Datatilsynet (Norway) - 21/03530: Difference between revisions

From GDPRhub
No edit summary
 
(16 intermediate revisions by 5 users not shown)
Line 76: Line 76:


=== Facts ===
=== Facts ===
Following noyb’s complaints against Meta, the Irish supervisory authority (DPC) issued decisions ([https://gdprhub.eu/index.php?title=DPC_(Ireland)_-_Meta_Platforms_Ireland_Limited_(Facebook)_-_IN-18-5-5 IN-18-5-5] and [https://gdprhub.eu/index.php?title=DPC_(Ireland)_-_Meta_Platforms_Ireland_Limited_(Instagram)_-_IN-18-5-7 IN-18-5-7]) where it was found that Meta Platforms Ireland (Meta) could not rely on [[Article 6 GDPR|Article 6(1)(b) GDPR]] (contract) for its processing of personal data for behavioural advertising. In those decisions Meta was ordered to bring its processing operations in compliance with the GDPR, in accordance with the conclusion reached by the binding decisions [https://gdprhub.eu/index.php?title=EDPB_-_Binding_Decision_3/2022_-_%27Meta_(Facebook)%27 3/2022] and [https://gdprhub.eu/index.php?title=EDPB_-_Binding_Decision_4/2022_-_%27Meta_(Instagram)%27 4/2022] of the EDPB.  
Following ''noyb''’s complaints, the Irish supervisory authority (DPC) issued decisions ([https://gdprhub.eu/index.php?title=DPC_(Ireland)_-_Meta_Platforms_Ireland_Limited_(Facebook)_-_IN-18-5-5 IN-18-5-5] and [https://gdprhub.eu/index.php?title=DPC_(Ireland)_-_Meta_Platforms_Ireland_Limited_(Instagram)_-_IN-18-5-7 IN-18-5-7]) where it was found that Meta Platforms Ireland (Meta) could not rely on [[Article 6 GDPR|Article 6(1)(b) GDPR]] (contract) for its processing of personal data for behavioural advertising. In those decisions Meta was ordered to bring its processing operations in compliance with the GDPR, in accordance with the conclusion reached by the binding decisions [https://gdprhub.eu/index.php?title=EDPB_-_Binding_Decision_3/2022_-_%27Meta_(Facebook)%27 3/2022] and [https://gdprhub.eu/index.php?title=EDPB_-_Binding_Decision_4/2022_-_%27Meta_(Instagram)%27 4/2022] of the EDPB.  


Following the DPC decisions, Meta shifted its legal basis from [[Article 6 GDPR|Article 6(1)(b) GDPR]] (contract) to [[Article 6 GDPR|Article 6(1)(f) GDPR]] (legitimate interest) for most of its processing of personal data for behavioural advertising.
After the DPC decisions, Meta shifted its legal basis from [[Article 6 GDPR|Article 6(1)(b) GDPR]] (contract) to [[Article 6 GDPR|Article 6(1)(f) GDPR]] (legitimate interest) for most of its processing of personal data for behavioural advertising.  


In addition, in a recent judgment [https://curia.europa.eu/juris/document/document.jsf?text=&docid=275125&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=2466257 C-252/21 Facebook Inc. and Others v Bundeskartellamt] by the Court of Justice (hereinafter “Bundeskartellamt Judgment”), the Court of Justice essentially held that Meta cannot rely on [[Article 6 GDPR|Article 6(1)(f) GDPR]] for processing of personal data for the purposes of personalised advertising. The judgment signifies that Meta’s shift of legal basis to [[Article 6 GDPR|Article 6(1)(f) GDPR]] is unlawful.
However, in a recent judgment [https://curia.europa.eu/juris/document/document.jsf?text=&docid=275125&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=2466257 C-252/21 Facebook Inc. and Others v Bundeskartellamt] by the Court of Justice (hereinafter “Bundeskartellamt Judgment”), the Court of Justice essentially held that Meta could not rely on [[Article 6 GDPR|Article 6(1)(f) GDPR]] for personalised advertising.


''<u>Mutual assistance (Article 61 GDPR)</u>''


TBA:
Following the DPC's decisions against Meta as well as the Bundeskartellamt Judgment, the Norwegian supervisory authority – in its role as a concerned supervisory authority ([[Article 4 GDPR|Article 4(22) GDPR]]) – raised its concerns and requested mutual assistance under [[Article 61 GDPR|Article 61(1) GDPR]] from the DPC as lead supervisory authority. The Norwegian supervisory authority requested the DPC the following:  


Following Meta's change shift of legal basis and the Court of Justice decision, the Norwegian supervisory authority – in its role as a concerned supervisory authority ([[Article 4 GDPR|Article 4(22) GDPR]]) – requested for mutual assistance under [[Article 61 GDPR]] from the DPC as the leadoing supervisory authority. The Norwegian authority firstly requested the DPC to issue a temporary ban on Meta’s processing of personal data for behavioral advertising based on [[Article 6 GDPR|Article 6(1)(f) GDPR]]. However, the DPC informed that it could not comply with that request.  
* Firstly, to issue a temporary ban on Meta regarding certain processing operations until Meta has provided adequate and sufficient commitments to ensure compliance with [[Article 6 GDPR|Articles 6(1)]] and, potentially, with the right to object under [[Article 21 GDPR]]. However, the DPC informed that it could not comply with that request.


In addition, the Norwegian supervisory authority made an information request to the DPC pursuant to [[Article 6 GDPR|Article 61(1) GDPR]] to share a timeline specifying how would the DPC ensure that Meta would coply with [[Article 6 GDPR|Article 6(1) GDPR]] as the DPC decisions foresee. The authority argued that the information received by the DPC was insufficient: DPC's response did not indicate which corrective measures they prepared to impose nor any timeframe for such imposition. Also, the Norwegian authority argued to have not received any explanation from the DPC as to why it was not possible to provide the requested information ([[Article 61 GDPR|Article 61(5) GDPR]]).
* Secondly, to share information on how would the DPC ensure that Meta complies with [[Article 6 GDPR|Article 6(1) GDPR]]. The DPC replied to the request, but the Norwegian authority viewed, essentially, that the DPC did not reply to the request adequately, and that the DPC did not provide any explanation on the reasons why is the DPC unable to provide the requested information.  
 
=== Holding ===
<u>''Urgency procedure (Article 66 GDPR)''</u>
<u>''Urgency procedure (Article 66 GDPR)''</u>


Following the insufficient reply form the leading supervisory authority - the DPC - to its information requests, the Norwegian authority decided to initiate an urgency procedure according to [[Article 66 GDPR]].     
Following the aforementioned lack of assistance by the DPC, the Norwegian DPA initiated an urgency procedure according to [[Article 66 GDPR]]. The authority viewed that Meta’s shift towards legitimate interests was unlawful, and that essentially Meta shifted from one unlawful legal basis (contract) to another (legitimate interests). Thus, the authority argued that Meta had not brought its processing operations into compliance with [[Article 6 GDPR|Article 6(1) GDPR]] as the DPC's decisions had foreseen.     


The Norwegian authority viewed that Meta’s shift towards legitimate interests was unlawful, and that essentially Meta shifted from one unlawful legal basis to another. Thus, the authority argued that Meta has not brought its processing operations into compliance with [[Article 6 GDPR|Article 6(1) GDPR]] as the DPC decisions foresee in the context of behavioral advertising.   
In this context, under [[Article 66 GDPR|Article 66(1) GDPR]], a concerned supervisory authority – such as the Norwegian DPA – may, in exceptional circumstances (urgent need to act), immediately adopt provisional measures towards a controller on its own territory with a specified period of validity in accordance with [[Article 55 GDPR|Article 55(1) GDPR]].   


Under [[Article 66 GDPR|Article 66(1) GDPR]], a concerned supervisory authority – such as the Norwegian supervisory authority in this case – may, in exceptional circumstances, adopt provisional measures towards a controller, if the authority considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects. In the present case, the Norwegian supervisory authority considered that these conditions are met.
In the present case, the Norwegian supervisory authority considered that these conditions are met. The Norwegian authority viewed that Meta’s persistent state of non-compliance demanded immediate action to protect the rights and freedoms of data subjects. Additionally, the authority held that, since the DPC did not cooperate adequately (see two points above) - as it should have under [[Article 60 GDPR]] - [[Article 61 GDPR|Article 61(8) GDPR]] applied, which meant that the urgent need to act under [[Article 66 GDPR|Article 66(1) GDPR]] was presumed to be met and required an urgent binding decision by the EDPB pursuant to [[Article 66 GDPR|Article 66(2) GDPR]].   
 
The Norwegian authority viewed that Meta’s persistent state of non-compliance demanded immediate action to protect the rights and freedoms of European data subjects. Additionally, the authority held that, since the DPC did not provide sufficient information following their information request, [[Article 61 GDPR|Article 61(8) GDPR]] applies, which means that the urgent need to act under [[Article 66 GDPR|Article 66(1) GDPR]] is presumed to be met.   


=== Holding ===
<u>''Temporary ban on processing (order)''</u>
<u>''Temporary ban on processing (order)''</u>


Consequently, the Norwegian supervisory authority '''issued a temporary ban''' pursuant to [[Article 58 GDPR|Articles 58(2)(f)]] and [[Article 66 GDPR|66(1) GDPR]] on the processing of personal data for the purposes of behavioural advertising by Meta and Facebook Norway AS on the basis of [[Article 6 GDPR|Article 6(1)(b)]] or [[Article 6 GDPR|6(1)(f) GDPR]].  
Pursuant to [[Article 66 GDPR|Article 66(1) GDPR]] and [[Article 58 GDPR|58(2)(f) GDPR]] the Norwegian DPA consequently issued a temporary ban on Meta and Facebook Norway AS regarding the processing of personal data for behavioural advertising on Facebook and Instagram based on [[Article 6 GDPR|Article 6(1)(b)]] or [[Article 6 GDPR|6(1)(f) GDPR]]. The order applies in Norway and remains valid provisionally for three (3) months from 4 August 2023 until 3 November 2023. However, the ban will be lifted if Meta would impelement remedial measures before that date. In this context, the authority welcomes a dialogue with Meta on elements such as limiting the scope of processing of personal data for behavioural advertising and introducing new user settings for behavioural advertising. Additionally, if the order is not complied with, the authority may impose a coercive fine of up to NOK 1,000,000 (approx. € 90,000) per day.  
 
The order in question applies with respect to data subjects in Norway and remains valid provisionally for three (3) months '''from 4 August 2023 until 3 November 2023'''. The order will be lifted if remedial measures are implemented before. In this context, the authority welcomes a dialogue with Meta on elements such as limiting the scope of processing of personal data for behavioural advertising and introducing new user settings for behavioural advertising.
 
Additionally, if the order is not complied with, the authority may impose a coercive fine of up to NOK 1,000,000 (approx. € 90,000) per day.


<u>''Request for an urgent binding decision (edpb)''</u>
<u>''Urgent binding decision by the EDPB''</u>


Furthermore, the Norwegian supervisory authority also requested for an '''urgent binding decision from the EDPB''' correspondingly, pursuant to [[Article 66 GDPR|Article 66(2) GDPR]].
Furthermore, subsequent to the issuance of the order, the Norwegian supervisory authority stated the intention to request an urgent binding decision by the EDPB correspondingly, pursuant to [[Article 66 GDPR|Article 66(2) GDPR]], so that that final measures may urgently be adopted.


== Comment ==
== Comment ==
TBA
''We note, that when Article 66(1) GDPR applies the urgency is presumed and the the EDPB must adopt a binding decision. Therefore, it seems that in an Article 66(1) GDPR the concerned DPA does not have to request the EDPB to adopt a binding decision. Nevertheless, the Norwegian DPA stated its intention to <u>request</u> an urgent binding decision from the EDPB.'' ''Moreover, it should be highlighted that the territorial scope of the issued order by the Norwegian supervisory authority has national applicability'' ''only'' ''(Art. 55(1) GDPR), and thus, is limited to Norway. However, the EDPB may adopt a decision with a wider territorial scope.''


== Further Resources ==
== Further Resources ==
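Review bot: The rewritten Comment says urgency is presumed "when Article 66(1) GDPR applies", while the rewritten Urgency procedure paragraph ties that presumption to Article 61(8) GDPR. The Comment should name Article 61(8) as the trigger so the two passages agree. The new text also carries "impelement" in the Holding paragraph, "the the EDPB" in the Comment and "so that that final measures" in the EDPB paragraph. In the second bullet, "how would the DPC ensure" and "why is the DPC unable" should use statement word order.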

Latest revision as of 16:20, 6 December 2023

Datatilsynet - 21/03530-16
Authority: Datatilsynet (Norway)
Jurisdiction: Norway
Relevant Law: Article 6(1)(b) GDPR
Article 6(1)(f) GDPR
Article 58(2)(f) GDPR
Article 66(1) GDPR
Article 66(2) GDPR
Type: Other
Outcome: n/a
Started:
Decided:
Published: 14.07.2023
Fine: n/a
Parties: Meta Platforms Ireland
Facebook Norway AS
National Case Number/Name: 21/03530-16
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Datatilsynet (Norway) (in EN)
Initial Contributor: n/a

The Norwegian DPA has taken action after Meta shifted its legal basis in the context of behavioural advertising, and issued a temporary ban on Meta for processing personal data for the purpose of behavioural advertising on the basis of Article 6(1)(b) or 6(1)(f) GDPR.

English Summary

Facts

Following noyb’s complaints, the Irish supervisory authority (DPC) issued decisions (IN-18-5-5 and IN-18-5-7) where it was found that Meta Platforms Ireland (Meta) could not rely on Article 6(1)(b) GDPR (contract) for its processing of personal data for behavioural advertising. In those decisions Meta was ordered to bring its processing operations in compliance with the GDPR, in accordance with the conclusion reached by the binding decisions 3/2022 and 4/2022 of the EDPB.

After the DPC decisions, Meta shifted its legal basis from Article 6(1)(b) GDPR (contract) to Article 6(1)(f) GDPR (legitimate interest) for most of its processing of personal data for behavioural advertising.

However, in a recent judgment C-252/21 Facebook Inc. and Others v Bundeskartellamt by the Court of Justice (hereinafter “Bundeskartellamt Judgment”), the Court of Justice essentially held that Meta could not rely on Article 6(1)(f) GDPR for personalised advertising.

Mutual assistance (Article 61 GDPR)

Following the DPC's decisions against Meta as well as the Bundeskartellamt Judgment, the Norwegian supervisory authority – in its role as a concerned supervisory authority (Article 4(22) GDPR) – raised its concerns and requested mutual assistance under Article 61(1) GDPR from the DPC as lead supervisory authority. The Norwegian supervisory authority asked the DPC for the following:

  • Firstly, to issue a temporary ban on Meta regarding certain processing operations until Meta has provided adequate and sufficient commitments to ensure compliance with Article 6(1) and, potentially, with the right to object under Article 21 GDPR. However, the DPC stated that it could not comply with that request.
  • Secondly, to share information on how the DPC would ensure that Meta complies with Article 6(1) GDPR. The DPC replied to the request, but the Norwegian authority took the view, essentially, that the DPC did not reply to the request adequately, and that the DPC did not provide any explanation of why it was unable to provide the requested information.

Urgency procedure (Article 66 GDPR)

Following the aforementioned lack of assistance by the DPC, the Norwegian DPA initiated an urgency procedure according to Article 66 GDPR. The authority took the view that Meta’s shift towards legitimate interests was unlawful, and that essentially Meta had shifted from one unlawful legal basis (contract) to another (legitimate interests). Thus, the authority argued that Meta had not brought its processing operations into compliance with Article 6(1) GDPR as the DPC's decisions had foreseen.

In this context, under Article 66(1) GDPR, a concerned supervisory authority – such as the Norwegian DPA – may, in exceptional circumstances (urgent need to act), immediately adopt provisional measures towards a controller on its own territory with a specified period of validity in accordance with Article 55(1) GDPR.

In the present case, the Norwegian supervisory authority considered that these conditions were met. The Norwegian authority took the view that Meta’s persistent state of non-compliance demanded immediate action to protect the rights and freedoms of data subjects. Additionally, the authority held that, since the DPC did not cooperate adequately (see the two points above), as it should have under Article 60 GDPR, Article 61(8) GDPR applied, which meant that the urgent need to act under Article 66(1) GDPR was presumed to be met and required an urgent binding decision by the EDPB pursuant to Article 66(2) GDPR.

Holding

Temporary ban on processing (order)

Pursuant to Article 66(1) GDPR and 58(2)(f) GDPR, the Norwegian DPA consequently issued a temporary ban on Meta and Facebook Norway AS regarding the processing of personal data for behavioural advertising on Facebook and Instagram based on Article 6(1)(b) or 6(1)(f) GDPR. The order applies in Norway and remains valid provisionally for three (3) months from 4 August 2023 until 3 November 2023. However, the ban will be lifted if Meta implements remedial measures before that date. In this context, the authority welcomes a dialogue with Meta on elements such as limiting the scope of processing of personal data for behavioural advertising and introducing new user settings for behavioural advertising. Additionally, if the order is not complied with, the authority may impose a coercive fine of up to NOK 1,000,000 (approx. € 90,000) per day.

Urgent binding decision by the EDPB

Furthermore, subsequent to the issuance of the order, the Norwegian supervisory authority stated its intention to request a corresponding urgent binding decision by the EDPB, pursuant to Article 66(2) GDPR, so that final measures may urgently be adopted.

Comment

We note that when Article 66(1) GDPR applies, the urgency is presumed and the EDPB must adopt a binding decision. Therefore, it seems that in an Article 66(1) GDPR case the concerned DPA does not have to request the EDPB to adopt a binding decision. Nevertheless, the Norwegian DPA stated its intention to request an urgent binding decision from the EDPB. Moreover, it should be highlighted that the order issued by the Norwegian supervisory authority has national applicability only (Art. 55(1) GDPR), and thus is limited to Norway. However, the EDPB may adopt a decision with a wider territorial scope.


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Norwegian Data Protection Authority




Meta Platforms Ireland Limited
4 Grand Canal Square
Grand Canal Harbour
Dublin 2
Ireland

Sent via email to dpo@fb.com; [REDACTED]

Facebook Norway AS
Dronning Eufemias gate 8
0191 Oslo
Norway

Your reference:
Our reference: 21/03530-16
Date: 14.07.2023



Urgent and Provisional Measures – Meta


 1. Introduction

The Norwegian Data Protection Authority (hereinafter “NO SA”, “we”, “us”, or “our”) is the independent supervisory authority responsible for monitoring the application of the General Data Protection Regulation (hereinafter “GDPR”) with respect to Norway.

The majority of the Norwegian population is registered users of social media services.[2] Our goal in the present context is to enable individuals to use and benefit from such services free from harm. Specifically, this document sets out measures that are necessary to ensure that data subjects can use the Facebook and Instagram services (hereinafter “Services”) enjoying full respect for their right to data protection, and correspondingly, other fundamental rights and freedoms such as the right to privacy, freedom of information and protections against discrimination.[3] Most data subjects do not fully comprehend the intrusive profiling activities they are subject to in the context of the Services, which is why we see it as important to protect their rights and freedoms. Additionally, there are many vulnerable individuals using the Services who need particular protection.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ [2016] L 119/1.
[2] See section 7.2.1.4.
[3] As is made clear by Recital 2–4 GDPR, the right to data protection aims to ensure data subjects’ fundamental rights and freedoms.

Postal address: P.O. Box 458 Sentrum, 0105 OSLO. Office address: Trelastgata 3. Phone: +47 22 39 69 00. Telefax: +47 22 42 23 50. Ent. reg: 974 761 467. Web address: datatilsynet.no

The present document is also intended to increase legal certainty for third party controllers using the Services for advertising and promotion of their organisations.

On 31 December 2022, the Irish Data Protection Commission (hereinafter “IE SA”) issued Decisions IN-18-5-5 and IN-18-5-7 (hereinafter “IE Decisions”). The IE Decisions found that Meta Platforms Ireland Limited (hereinafter “Meta”, “you”, or “your”) could not rely on Article 6(1)(b) GDPR for its processing of personal data for the purposes of behavioural advertising in the context of the Services. Meta was ordered to bring those processing activities into compliance with Article 6(1) GDPR within three months.

On 5 April 2023, the IE SA shared the compliance reports and supporting material that Meta submitted to it with the supervisory authorities concerned (hereinafter “CSAs”). The documents showed that Meta has shifted its legal basis to Article 6(1)(f) for a number of processing activities. After having reviewed the documents at hand, we expressed concerns that Meta has failed to show compliance with Article 6(1) and hence with the IE Decisions. Furthermore, we find that additional violations in relation to Article 21 have arisen through the changes Meta adopted pursuant to the IE Decisions.

Thus, on 5 May 2023, we formally requested the IE SA, as the lead supervisory authority, to impose a temporary ban on processing of personal data for behavioural advertising purposes. Nevertheless, on 2 June 2023, the IE SA informed us that it could not comply with such a request, as explained below. Since that time, the IE SA has shared with us a provisional position paper outlining its preliminary assessment of the matter. However, no potential course of action has been suggested in case the conclusion of the IE SA’s final assessment should be that Meta failed to comply with the IE Decisions.

You have been notified by the IE SA of our intention to impose provisional measures, and you have expressed your opinion accordingly in your letter dated 21 June 2023. You put forward additional views in your letter dated 30 June 2023. We have taken your provided views duly into account.


On 4 July 2023, the Grand Chamber of the Court of Justice of the European Union (hereinafter “CJEU”) handed down its judgment in Case C-252/21, Facebook Inc. and Others v Bundeskartellamt (hereinafter “Bundeskartellamt Judgment”). This judgment held that Meta cannot rely on Article 6(1)(f) for processing of personal data for “the purposes of personalised advertising”.[5]

After having carefully assessed the evidence at hand, we have reached the conclusion that Meta has not brought its processing operations into compliance with Article 6(1) GDPR as prescribed. We would like to stress that this is a conclusion based on substance rather than formalities. In other words, changing the compliance documentation as a paperwork exercise would not amend the problems identified.

[4] Both available at https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-decisions_en?f%5B0%5D=register_decisions_members%3A81 (accessed on 19 June 2023).
[5] Bundeskartellamt Judgment, para. 117.

In our view, the persistent state of non-compliance following the IE Decisions demands immediate action to protect the rights and freedoms of European data subjects. The IE Decisions found serious violations of the GDPR on 31 December 2022, and should a delay in remedying that violation be permitted, data subjects would be at acute risk and in practice lack effective protection under the GDPR. The need to act has become ever more urgent in light of the Bundeskartellamt Judgment, which signifies that Meta’s shift of legal basis to Article 6(1)(f) in April 2023 was unlawful.

In light of the above, this letter imposes a temporary ban on Meta’s processing of personal data of data subjects in Norway for targeting ads on the basis of observed behaviour (hereinafter “Behavioural Advertising”) for which Meta relies on Article 6(1)(b) or 6(1)(f) GDPR. For the avoidance of doubt, Behavioural Advertising includes targeting ads on the basis of inferences drawn from observed behaviour as well as on the basis of data subjects’ movements, estimated location and how data subjects interact with ads and user-generated content. This definition is in line with our understanding of the scope of the IE Decisions.

Please note the limitations of the scope of our order. The order does not in any way ban Meta from offering the Services in Norway, nor does it preclude Meta from processing personal data for advertisement purposes in general. Only Behavioural Advertising as defined above is affected to the extent that it is based on 6(1)(b) or 6(1)(f) GDPR. Practices such as targeting ads based on information that data subjects have provided in the “About” section of their user profile, or generalised advertising, are out of scope of this order. For example, the order does not itself prevent an advertising campaign on Facebook which, based on profile bio information, targets ads towards females between 30 and 40 years of age residing in Oslo and who have studied engineering.

 2. Order


Pursuant to Article 58(2)(f) and 66(1) GDPR, we hereby issue the following order to Meta Platforms Ireland Limited and Facebook Norway AS collectively:

       Personal data shall not be processed for Behavioural Advertising based on Article 6(1)(b) or 6(1)(f) GDPR in the context of the Services.

In line with Article 66(1), the order applies with respect to data subjects in Norway and remains valid provisionally for three (3) months. The order applies from 4 August 2023 until 3 November 2023. Nonetheless, the order will be lifted before that date if remedial measures are implemented so that adequate and sufficient commitments to ensure compliance with Article 6(1) and 21 GDPR can be provided.

Please confirm compliance with the order by 4 August 2023.

We consider Meta Platforms Ireland Limited as the controller, within the meaning of Article 4(7) GDPR, for the processing of personal data in question. Facebook Norway AS, whose stated purpose is related to sales of digital advertising,[6] is also addressed as a recipient of this order as it is a Norwegian establishment of the controller.

The present order is communicated to the other supervisory authorities concerned, to the European Data Protection Board (hereinafter “EDPB”), to the European Commission, and to the EFTA Surveillance Authority in accordance with Article 66(1) of the GDPR and Article 1(m) of the Decision of the EEA Joint Committee No 154/2018.[7]


 3. Advance notification of a coercive fine

In case our order above is not complied with, we may decide to impose a coercive fine of up to NOK 1 000 000 (one million) per day of non-compliance on Meta Platforms Ireland Limited and/or Facebook Norway AS, individually or collectively, pursuant to the Norwegian Personal Data Act Section 29. Any comments or remarks in this regard can be sent to postkasse@datatilsynet.no and tobias@datatilsynet.no by 1 August 2023.


 4. Request for an urgent binding decision from the EDPB

Subsequent to the issuance of the present order, we intend to request an urgent binding decision from the EDPB correspondingly, pursuant to Article 66(2), so that final measures may urgently be adopted. This will furthermore ensure a harmonised and consistent application of the GDPR on the European level.

In this regard, you have a right to be heard, and we will facilitate your exercise of that right. We therefore invite you to send us any views you may have, be it on procedure or substance. Comments may be put forward by Meta Platforms Ireland Limited, Facebook Norway AS, or both.

Please note that in case the EDPB agrees with our assessment, the EDPB may potentially issue a decision with a wider territorial scope and without temporal limitations. We ask you to have this in mind when preparing your response.

Please send any comments or remarks you may have to postkasse@datatilsynet.no and tobias@datatilsynet.no by 20 August 2023.

[6] See company registration information from the Brønnøysund Register Centre, available on https://w2.brreg.no/enhet/sok/detalj.jsp?orgnr=916305656 (last accessed 12 July 2023).
[7] Decision of the EEA Joint Committee No 154/2018 of 6 July 2018 amending Annex XI (Electronic communication, audiovisual services and information society) and Protocol 37 (containing the list provided for in Article 101) to the EEA Agreement OJ [2018] L 183/23.

 5. Factual background

On 31 December 2022, the IE SA issued Decisions IN-18-5-5 and IN-18-5-7 in which it found that Meta did not rely on a valid legal basis for “processing of personal data for the purposes of behavioural advertising” in the context of the Services. The IE SA required Meta to take the necessary action to bring its said processing of personal data into compliance with Article 6(1) GDPR in accordance with the conclusion reached by the Binding Decisions 3/2022 and 4/2022 of the EDPB.[9][10]


The IE Decisions followed an investigation of the IE SA into, among other things, Meta’s legal basis for processing data for Behavioural Advertising. At the time of the inquiry, Meta relied on Article 6(1)(b) GDPR. However, in the IE Decisions, the IE SA concluded that Meta was not entitled to carry out the processing at issue on the basis of Article 6(1)(b) GDPR, in accordance with the conclusion reached by the EDPB on this matter.

As a consequence, Meta changed its legal basis for some of its processing of personal data for Behavioural Advertising from Article 6(1)(b) GDPR to Article 6(1)(f) GDPR, effective on 5 April 2023.


On 5 April 2023, the IE SA shared with the supervisory authorities concerned – including the NO SA – the compliance reports and supporting material that Meta submitted to the IE SA with the aim of showing compliance with the above-mentioned IE Decisions. The IE SA welcomed feedback by 5 May 2023.

On 5 May 2023, we formally requested the IE SA, as the lead supervisory authority, in accordance with Article 61(1) GDPR, to:

    1. issue a temporary ban on Meta’s processing of personal data for behavioural advertising purposes on the Services based on Article 6(1)(f) GDPR until the lead and the other supervisory authorities concerned are satisfied that Meta has provided adequate and sufficient commitments to ensure compliance with Articles 6(1) and 21 GDPR; and

    2. share a timeline with us and the other supervisory authorities concerned specifying how the IE SA will ensure in an expedient manner that Meta complies with Article 6(1) GDPR.

We also flagged that we may adopt urgent provisional measures pursuant to Article 66(1) should the IE SA not be in a position to follow our request.




8 IN-18-5-5 p. 153 and IN-18-5-7 p. 157, respectively.
9 EDPB Binding Decisions 3/2022 and 4/2022 are available at
https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/binding-decision-32022-dispute-submitted_en
and
https://edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/binding-decision-42022-dispute-submitted_en
(accessed on 19 June 2023).
10 The EDPB Binding Decisions are addressed to the IE SA and do not directly concern Meta. See the Order of
the General Court in Case T-709/21, WhatsApp Ireland v European Data Protection Board.




Our request was shared with Meta by the IE SA.

On 2 June 2023, the IE SA informed us that it could not comply with our request.11 The IE SA
referred to a document shared separately with all CSAs on 31 May 2023. Said document stated
that the IE SA’s assessments were ongoing and that it was awaiting feedback from Meta in that
regard, which had been requested by 2 June 2023. The IE SA also expressed that it would revert
to CSAs by the end of June 2023.

On 13 June 2023, we were advised by the IE SA that its assessment would not await Meta’s
feedback, but that the assessment would nonetheless be delayed until after 4 July so as to take
into account the judgment of the Court of Justice of the European Union (hereinafter “CJEU”)
in Case C-252/21, Facebook Inc. and Others v Bundeskartellamt, due on that date.

Meta expressed its opinion on us potentially adopting urgent provisional measures pursuant to
Article 66(1) in a letter dated 21 June 2023.

On 11 July 2023, we received a provisional position paper from the IE SA where it set out its
preliminary assessment on Meta’s compliance with the IE Decisions, taking into account
feedback from CSAs. [REDACTED] No information on potential further action after that date
was given even if the IE SA’s final conclusion should be that Meta did not comply with the IE
Decisions.


Attached to the IE SA’s provisional position paper was a letter from Meta dated 30 June in
which it expressed its opinion on matters raised by CSAs, including the NO SA.

 6. Legal background


   6.1. Principles and lawfulness requirements

The protection of personal data and privacy are fundamental rights enshrined in Article 8 of the
European Convention on Human Rights, Article 102 of the Norwegian Constitution, as well as
in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.12 The GDPR
gives effect to these fundamental rights.

Article 5(1) GDPR provides that:


        1. Personal data shall be:

        a) processed lawfully, fairly and in a transparent manner in relation to the data subject
            (‘lawfulness, fairness and transparency’);


11 See the IE SA’s reply to our mutual assistance request in the IMI system (stating: “No, I cannot comply with
the request”) dated 2 June 2023.
12 The Charter of Fundamental Rights of the European Union is not implemented in the EEA agreement and is
not part of Norwegian law. However, the GDPR, which is interpreted in light of the Charter, is Norwegian law
pursuant to the Norwegian Personal Data Act Section 1.



        b) collected for specified, explicit and legitimate purposes and not further processed
            in a manner that is incompatible with those purposes; further processing for
            archiving purposes in the public interest, scientific or historical research purposes
            or statistical purposes shall, in accordance with Article 89(1), not be considered to
            be incompatible with the initial purposes (‘purpose limitation’);
        c) adequate, relevant and limited to what is necessary in relation to the purposes for
            which they are processed (‘data minimisation’);
        d) accurate and, where necessary, kept up to date; every reasonable step must be taken
            to ensure that personal data that are inaccurate, having regard to the purposes for
            which they are processed, are erased or rectified without delay (‘accuracy’);
        e) kept in a form which permits identification of data subjects for no longer than is
            necessary for the purposes for which the personal data are processed; personal data
            may be stored for longer periods insofar as the personal data will be processed
            solely for archiving purposes in the public interest, scientific or historical research
            purposes or statistical purposes in accordance with Article 89(1) subject to
            implementation of the appropriate technical and organisational measures required
            by this Regulation in order to safeguard the rights and freedoms of the data subject
            (‘storage limitation’);
        f) processed in a manner that ensures appropriate security of the personal data,
            including protection against unauthorised or unlawful processing and against
            accidental loss, destruction or damage, using appropriate technical or
            organisational measures (‘integrity and confidentiality’).

The GDPR furthermore provides that controllers must rely on a valid legal basis to process
personal data. Such legal basis must be identified at the outset of the processing among the
ones exhaustively listed in Article 6(1) GDPR. Article 6(1) GDPR reads:

    1. Processing shall be lawful only if and to the extent that at least one of the following
        applies:

    (a) the data subject has given consent to the processing of his or her personal data for
        one or more specific purposes;
    (b) processing is necessary for the performance of a contract to which the data subject is
        party or in order to take steps at the request of the data subject prior to entering into a
        contract;
    (c) processing is necessary for compliance with a legal obligation to which the controller
        is subject;
    (d) processing is necessary in order to protect the vital interests of the data subject or of
        another natural person;
    (e) processing is necessary for the performance of a task carried out in the public interest
        or in the exercise of official authority vested in the controller;


13 See Art. 6(1) of the GDPR. The notions of “personal data”, “processing”, and “controller” are defined in Art.
4(1), (2) and (7) GDPR.



    (f) processing is necessary for the purposes of the legitimate interests pursued by the
        controller or by a third party, except where such interests are overridden by the
        interests or fundamental rights and freedoms of the data subject which require
        protection of personal data, in particular where the data subject is a child.

In the present case, Meta has switched to Article 6(1)(f) GDPR as the legal basis for most of its
processing of personal data for Behavioural Advertising, which is a novelty in the wake of the
IE decisions. Hence, this provision is the focus of our analysis.


Article 6(1)(f) lays down three cumulative conditions in order for the processing of personal
data to be lawful. Firstly, the pursuit of a legitimate interest by the controller or by a third party;
secondly, necessity to process personal data for the purposes of the legitimate interests pursued;
and thirdly, that the interests or fundamental rights and freedoms of the person concerned by
the data protection do not override the legitimate interest pursued – a so-called balancing test.14


With regard to the condition relating to the necessity of processing personal data, the CJEU has
noted that derogations and limitations in relation to the protection of personal data must apply
only in so far as is strictly necessary. Legal bases allowing processing of personal data without
a data subject’s consent must be interpreted restrictively.16 Consequently, necessity implies that
the legitimate interest pursued “cannot reasonably be achieved just as effectively by other
means less restrictive of the fundamental rights and freedoms of data subjects, in particular the
rights to respect for private life and to the protection of personal data guaranteed by Articles 7
and 8 of the Charter.”17 This needs to be assessed in conjunction with the data minimisation
principle set out in Article 5(1)(c) GDPR.18

As regards the condition of balancing the opposing rights and interests at issue, Recital 47
GDPR states that:

        The legitimate interests of a controller, including those of a controller to which the
        personal data may be disclosed, or of a third party, may provide a legal basis for
        processing, provided that the interests or the fundamental rights and freedoms of the
        data subject are not overriding, taking into consideration the reasonable expectations
        of data subjects based on their relationship with the controller. […].

When assessing whether the interests or fundamental rights and freedoms of data subjects
override the legitimate interests of the controller, several factors should be taken into
consideration in performing the balancing test. Such factors include how compelling the
legitimate interest of the controller is; the nature and source of the legitimate interests; the


14 See by analogy CJEU, judgment of 11 December 2019, Case C‑708/1, Asociaţia de Proprietari bloc M5A-ScaraA,
para. 40.
15 See e.g. CJEU, judgment of 4 May 2017, Case C‑13/16, Rīgas satiksme, para. 30.
16 Bundeskartellamt Judgment, para. 93.
17 Ibid., para. 108.
18 Ibid., para 109; EDPB, Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the
context of the provision of online services to data subjects, Version 2.0, 8 October 2019, para. 15.




degree of impact on the interests, rights and freedoms of the data subjects; the nature of the
data; the way that data are being processed; the source and accessibility of the data; the
reasonable expectations of the data subject; the status of the data controller and data subject as
well as what safeguards are in place beyond the minimum required by the GDPR.19 20

In its guidelines on profiling, which have been endorsed by the EDPB, the Article 29
Working Party stated that:


        (…) it would be difficult for controllers to justify using legitimate interests as a lawful
        basis for intrusive profiling and tracking practices for marketing or advertising
        purposes, for example those that involve tracking individuals across multiple websites,
        locations, devices, services or data-brokering.  21


The Bundeskartellamt Judgment, which inter alia focused on Meta’s processing of personal
data for Behavioural Advertising across its own services and third-party services, is of
particular relevance to this case. In relation to Article 6(1)(f), the CJEU stated:

        In this regard, it is important to note that, despite the fact that the services of an online
        social network such as Facebook are free of charge, the user of that network cannot
        reasonably expect that the operator of the social network will process that user’s
        personal data, without his or her consent, for the purposes of personalised
        advertising. In those circumstances, it must be held that the interests and fundamental
        rights of such a user override the interest of that operator in such personalised
        advertising by which it finances its activity, with the result that the processing by that
        operator for such purposes cannot fall within the scope of point (f) of the first
        subparagraph of Article 6(1) of the GDPR.22


   6.2. Right to object

In relation to data subjects’ rights, Article 12(1)–(2) GDPR reads:

        1. The controller shall take appropriate measures to provide any information referred
            to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34
            relating to processing to the data subject in a concise, transparent, intelligible and
            easily accessible form, using clear and plain language, in particular for any
            information addressed specifically to a child. The information shall be provided in
            writing, or by other means, including, where appropriate, by electronic means.
            When requested by the data subject, the information may be provided orally,
            provided that the identity of the data subject is proven by other means.


19 CJEU, judgment of 11 December 2019, Case C‑708/1, Asociaţia de Proprietari bloc M5A-ScaraA, paras. 54–58.
20 See Article 29 Working Party, Opinion 06/2014 on the notion of legitimate interests of the data controller
under Article 7 of Directive 95/46/EC (WP 217), which relates to the provision equivalent to Article 6(1)(f)
under the legal framework preceding the GDPR.
21 Article 29 Working Party, Guidelines on Automated individual decision-making and Profiling for the purposes
of Regulation 2016/679 (WP251rev.01), p. 15.
22 Bundeskartellamt Judgment, para. 117.




        2. The controller shall facilitate the exercise of data subject rights under Articles 15
            to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act
            on the request of the data subject for exercising his or her rights under Articles 15
            to 22, unless the controller demonstrates that it is not in a position to identify the
            data subject.

Furthermore, Article 13(2)(b) makes clear that the controller should provide data subjects with
information about:

        the existence of the right to request from the controller access to and rectification or
        erasure of personal data or restriction of processing concerning the data subject or to
        object to processing as well as the right to data portability

The right to object is one of the data subjects’ rights under the GDPR. In this respect, Article
21(1) to (4) GDPR reads:

        3. The data subject shall have the right to object, on grounds relating to his or her
            particular situation, at any time to processing of personal data concerning him or
            her which is based on point (e) or (f) of Article 6(1), including profiling based on
            those provisions. The controller shall no longer process the personal data unless
            the controller demonstrates compelling legitimate grounds for the processing which
            override the interests, rights and freedoms of the data subject or for the
            establishment, exercise or defence of legal claims.

        4. Where personal data are processed for direct marketing purposes, the data subject
            shall have the right to object at any time to processing of personal data concerning
            him or her for such marketing, which includes profiling to the extent that it is related
            to such direct marketing.

        5. Where the data subject objects to processing for direct marketing purposes, the
            personal data shall no longer be processed for such purposes.

        6. At the latest at the time of the first communication with the data subject, the right
            referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the
            data subject and shall be presented clearly and separately from any other
            information.

If the controller decides to reject a data subject’s objection made under Article 21(1) GDPR, it
must provide the reasoning for the rejection since the controller has the burden of proof in
demonstrating that there are compelling legitimate grounds overriding the interests, rights and
freedoms of the data subject.

The right to object to processing of personal data for direct marketing pursuant to Article 21(2)
GDPR is unconditional and irrespective of the legal basis relied on by the controller. Article
21(2) gives data subjects the right to object at any time to processing of personal data
concerning them for direct marketing, which includes profiling to the extent that it is related to
such direct marketing. There is no requirement that the data subject provides any reasoning, as
the purpose of the processing is immaterial, and there is no “need for any balancing of
interests”.23 It is enough that the data subject puts forth an objection for the objection to be
successful.

Whilst direct marketing is not a defined term in the GDPR, the interplay that exists between the
GDPR and the ePrivacy Directive24 – namely that the ePrivacy Directive seeks to translate the
rules of the GDPR into specific rules for the telecommunications sector25 – entails that there is
a presumption that the concept of direct marketing under the ePrivacy Directive will have the
same meaning also in the GDPR.

In Case C-102/20,26 the CJEU clarified that for a communication to be for the purposes of direct
marketing under the ePrivacy Directive, it must be ascertained whether the communication:


        (1) pursues a commercial purpose; and

        (2) is addressed directly and individually to a consumer.

The advertising messages in issue in Case C-102/20 functioned as follows: a JavaScript code
of an advertising server (TAG) is connected with the place in question in the inbox on the
internet page consulted by the user of such an email inbox. For that reason, when a user opens
the internet page, a request (Adrequest) is sent to the advertising server in order to randomly
select an advertising banner from a basket constituted by advertisers and transmit it, such that
it appears in the user’s inbox.27

The CJEU concluded in Case C-102/20 that the advertising messages in issue, as described
above, are direct marketing. This implies that the advertisements pursue, by their very nature,
commercial purposes – at least when the aim of such advertisements is to promote services.28

When assessing whether a communication is “addressed directly and individually to a
consumer”, the CJEU appears to have noted the following characteristics of the advertising
messages in question in coming to their conclusion that such advertising messages were
addressed directly and individually to a consumer:


    •   the displaying of the advertising message in the inbox of the private email service of the
        user concerned (para. 48)




23 Article 29 Working Party, Guidelines on Automated individual decision-making and Profiling for the purposes
of Regulation 2016/679 (WP251rev.01), p. 19.
24 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing
of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and
electronic communications) OJ [2002] L 201/37.
25 See Recital 4 ePrivacy Directive. While this recital refers to Directive 94/46/EC, it follows from Article 94(2)
that any references to that directive should be construed as references to the GDPR.
26 CJEU, judgment of 25 November 2021 in Case C-102/20, StWL Städtische Werke Lauf a.d. Pegnitz.
27 Ibid., para. 22.
28 Ibid., para. 48.



    •   the reaching, directly and individually, of the inboxes of one or more email service users
        (para. 50)

    •   the recipients of advertising messages are individual in their capacity as users of a
        provider’s individual email service (para. 51)

    •   the user obtains access to their inbox only after having entered their registration data
        and password (para. 51)

    •   the displaying in a private space reserved to an individual which is intended for the
        consultation of private content (para. 51).

The CJEU also stated clearly that “it is irrelevant whether the advertising at issue is addressed
to a predetermined and individually identified recipient or is sent on a mass, random basis to
multiple recipients” (para. 50).

The Norwegian Consumer Authority assesses that the same considerations apply for marketing
via social media such as Facebook and Twitter as for marketing communications via electronic
communication methods, pursuant to Section 15 of the Norwegian Marketing Control Act (in
Norwegian: markedsføringsloven).29

   6.3. Competence, tasks and powers

With regard to the tasks and competence of supervisory authorities under the GDPR, Article
55(1) GDPR establishes the general rule that each supervisory authority is competent for the
performance of the tasks assigned to it and the exercise of the powers conferred on it in
accordance with the GDPR on the territory of its own country.30


One of the tasks assigned to those supervisory authorities is the task of monitoring the
application of the GDPR and enforcing its application, as laid down in Article 57(1)(a) GDPR,
while another is the task of cooperating with other supervisory authorities, including sharing
information, and providing mutual assistance with a view to ensuring the consistency of
application and enforcement of that regulation, as laid down in Article 57(1)(g) GDPR.31 The
powers conferred on those supervisory authorities, for the performance of those tasks, include
various investigative and corrective powers, laid down in Article 58, including the power to
impose a temporary or definitive limitation including a ban on processing.


The performance of those tasks and the exercise of those powers presupposes, however, that a
supervisory authority is competent with respect to a particular instance of data processing. 32




29 https://www.forbrukertilsynet.no/lov-og-rett/veiledninger-og-retningslinjer/forbrukertilsynets-veiledning-markedsforing-via-e-post-sms-o-l,
accessed on 2 May 2023.
30 CJEU, judgment of 15 June 2021, Case C‑645/19, Facebook Ireland and Others, para. 47.
31 Ibid. para. 48.
32 Ibid. para. 49.




In that regard, without prejudice to the rule on competence set out in Article 55(1) GDPR,
Article 56(1) GDPR establishes, with respect to “cross-border processing” (within the meaning
of Article 4(23) GDPR) the “one-stop shop” mechanism, based on an allocation of competences
between one “lead supervisory authority” and the other supervisory authorities concerned.
Under that mechanism, the supervisory authority of the main establishment or of the single
establishment of the controller is to be competent to act as lead supervisory authority for the
cross-border processing carried out by that controller, in accordance with the procedure set out
in Article 60 GDPR.33

It must, however, be noted that the GDPR establishes exceptions to the general rule that it is
the lead supervisory authority which is competent to adopt decisions in the context of the
“one-stop shop” mechanism provided for in Article 56(1) GDPR.34 Most notably, Article 66 GDPR
provides for an urgency procedure. That urgency procedure makes it possible, in exceptional
circumstances, where the supervisory authority concerned considers that there is an urgent need
to act in order to protect the rights and freedoms of data subjects, immediately to adopt
provisional measures intended to produce legal effects on its own territory with a specified
period of validity which is not to exceed three months.35

Pursuant to Article 61(8) GDPR, the urgent need to act under Article 66(1) GDPR is presumed
to be met if the lead supervisory authority fails to reply within the given time frame or refuses
to comply with a mutual assistance request, or otherwise fails to act in a specific case of
cross-border processing despite a request to that effect by a supervisory authority concerned.36


 7. Our assessment of Meta’s compliance with Articles 6(1) and 21 GDPR and the need
     to adopt urgent and provisional measures


Under Article 66(1) of the GDPR, a supervisory authority concerned may, in exceptional
circumstances, adopt provisional measures towards a controller, if it considers that there is an
urgent need to act in order to protect the rights and freedoms of data subjects. As outlined below,
these conditions are in our view met in the present case.

   7.1. The NO SA qualifies as a supervisory authority concerned


Meta’s processing of personal data for Behavioural Advertising takes place in the context of
the activities of several of its European establishments, including Meta and Facebook Norway
AS.37 Thus, the relevant processing qualifies as “cross-border processing” within the meaning
of Article 4(23)(a) of the GDPR. Moreover, Meta is presumed to have its “main establishment”
in Ireland, as its central administration in the EU/EEA is located in that country. Therefore,


33 Ibid. para. 50.
34 Ibid. para. 57.
35 Ibid. para. 59.
36 Opinion of Advocate General Bobek in Case C‑645/19, Facebook Ireland and Others, para. 119.
37 On the notion of processing of personal data carried out “in the context of the activities of” an establishment,
see EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), Version 2.1 (12 November 2019),
pp. 7-9.




pursuant to Article 56(1) of the GDPR, the IE SA is competent to act as “lead supervisory
authority” for such cross-border processing, in accordance with the procedure set out in Article
60 of the GDPR.

However, we qualify as a “supervisory authority concerned” within the meaning of Article
4(22) of the GDPR in that procedure, as the controller is established in Norway – through
Facebook Norway AS – and data subjects residing in Norway are likely to be substantially
affected by the processing.38 As such, we have the powers attributed to supervisory authorities
concerned under Article 60(11) and 66 of the GDPR.

   7.2. The need to protect the rights and freedoms of data subjects in Norway


Based on the evidence provided by the IE SA, we consider that Meta’s processing in the context
of the Services for Behavioural Advertising results in several violations of the GDPR, which
are likely to entail significant risks for data subjects, including data subjects in Norway.


        7.2.1. Analysis of compliance with Article 6(1) GDPR

We have a number of concerns pertaining to Meta’s assertion that it has brought its
Behavioural Advertising activities into compliance with Article 6(1) GDPR. The below
assessment may not be exhaustive as we have chosen to focus on the main issues identified.


                   7.2.1.1.    Definition of processing in scope

We find that Meta has incorrectly understood what constitutes “processing of personal data
for the purposes of behavioural advertising” in the IE Decisions. 39

In this regard, we note how Meta defines non-behavioural “Limited Advertising Information”
[REDACTED].

In this regard, the following two statements from the Meta Privacy Policy, [REDACTED] is
of particular interest:

        [Under “How do we use your information?” and “How we show ads and other
        sponsored or commercial content”] The ads we show you will always be based on your
        basic information: your age, the gender you provide, and location. They’ll also be
        based on certain device information, like the device you’re using and the language
        you choose on that device, as well as information about the ads we show you and how
        you engage with those ads.


        [Under “What is our legal basis” and “Legitimate Interests”] Your activity and
        information that you provide: (...) Types of content that you view or interact with, and



38 See Article 4(22)(a) and (b) of the GDPR.
39 IN-18-5-5 para. 10.44(b) and IN-18-5-7 para. 417(b), respectively.



        how you interact with it. This excludes the ads you see and interact with on Meta
        Products (…)

Our understanding of the privacy policy is that Meta considers the processing of:


    •   location information, including GPS location, data subjects’ activity on Meta products
        and the places data subjects like to go and the businesses and people data subjects are
        near; and

    •   information about ads that Meta shows and how data subjects engage with those ads,


to be based on Article 6(1)(b).

Meta’s use of location data to inform which ads are displayed to data subjects clearly
constitutes Behavioural Advertising. It is unclear to us what this location is estimated on the
basis of, if not the data subject’s behaviour.

For information about data subjects’ engagement with ads, we understand that data subjects
may click on “Hide Ad” and that one effect of this would be that the particular ad is not
shown to that data subject again. We agree with Meta’s assertion set out in its letter of 30 June
2023 that this in itself does not constitute processing for Behavioural Advertising. However,
to the extent that this or any other engagement with an ad is used to inform which other ads a
data subject should see, we find that the processing of personal data does take place for
Behavioural Advertising.


Therefore, the processing of location data and data subjects’ interactions with ads based on
6(1)(b) is not in line with the IE Decisions, and as such, it is unlawful.

                    7.2.1.2.   Data subjects’ reasonable expectations

[REDACTED], Meta relies on an assertion that the data subjects undisputedly want and
expect Behavioural Advertising based on monitoring and profiling of their behaviour. This
appears to have impacted Meta’s assessment of all elements of Article 6(1)(f).

Meta’s assertions in this context are unconvincing and problematic for several reasons:

    •   Limited documentation exists to support Meta’s assertion, and some of the available
        documentation directly contradicts it. A case in point is the Gallup survey referred to
        in EDPB Binding Decisions 3/2022 and 4/2022.40 The survey, which was
        commissioned by NOYB – European Center for Digital Rights, points out that most
        respondents perceive Facebook’s placement of advertising as primarily being
        motivated by advertisers’ interests as opposed to data subjects’ interests, and that the
        bulk of advertising on Facebook is not useful to them. Hence, the majority of data
        subjects do not want Behavioural Advertising. Another example is our 2019–2020
        Data Protection Survey, which more generally showed that 74 % of respondents view
40
  An informal translation of the survey is available at https://noyb.eu/sites/default/files/2020-
05/Gallup_Facebook_EN.pdf (accessed on 20 April 2023).



                                                                                                15        Behavioural Advertising negatively. In this regard it may also be relevant to note that

        in that same survey, only 10 % of respondents expressed trust in how social media  41
        platforms such as Facebook, Twitter and LinkedIn process their personal data.

    •   As a precondition for drawing conclusions about data subject’s expectations, Meta
        appears to believe that data subjects are fully informed of and comprehend how their
        personal data are processed for Behavioural Advertising, referring to its privacy
        policies. While it is presently out of scope to assess to what degree Meta’s privacy
        policies provide effective transparency, and regardless of whether the policies prove to
        be informative to an average data subject, many data subjects simply do not read them.
        It would be unrealistic to suggest that any significant proportion of data subjects have
        the time, capacity or desire to read in detail the privacy policies for all the apps and
        services they use, including those of the Services, nor that they can somehow be
        legitimately expected to do so.[42][43] Hence, this precondition for Meta’s conclusions
        appears ill-founded.

    •   Additionally, it is important to avoid fallacious arguments that the contents of a
        privacy policy can dictate what constitutes data subjects’ reasonable expectations.
        Recital 47 GDPR usefully clarifies that when assessing what is reasonable to expect
        from a data subject’s perspective, the starting point of the assessment is the data
        subject’s relationship with the controller, i.e., not what the controller has told the data
        subject that they should expect. Moreover, the mere fulfilment of the controllers’
        transparency obligations is not sufficient to conclude that the processing is within the
        data subjects’ reasonable expectations in the context of the assessment under Article
        6(1)(f).


    •   If Meta’s assertion holds true – that data subjects want Behavioural Advertising – we
        fail to understand why Meta is not willing to introduce a prominent and easily
        available setting for Behavioural Advertising that data subjects can toggle. Meta’s
        allegation that Behavioural Advertising is in line with data subjects’ preferences,
        appears leveraged as an argument for why data subjects should not be able to freely
        exercise their preferences, which seems rather illogical.

The IE Decisions, issued subsequent to EDPB Binding Decisions 3/2022 and 4/2022, clearly
reject Meta’s representations that Behavioural Advertising is a core element of the Services.
Contrastingly, as an example, [REDACTED] states as follows:

        [REDACTED]

[41] The full survey as well as information about its methodology is available in Norwegian at
https://www.datatilsynet.no/regelverk-og-verktoy/rapporter-og-utredninger/personvernundersokelser/personvernundersokelsen-20192020/ (accessed on 20 April 2023).
[42] Receiving information pursuant to Article 12–14 GDPR is a right for data subjects, and only data subjects
decide to what extent they wish to exercise their data protection rights set out in Chapter III GDPR.
[43] To illustrate this point, the Norwegian Consumer Council organised a reading of the terms for all the apps on
an average phone, which lasted for 32 hours – and to add to that, terms and policies are continuously updated.
More information on the Norwegian Consumer Council’s #appfail campaign is available at
https://www.forbrukerradet.no/side/the-consumer-council-and-friends-read-app-terms-for-32-hours/ (accessed
on 20 April 2023).

Finally, we note the statements of the CJEU in the Bundeskartellamt Judgment that data
subjects “cannot reasonably expect that the operator of the social network will process that
user’s personal data, without his or her consent, for the purposes of personalised
advertising.”[44]

In sum, we find that Meta’s assumptions in this regard were incorrect, and as a consequence,
Meta’s assessment of the elements of Article 6(1)(f) has been skewed correspondingly.


                    7.2.1.3.    Necessity

We find Meta’s assertion of necessity [REDACTED] unconvincing for the following reasons:

    •   Necessity is not granularly assessed for the individual legitimate interests pursued
        [REDACTED], which is what we consider to be the correct topic of assessment.
        Instead, Meta has seemingly considered necessity related to overall goals of delivering
        highly personalised ads and maximising profit[45] – which will invariably require
        intrusive monitoring. The assessment is therefore based on a flawed premise, which
        erroneously yields a perceived necessity of processing.


    •   There is no real assessment of whether it would be possible to still pursue a viable and
        revenue-generating business model if the extent of Behavioural Advertising and the
        degree of personalisation was curtailed, or if data subjects were granted more choice
        and involvement. We believe there is a need to assess a wider range of alternative
        advertising models. Here, it is worth noting that adaptation based on behaviour is just
        one way of achieving personalisation. Ads can for instance also be personalised based
        on a data subject’s declaration of their interests for advertising purposes.

    •   [REDACTED] Meta states that the processing is proportionate because it is
        “[REDACTED]”, which we again disagree with. Meta furthermore points to controls
        available to data subjects as well as the possibility to lodge objections.
        Notwithstanding how we would assess the appropriateness and effectiveness of those
        tools, we would like to point out that they are effectively hidden from view for most
        data subjects and that it would require many steps and an amount of active effort for
        data subjects to utilise them. Such tools being available for motivated data subjects
        does not mitigate the intrusive nature of the processing in general for all data subjects.
        Meta remains responsible for its processing of personal data, and this responsibility
        cannot be shifted over to the data subjects.


    •   [REDACTED], Meta points to the necessity to perform Behavioural Advertising as
        this is allegedly the only way for them to remain competitive in the market, referring
        to other businesses carrying out this type of processing. We note that the fact that
        other entities carry out a certain processing is not in itself an argument for its
        lawfulness. Furthermore, we refer back to the fact that Meta has not assessed the
        viability of alternative advertising models.

[44] Bundeskartellamt Judgment, para. 117.
[45] We note that Meta’s pre-tax profits for 2021 amounted to €1.184 billion. See
https://www.rte.ie/news/business/2022/1125/1338373-meta-ireland-ups-provision-for-regulatory-fines-by-2bn/,
last accessed on 3 July 2023.

Considering that it most likely is possible for Meta to generate a profit and to pursue its
legitimate interest in a number of ways that may be less intrusive to data subjects, while
considering that Meta has not demonstrated any attempts at doing so,[47] we do not agree that
the current processing of personal data for Behavioural Advertising fulfils the necessity
criterion of Article 6(1)(f).


                    7.2.1.4.    Balancing test

We do not share Meta’s conclusions that its interests outweigh the interests, rights and
freedoms of data subjects.

As an overall observation, [REDACTED] excessively emphasises the benefits of the Services
with very little attention left to potential risks and adverse effects. A general lack of balanced
and nuanced assessments impacts the credibility [REDACTED].

We believe that certain possible adverse impacts to data subjects and risks to their
fundamental rights and freedoms have been underplayed in, or omitted from, Meta’s
assessment. The assessment furthermore appears to downplay the impact of the processing on
rights and freedoms.

We wish to highlight the following points missing [REDACTED]:


    •   There is no overview of data subjects’ interests that may be adversely affected by the
        processing at hand, though this is an element that needs to be assessed under Article
        6(1)(f).


    •   Meta fails to include several relevant elements when it comes to the assessment of the
        likelihood and severity of the potential risks[48] identified [REDACTED].

            o Meta does not provide any explanation or reasoning for the qualification of the
                different risks identified in terms of the severity of the risks and the likelihood
                of the risks materialising.
            o As for the risk “potential for discrimination”, Meta states that the likelihood of
                the risk materialising is “[REDACTED]”. In this regard, Meta refers to the
                company no longer offering targeting options that relate to certain topics the
                data subjects may perceive as sensitive. The assessment does not include
                Meta’s considerations of whether data subjects can be discriminated against on
                the basis of other categories of data, nor whether the type of data identified as
                sensitive could be processed indirectly by Meta through their Behavioural
                Advertising activities.
            o In the same vein, when it comes to the risk for “filter bubbles”,[49] Meta
                reiterates that certain sensitive or protected characteristics cannot be directly
                used for targeting. Again, Meta fails to consider whether such categories of
                data can be processed indirectly, which may imply a higher risk for “filter
                bubbles”. Moreover, we consider that Meta fails to take into consideration the
                potential negative societal impacts of such “filter bubbles”, regardless of the
                sensitivity of the data, and accordingly that this risk is not assessed to the
                extent appropriate.
            o In relation to the risks identified, Meta refers to the data subjects being offered
                a number of mechanisms to provide them with control over the types of
                advertisements that they see.[50] In our view, these measures would contribute to
                reducing the potential of discrimination to a rather limited extent. We also
                question how these ex post tools could be helpful to the data subjects in cases
                where they do not necessarily understand that they are seeing an ad or how an
                ad has been targeted towards them.

[46] [REDACTED]
[47] It is the controller who bears the burden of proving that personal data are processed lawfully. See
Bundeskartellamt Judgment, para. 95.
[48] We have concerns relating to the risk-based approach in quantifying the impact on the data subjects’ rights and
freedoms, as this seems to imply that the impact is of a prospective nature and outside of Meta’s control.


    •   There is also an assessment of the impact on human rights [REDACTED] pertains to
        Meta’s legitimate interests, it is arguably relevant also under the balancing test. Meta
        asserts that its Behavioural Advertising is designed to promote and benefit human
        rights protection. We find this assessment of human rights norms flawed and
        one-sided. For example:

            o Meta states that ensuring the viability of the Services is integral to the right to
                private life, without touching upon how the large-scale and intrusive
                processing of personal data may have a detrimental effect on privacy.

            o Regarding Meta’s statements on information freedom rights, [REDACTED]
                does not appropriately consider that Meta’s Behavioural Advertising, through
                its filtering and personalisation of content, may prevent certain data subjects
                from seeing information that is available to other data subjects. There is no
                assessment of how this may reinforce stereotypes or how it may affect political
                participation.

    •   Meta’s assertion that the processing in question fulfils the balancing test appears to be
        missing proper consideration of inter alia the categories of personal data which are
        being processed, the extent and manner of processing, and the number of data subjects
        affected.

    •   Also lacking in the balancing test is an assessment of whether special categories of
        personal data may be inferred and inadvertently processed in this context, especially in
        light of C-184/20. Furthermore, while we note that Meta in its letter dated 21 June
        2023 asserts that it does not process any such data, this is contrasted by the statements
        of the CJEU in the Bundeskartellamt Judgment.[51]

[49] [REDACTED]
[50] [REDACTED]


    •   It appears that Meta has not taken into consideration the impact on vulnerable
        individuals.


    •   There is no assessment of the nature of Meta’s legitimate interests or how compelling
        they are.

    •   It appears that the “Why you’re seeing this ad?” tool on Instagram offers less
        information than the equivalent tool on Facebook. On Facebook, data subjects are
        presented with two categories for further exploration, “Your activity” and “Advertiser
        choices”. However, on Instagram, the “Your activity” category appears to be missing.
        This difference is not explained nor justified [REDACTED].

We also wish to highlight the following irrelevant factors included in Meta’s assessment:


    •   [REDACTED]

    •   [REDACTED], Meta lists safeguards it has adopted as mitigating measures. However,
        several of the measures listed appear to be measures already required by other
        provisions of the GDPR. Measures required for compliance with other GDPR
        provisions are not relevant as safeguards [REDACTED].

            o As an example, Meta refers to restrictions on targeting criteria. Several of the
                categories mentioned [REDACTED] are special categories falling under
                Article 9 GDPR. Thus, a restriction of processing of these categories of
                personal data already follows from the GDPR and cannot be considered as a
                mitigating measure when performing a balancing test under Article 6(1)(f).


    •   In their conclusion of the balancing test, Meta argues that Meta and third parties would
        be prejudiced if the processing could not be carried out. From this, it appears that
        Meta takes the approach that the point of departure for the assessment is that
        Behavioural Advertising is to be used. We do not agree with this approach. The fact
        that Meta has relied on Behavioural Advertising so far, does not imply that a possible
        conclusion that they are not able to rely on this kind of advertising on the basis of
        Article 6(1)(f) should be considered a prejudice inflicted on Meta relevant for the
        assessment. The legal basis for a processing of personal data should, in any case, be in
        place before the processing is initiated.






[51] Bundeskartellamt Judgment, paras. 71–72.
[52] [REDACTED]
[53] [REDACTED]

Regardless of the shortcomings [REDACTED], when assessing whether Meta’s processing
for Behavioural Advertising fulfils the balancing test, the following elements are particularly
relevant:

    •   Meta’s commercial interests are not in themselves of a highly compelling nature, and
        there are a number of alternative advertising models that Meta can rely on in pursuit of
        its commercial interests;

    •   The data subjects cannot reasonably expect processing of their personal data for
        Behavioural Advertising.[54]


    •   The processing of personal data for Behavioural Advertising entails continuous and
        comprehensive monitoring of data subjects’ behaviour on platforms many of them use
        frequently and may perceive as of a private nature;

    •   Intrusive profiling takes place through automated means resulting in detailed
        inferences that may or may not be correct and that the data subjects may or may not
        feel comfortable with;

    •   Processing of personal data for Behavioural Advertising is complex and opaque, most
        data subjects may not fully understand those processing operations, and it is difficult
        for data subjects to comprehend which inferences are made about them;


    •   The personal data processed in this context, including analyses of what type of content
        you are likely interested in, will speak to the personal life and personality of data
        subjects, meaning that it can be highly sensitive;

    •   It may be possible to infer special category data. In this regard, we have recently
        encountered two examples illustrating the issue:

            o A queer NO SA employee reviewed their ad topics and ad interests on
                Instagram and found that they included “Pride” and “Gay Love”. While these
                two categories are presumably not meant to speak to anyone’s sexual
                orientation but rather their interests, inferences can be made which would
                entail adverse effects to data subjects’ data protection rights. Furthermore,
                Article 9 GDPR may be applicable.
            o An individual has contacted us because they received content in their Facebook
                feed that advertised eyewear for people with a certain disease. The individual
                in question is in fact a caregiver for a child with that particular disease as well
                as a member of Facebook Groups related to the disease. The individual
                contacted the organisation having placed the ad, which responded that it had
                not specified any sensitive categories when targeting the ad. However, the
                organisation had availed of Meta’s automatised ad optimisation tools.



[54] Bundeskartellamt Judgment, para. 117.

    •   There are over 250 million average monthly active users on both Facebook and
        Instagram in the EU.[55] In Norway, approximately 3.56 million adult individuals, or 82
        % of the adult population, have a Facebook account, while approximately 2.82 million
        adult individuals, or 65 % of the adult population have an Instagram account.[56]
        Around 66 and 42 % of the adult population in Norway are daily users of Facebook
        and Instagram, respectively;[57]

    •   There are many vulnerable data subjects in need of particular protection using the
        Services, such as young people, elderly people and people with cognitive disabilities;

    •   Meta tracks data subjects inter alia across the Facebook and Instagram websites and
        apps and across locations;[58]


    •   Data protection tools are generally hidden away from sight so that in practice they are
        effectively reserved for a minority of motivated data subjects looking for them or
        reading the privacy policy;

    •   Processing of personal data for Behavioural Advertising results in Meta filtering
        which ads are shown to which data subjects. As a result, certain data subjects may be
        prevented from seeing information that other groups in society will see, and data
        subjects cannot control this. Hence, there is a clear adverse effect on data subjects’
        freedom of information. This filtering also creates a potential for reinforcement of
        existing stereotypes, and it can leave data subjects open to discrimination. In the
        context of political advertising, it may adversely affect political participation. While
        these effects are often invisible, they are nonetheless profound, both to the data
        subjects and to society at large.

Based on the above, we find that the interests and fundamental rights and freedoms of data
subjects outweigh the legitimate interests of Meta.

                    7.2.1.5.    Threat of charging data subjects

[REDACTED] states that “[REDACTED]” The same is implied throughout [REDACTED].

This statement, which is not documented, may suggest that certain data subjects would be
penalised should supervisory authorities intervene in response to any potential violations of
the law related to Behavioural Advertising.

In our view, it is Meta’s responsibility to design a business model that is both lawful and
viable. Any failure to do so would lead to liability on the part of Meta, not its users. We also
have concerns as to which data subjects Meta would seek to penalise – to be sure, any attempt
to penalise data subjects exercising their statutory data protection rights would not be
legitimate.

[55] See information for February 2023 provided by Meta under the Digital Services Act:
https://transparency.fb.com/sr/dsa-report-feb2023/ (accessed on 5 May 2023).
[56] See https://www.ipsos.com/sites/default/files/ct/publication/documents/2023-04/Ipsos%20SoMe-tracker%20Q1%202023.pdf (accessed on 29 June 2023).
[57] Ibid.
[58] We understand that Meta tracks individuals across third-party websites and apps as well, purportedly in
reliance on Article 6(1)(a) GDPR.

                   7.2.1.6.   Conclusion

In sum, we believe that the current processing has not been brought into compliance with
Article 6(1).

We would like to reiterate that this is a conclusion based on substance rather than formalities.
In other words, changing the wording [REDACTED] as a paperwork exercise would not
amend the problems identified.

Moving forward, looking at the adequate and sufficient commitments Meta may provide to
ensure compliance and to lift the ban, we would welcome dialogue on elements such as
limiting the scope of processing of personal data for Behavioural Advertising and introducing
new user settings for Behavioural Advertising.

        7.2.2. Analysis of compliance with Article 21 GDPR

Following the change of legal basis of some processing of personal data for Behavioural
Advertising to Article 6(1)(f), Meta appeared to frame objections to such processing as
objections under Article 21(1) GDPR. This would imply that data subjects can only object based
on grounds relating to their particular situation and that the success of the objection is
conditional on a case-by-case assessment.


Meta provides advertisements to individual data subjects on the Facebook and Instagram
services by displaying them on an individual data subject’s Facebook or Instagram account in
various ways, including for example:

    •   On a data subject’s Facebook feed (the constantly updating list of status updates, photos,
        videos and more from friends, pages, groups and advertisers in the middle of the
        Facebook home page)
    •   On a data subject’s Instagram feed (the constantly updating list of photos and videos
        that appear from accounts that people follow and from advertisers)
    •   On a data subject’s Facebook or Instagram stories section (“you can use stories to share
        everyday moments with your friends and followers”)
    •   On a data subject’s Facebook or Instagram Reels feed (“you can create reels for a global
        audience or share them with your friends and family”)

The digital spaces mentioned above are personalised to each data subject, and they are unique
to each and every data subject. For Facebook specifically, this is supported by the following
wording in the Facebook Terms of Service[59]: “Your experience on Facebook is unique to you
and unlike anyone else’s: from the Posts, Stories, events, ads and other content that you see in
Facebook News Feed or our video platform to the Facebook Pages that you follow and other
features that you might use, such as Facebook Marketplace and search…”.

[59] https://m.facebook.com/legal/terms (Accessed on 1 May 2023)

We understand that an individual data subject’s experience on Instagram is also unique to them.
We therefore consider that an individual data subject’s Facebook or Instagram account,
including any of an individual data subject’s Facebook or Instagram feeds, is a private digital
space unique to that data subject.

In addition, only the data subject has access to the above spaces, as they need to log in to their
account to gain access. No-one else other than a Facebook or Instagram data subject has access
to their personalised, unique spaces.

Furthermore, data subjects’ Facebook and Instagram feeds and stories section contain content
of a private nature that data subjects’ connections have chosen to share with a specified group
of people, such as e.g. their Facebook “friends”, a custom list of their Facebook “friends”, or
their “close friends” on Instagram.

We consider it is clear that the processing of personal data for Behavioural Advertising pursues
a commercial purpose.

In light of this, we consider that processing of personal data for Behavioural Advertising in the
context of the Services constitutes “personal data processed for direct marketing purposes”
pursuant to Article 21(2) GDPR. Consequently, the data subject’s right to object to such
processing unconditionally and without providing a reason under Article 21(2) GDPR is
triggered.


Meta allows data subjects to object to processing for Behavioural Advertising through a
dedicated objection channel, accessible to data subjects on the Services by:

    •   Navigating to the Meta Privacy Policy;
    •   Scrolling down to the section entitled “You have the following rights under the GDPR
        and other relevant data protection laws”;
    •   Clicking the sub-section “Object”; and
    •   Clicking the link “right to object to” or “object”.

Going through these steps will lead the data subject to a new page where you have to:


    •   Select your country of residence;
    •   Select whether you need help with either Facebook or Instagram;
    •   Indicate whether you are under or over 18 years of age;
    •   Select whether you want to manage your information or report something to Facebook;
    •   Select the option “I want to object to the use of my information”; and
    •   Select “I want to object to the use of certain activity information to show me ads”

This last option, "I want to object to the use of certain activity information to show me ads",
was added by Meta as a direct result of changing the legal basis of some processing of personal
data for Behavioural Advertising from Article 6(1)(b) GDPR to Article 6(1)(f) GDPR.

The data subject is then presented with a form where they are prompted to explain how this
processing impacts them, and to provide any additional information they believe will help Meta
review their objection. The data subject is obliged to enter text in the fields with the titles
"Please tell us how that product or service is using your personal information for which you are
submitting this objection" and "Please tell us why you want to object to that product or service's
use of your personal information", otherwise the data subject cannot submit their objection.

Following this, the data subject can send their objection to Meta for consideration.

We note that in Meta's privacy policy, it states as follows:

        You can object to our processing of your information when we rely on legitimate
        interests or perform a task in the public interest. We will consider several factors when
        assessing an objection [emphasis added], including:

            •   Our users' reasonable expectations
            •   The benefits and risks to you, us, other users or third parties
            •   Other available means to achieve the same purpose that may be less invasive
                and do not require disproportionate effort

        Unless we find that we have compelling legitimate grounds for this processing which
        are not outweighed by your interests or fundamental rights and freedoms [emphasis
        added], or the processing is needed for legal reasons, your objection will be upheld. In
        that case, we will cease processing your information. To learn more about the
        circumstances in which an objection may be successful, please visit the Help Centre.

The data subject is not at this point told that they may object to the processing of their personal
data for direct marketing purposes without providing a reason.


We further note that in Meta's “Help Centre” the data subject is told how to submit an objection
under the heading “How can I submit an objection?”, and this tells the data subject that they
will be asked to complete a form where they must explain the reasons for their objection. The
data subject is also told that they should use the form where they want to object to the processing
of their personal data for direct marketing.

Meta repeatedly states [REDACTED] that it will stop processing personal data for Behavioural
Advertising only where objections are “valid”, and that a dedicated team of specialist personnel
will assess the validity of objections.


Meta further states in its letter dated 21 June 2023 referenced above that it:

        considers a 'valid objection' to be one that meets two basic criteria, in that it (a) relates
        to Behavioural Advertising Processing and (b) is submitted by a genuine user based in
        the European Economic Area (to confirm Meta Ireland is the controller and the GDPR
        applies).

        and;

        At no point in the process does Meta Ireland undertake a balancing assessment to seek
        to determine whether it has compelling legitimate grounds to override the user's valid
        objection and continue Behavioural Advertising Processing.

We consider that in conjunction with its shift from Article 6(1)(b) GDPR to Article 6(1)(f)
GDPR as a legal basis, Meta has introduced restrictions to the right to object to processing for
direct marketing purposes under Article 21(2) GDPR that are not legally permissible:

    •   A data subject is at no point informed of Meta's criteria to determine whether an
        objection to Behavioural Advertising is valid or not. Data subjects are instead told that

        they must provide reasoning for their objection – even their objection to Behavioural
        Advertising as a form of direct marketing. They are furthermore informed that all
        objections submitted through Meta's online form (which is the only way a data subject
        can submit an objection) will be assessed by Meta before a decision is made as to

        whether a data subject's objection is upheld or not. We find that this is not in line with
        Articles 12(1) and (2) and 13(2)(b) GDPR.
    •   When Meta requires data subjects to provide reasoning for their objection to

        Behavioural Advertising as a form of direct marketing, Meta requires more personal
        data than is necessary in order to comply with such request. We find that this is not in
        line with Article 5(1)(c) GDPR (the data minimisation principle) and further such
        processing does not appear to have a legal basis under Article 6(1) GDPR.


On a side note, pursuant to Article 21(4) GDPR, the right to object shall be explicitly brought
to the attention of the data subject and be presented clearly and separately from any other
information, at the latest at the time of the first communication with the data subject.60 We

cannot see that Meta presents to data subjects the right to object to processing of personal data
for direct marketing clearly and separately from other information, particularly as Meta requires
data subjects to submit their objections on one form that is tailored only to a data subject's right
to object under Article 21(1) GDPR.


   7.3. The exceptional circumstances

There are several exceptional circumstances at play, pursuant to Article 66(1) GDPR:


60 While the user notification about change of legal basis referenced [REDACTED] would not be sufficient to
fulfil Article 21(4) GDPR, we take note of the fact that this notification was not displayed during our tests in the
period of 5 April to 5 May 2023.



    •   The IE SA has very recently issued the IE Decisions ordering Meta to bring its

        Behavioural Advertising into compliance with Article 6(1), which directly affects the
        rights and freedoms of hundreds of millions of data subjects across Europe and the
        majority of the adult Norwegian population.

    •   Meta has consequently changed its legal basis as of 5 April 2023 – from Article 6(1)(b)
        to Article 6(1)(f) – for most of its processing of personal data of data subjects in Europe
        (including in Norway) for Behavioural Advertising. Indeed, as noted by Meta, this is

        not just a nominal change, as “[t]o enable its reliance on Article 6(1)(f) GDPR for
        Behavioural Advertising Processing, [Meta] has […] substantially redesign[ed] its
        infrastructure, processes, and systems relevant to carrying out Behavioural Advertising
        Processing”.61
    •   Nonetheless, as is evident from our assessment above, Meta’s Behavioural Advertising

        is clearly still not compliant with Article 6(1) despite the deadline for complying with
        the IE Decisions having elapsed.
    •   The CJEU addressed the lawfulness of Meta’s processing of personal data in the

        Bundeskartellamt Judgment of 4 July. As explained above, the court stated that Meta
        cannot rely on Article 6(1)(f) GDPR for Behavioural Advertising; however, Meta
        continues to do so.

    •   The existence of exceptional circumstances, which justify the adoption of urgent and
        provisional measures under Article 66(1) GDPR, is further evidenced by the fact that IE
        SA has not adopted any measures towards Meta in response to our express request to
        that effect, nor has it indicated that any measures will be imposed in the future.62 As
        noted by Advocate General Bobek in Facebook Ireland and Others, “[a] failure to act
        in a specific case of cross-border processing by the LSA, despite a request to that effect

        by an SAC, may […] enable the latter to adopt the urgent measures considered necessary
        to protect the interests of data subjects.”

   7.4. The urgent need to act


As outlined above, Meta’s processing of personal data for Behavioural Advertising gives rise
to several infringements of the GDPR that result in significant risks for data subjects, including
data subjects in Norway. While it is true that Meta’s processing for Behavioural Advertising

has been ongoing for many years, what is new and what warrants urgent action, is that the IE
Decisions to bring the processing into compliance with Article 6(1) were issued on 31 December
2022 with a three-month deadline to comply, as well as the unlawful changes Meta adopted as
a result.64 At present, the IE Decisions have still not been complied with. Despite the fact that
European supervisory authorities through the IE Decisions have clearly instructed Meta to


61 Meta’s Compliance Reports to the IE SA dated 3 April 2023.
62 See section 3 above.
63 Opinion of Advocate General Bobek in Case C‑645/19, Facebook Ireland and Others, para. 119.
64 Meta’s shift of legal basis for some Behavioural Advertising activities to Article 6(1)(f) on 5 April 2023 is a
novelty. Since Article 6(1)(f) is not a suitable legal basis for that processing, this shift arguably constitutes a new
violation of the GDPR in its own right.




remedy the state of non-compliance, after a thorough and extensive inquiry, the violation still
persists. This prolonged state of non-compliance demands immediate action, to protect the

rights and freedoms of data subjects. Not taking urgent action to ensure compliance with the
recent IE Decisions would leave data subjects at acute risk and effectively deprive them of the
protections they are entitled to under the GDPR, including the right to seek effective remedy
against controllers from supervisory authorities.65 Furthermore, it would undermine the

authority and powers of data protection authorities and invite dilatory strategies from non-
compliant controllers.

The urgency of the provisional measures must be assessed in relation to the need to protect the
rights and freedoms of data subjects.66 In this regard, see in particular section 7.2.1.4, which
shows that the adverse effects on data subjects and their fundamental rights and freedoms are
considerable. The unlawful processing affects the majority of the population of Norway and the

EEA, and as noted above, the processing entails processing of very private and sensitive
personal data through highly opaque and intrusive monitoring and profiling operations. Meta
has not taken duly into account the impact of its Behavioural Advertising practices on
vulnerable individuals. Additionally, data subjects’ freedom of information, right to political

participation and protections against discrimination are at risk.

An additional element underpinning urgency is the Bundeskartellamt Judgment of 4 July 2023,
which essentially rejected that Meta can rely on Article 6(1)(b) and 6(1)(f) GDPR for

Behavioural Advertising. Nonetheless, Meta continues to do so. This recent clarification from
the Grand Chamber of the CJEU warrants immediate action.

The consequence of not adopting urgent measures is that Meta is allowed to process
personal data unlawfully in violation of the mentioned IE Decisions indefinitely, while it essentially
continues its dialogue and negotiates with the IE SA. We fear that such a process could
potentially take several years. However, compliance with legally binding orders is not a matter
of negotiation. The IE Decisions were issued in line with good administration where Meta’s

views were duly heard. Therefore, no postponement of compliance with the IE Decisions is
acceptable.

The only way to ensure data subjects’ rights and freedoms until Meta remedies its processing

of personal data for Behavioural Advertising, and to avoid potentially irreparable harm to them,
is to urgently impose a temporary ban on the processing activities found unlawful on 31
December 2022 and 4 July 2023.


Moreover, it should be stressed that – as noted above – through its shift of legal basis, Meta has
introduced restrictions to the right to object to processing for direct marketing purposes. This
entails that the exercise of the right at issue is considerably impeded, and that the adoption of
urgent measures to remedy this situation is warranted. In this respect, Recital 137 GDPR states


65 See Article 77 GDPR.
66 See Recital 137 GDPR.



that an urgent need to act in order to protect the rights and freedoms of data subjects exists “in
particular when the danger exists that the enforcement of a right of a data subject could be

considerably impeded.” We consider that the enforcement of rights of a high number of data
subjects could be considerably impeded due to the mentioned obstacles in obtaining the right
to object, which were introduced by Meta on 5 April 2023.


In any event, in the present case, the urgent need to act may be presumed to be met, in
accordance with Article 61(8).

Pursuant to Article 61(1), we requested the IE SA to provide a timeline for how it would ensure
that Meta complies with Article 6(1) GDPR in an expedient manner. We have not received such

information. Instead, we have received a timeline for the finalisation of the IE SA’s assessment
of compliance. That is not the same thing, as the information received does not indicate which
corrective measures the IE SA is prepared to impose following a finding of non-compliance nor

any timeframe for such imposition. The IE SA has not indicated that it intends to share any
information additional to the result of its compliance assessment. Furthermore, we have not
received any explanation as to why it was not possible to provide the requested information.
Therefore, Article 61(8) applies, which means that the urgent need to act under Article 66(1) is

presumed to be met.

Additionally, the IE SA has not taken any measures against Meta, despite our request to that
effect submitted to the IE SA pursuant to Article 61(1) GDPR. Again we refer to the Opinion

of Advocate General Bobek in Facebook Ireland and Others, which states that not acting on a
request from a CSA may enable the CSA to adopt urgent measures considered necessary to
protect the interests of data subjects.


For the reasons set out above, we have decided to adopt the urgent and provisional measures
laid down in the present order pursuant to Article 66(1) of the GDPR.

 8. Need for advance notification


Pursuant to Section 16 of the Norwegian Public Administration Act (in Norwegian:
forvaltningsloven), a party who has not already expressed their opinion on the case should
receive advance notification before a decision is made. In the present case, Meta has expressed
its opinion on the case through its letters dated 21 and 30 June 2023, and hence the obligation

to provide advance notification does not apply.

For the sake of clarity, Facebook Norway AS is merely an establishment of Meta as the
controller, and as such, we consider that Meta’s comments also cover and represent Facebook

Norway AS’ views.



67 See Opinion of Advocate General Bobek in Case C‑645/19, Facebook Ireland and Others, para. 119.
68 Opinion of Advocate General Bobek in Case C‑645/19, Facebook Ireland and Others, para. 119.



In any case, even if the obligation to provide advance notification had applied, the exemption
in Section 16 third paragraph letter c would be applicable. This is because you, as a matter of
fact, were informed by the IE SA that we may adopt provisional measures entailing a ban, you
received a copy of our assessments dated 5 May 2023, and Meta and any relevant subsidiaries

had reasonable opportunity and time to express an opinion (which, again, you have done).

On a side note, there is an urgent need for us to act, the present order is temporary, it does not
entail a financial sanction, and through this letter, Meta has been afforded a right to be heard
before the case is assessed by the EDPB in light of potentially adopting final measures.


 9. Right of appeal

As this decision has been adopted pursuant to Chapter VII GDPR, pursuant to Article 22(2) of
the Norwegian Data Protection Act, the present decision may not be appealed before the Privacy
Appeals Board (in Norwegian: Personvernnemda). However, the present decision may be

challenged before Oslo District Court (in Norwegian: Oslo tingrett) in accordance with Article
78(1) GDPR, Article 25 of the Norwegian Data Protection Act and Article 4-4(4) of the
Norwegian Dispute Act (in Norwegian: tvisteloven).69

 10. Right to access the case documents


As a party in the present case, you have the right to get access to the case documents we hold
in accordance with Section 18 of the Norwegian Public Administration Act, unless one of the
exceptions set out in Sections 18 or 19 of the latter Act applies.


 11. Public access to documents

Under Section 3 of the Norwegian Freedom of Information Act (in Norwegian:
offentlighetsloven), all case documents we hold are, as a rule, subject to public access. If you
believe that you are lawfully entitled to obtain that any of the case documents – including

documents you will share with us in response to the present order – be partly or entirely
exempted from public access, please notify us and provide an explanation for your claim.

If you have any questions regarding the present order, please contact Tobias Judin at

tobias@datatilsynet.no.



Kind regards



Line Coll
Director General

69 See Section 22 of the Act of 15 June 2018 No. 38 relating to the processing of personal data (in Norwegian:
personopplysningsloven).



Anna Kristin Ulfarsdottir
Specialist Director

Anne Eidsaa Hamre
Legal Adviser

Guro Fiskvik Åsbø

Senior Legal Adviser

Luca Tosoni
Specialist Director

Sebastian Forbes
Senior Legal Adviser


Tanja Czelusniak
Senior Legal Adviser

Tobias Judin
Head of International Section


Trine Smedbold
Senior Legal Adviser