Datatilsynet (Norway) - 23-114365TVI-TOSL/08 and 23-114359TVI-TOSL/08
From GDPRhub
| Datatilsynet - 23-114365TVI-TOSL/08 and 23-114359TVI-TOSL/08 | |
|---|---|
 | |
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 6(1)(b) GDPR Article 6(1)(f) GDPR Article 61(8) GDPR Article 66(1) GDPR |
| Type: | Other |
| Outcome: | n/a |
| Started: | |
| Decided: | 06.09.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | Meta Datatilsynet |
| National Case Number/Name: | 23-114365TVI-TOSL/08 and 23-114359TVI-TOSL/08 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Norwegian |
| Original Source: | Application for a temporary injunction against the Data Inspectorate's decision (in NO) |
| Initial Contributor: | Sophia Hassel |
The Oslo District Court rejected Meta’s request to issue a temporary injunction against the Norwegian DPA’S earlier ban on behavioural advertisement under Article 6(1)(b) and (f) GDPR.
English Summary
Facts
On August 3 and 4 2023, Meta Platforms Ireland Limited (Meta Ireland) and Facebook Norway AS (Facebook Norway) requested a temporary injunction against the Norwegian DPA’s urgent decision from July 2023 (21/03530-16). This decision banned behavioural marketing on Facebook and Instagram under Article 6(1)(b) and (f) GDPR for three months, starting August 4th 2023. A temporary injunction would have prevented Meta from having to comply until further notice.
The district court in Oslo heard Meta's argument on the 22nd and 23rd of August. Meta argued that the DPA's decision was invalid because, under the GDPR, Facebook Norway could not be considered a data controller under Article 4(7) GDPR and Articles 66(1) and 61(8) GDPR were used incorrectly by the DPA to make urgent decisions.
Meta also raised arguments surrounding national law, such as, grounds of security under the Dispute Act, whether a main claim has been substantiated and whether prior notification had been given by the DPA under the Public Administration Act.
Holding
The Oslo District Court decided in the favour of the Norwegian DPA and rejected Meta’s arguments.
The Court concluded that the Norweigen DPA had a legal basis to direct the decision against Facebook Norway. The fact that Facebook Norway was not the controller was not disputed by the court. Facebook Norway does not determine the purpose or the means used to process, nor is Norway the place where most of the processing activities take place. The question was therefore, whether the prohibition against the processing of personal data in question for behavioral marketing can be directed against Facebook Norway, even though the company cannot influence the content of the services. The court relied on the case of C-645/19 Facebook Ireland Ltd. et al. to also conclude that that the processing was carried out in the context of the activities of a controller as defined by Article 3(1) GDPR. It used this same case to determine that the Norweigen DPA, despite not being the lead supervisory authority, could take action against an establishment on its own territory.
The Court concluded, 'with considerable doubt', that there were grounds for the use of Article 66(1) GDPR as the basis of the Norweigen DPA's decision. The question had been whether the threshold (extraordinary circumstances that required immediate action to protect the rights and freedoms of data subjects) under Article 66(1) GDPR had been met. The court pointed out the ambiguity of the threshold and stated that neither the regulation nor case law clarified how the provision should be appplied. Meta argued that processing of data for behavioral marketing without consent has been going on for years and therefore, could not be considered urgent. The court rebutted this, the fact that the breach of the rules is ongoing and not linked to a specific future event cannot, in the Court's view, be given decisive weight. This particulary applies in cases where the unlawful processing is extensive, invasive and concerns large groups. The court concluded that in 'situations where it is uncertain where the threshold for applying the exemption provision lies', the conditions in Article 66 (1) GDPR for taking urgent measures are met. Since the conditions for Article 66(1) GDPR were met, the court did not need to consider Article 61(8) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
OSLO DISTRICT COURT
VERDICT
Delivered: 06/09/2023
Case no.: 23-114365TVI-TOSL/08 and 23-114359TVI-TOSL/08
Judge: District Court Judge Henning Kristiansen
The case concerns: Petition for a temporary injunction against the Norwegian Data Protection Authority
decision
Case 23-114365TVI-TOSL/08
Meta Platforms Ireland Limited Lawyer Christian Reusch
Legal assistant: Attorney Nicholas
Barbantonis waterfall
against
The State v/Datatilsynet Attorney Hanne Jahren
Case 23-114359TVI-TOSL/08
Facebook Norway AS Lawyer Christian Reusch
Legal assistant: Attorney Nicholas
Barbantonis waterfall
against
The State v/Datatilsynet Attorney Hanne Jahren
No restrictions on access to public reproduction JUDGMENT
1 The proceedings
On 3 and 4 August 2023, Oslo District Court received petitions from Meta Platforms Ireland Limited
(Meta Ireland) and Facebook Norway AS (Facebook Norway) on temporary injunction
against the state v/Datatilsynet. In the petitions, demands were made that the Norwegian Data Protection Authority should
is prohibited from taking decisions on 14 July 2023 against Meta Ireland and Facebook Norway. The decision
applies to a ban on companies processing personal data for behaviour-based purposes
marketing based on GDPR art 6 (1) b) and f) in connection with the Facebook services
and Instagram, and has a duration of three months. A deadline for compliance with the decision was set
until 4 August 2023.
The plaintiffs requested that the court make a ruling without it having been previously carried out orally
negotiation. In particular, it was pointed out that the Norwegian Data Protection Authority had notified that it would consider imposing
the companies fined for failure to comply with the decision, and that it was not practical
possible to hold an oral hearing before the penalty began to run.
The court decided that the parties should be summoned to an oral hearing before taking a decision
the petitions, cf. the Disputes Act § 32-7 first paragraph. The parties were summoned by letter on 7 August 2023
oral hearing 22 and 23 August 2023.
The Norwegian Data Protection Authority decided on 7 August 2023 to impose a joint agreement between Meta Ireland and Facebook Norway
compulsory fine (as jointly and severally liable) for non-compliance with the decision on 14 July 2023.
The compulsory fine began to run from 14 August 2023 and amounts to one million kroner for each day
which goes without the ban being complied with.
In pleadings on 10 August 2023, Meta Ireland and Facebook Norway requested that the court again
assessed whether there was a basis for issuing a temporary injunction without prior oral notice
treatment.
In written comments to the petitions (response) on 11 August 2023, the state requested that
the negotiations were divided, so that the issue of security grounds was dealt with first.
The court notified the parties in a letter on 13 August 2023 that the decision to implement
oral hearing before the court ruled on the motions was upheld, and that it was not
it was decided to divide the negotiations.
A joint oral hearing was held for both cases in the Oslo courthouse on the 22nd and 23rd.
August 2023. The negotiations were conducted according to the main entry model.
- 2 - 23-114365TVI-TOSL/082 Background of the case
2.1 Briefly about the plaintiffs and the case complex
Meta Ireland is a company with its principal place of business in Dublin. The company is a party to agreements
which delivers the Facebook and Instagram services to users in Norway and the rest of Europe, and
is also responsible for processing the users' personal data with it
purpose of offering Facebook and Instagram.
Facebook Norway is a Norwegian limited company. The company is a subsidiary of Facebook Global
Holdings II LLC, which in turn is a subsidiary of Meta Platforms Inc. The company supplies
services related to sales support and marketing, including the resale of such services,
cf. the company's annual report for 2022.
The dispute in this case is part of an extensive complex of cases relating to the legality of
Meta Ireland's processing of personal data for behavioral marketing according to the EU
privacy regulation (Regulation (EU) 2016/679 - called General Data Protection
Regulation - GPPR) article 6 (1). The disputes are pending both before administrative bodies and
courts, and the parties in this case have not given any exhaustive explanation of which
administrative bodies and courts involved, which issues these cases
journeys and what is the status of the various processes. The court will in the following give a concentrated
and a more overview presentation of the background to the case, where to a limited extent
the overall case complex is explained.
2.2 More about the background of the case
The present dispute has its background in complaints by the privacy organization NOYB
sent to the Austrian Data Protection Authority in May 2018. The complaints concerned the processing of
personal data for behaviour-based marketing through the services Facebook and
Instagram.
The complaints were processed by the Irish data protection authority - Data Protection Commission (DPC) -
because it is a cross-border treatment and Meta Ireland has its own
main activity in Ireland, cf. GDPR art. 4 (23) cf. art. 56.
DPC processed the complaints in line with the cooperation mechanism that follows from GDPR art. 60, and
sent on 6 October 2021 (regarding the service Facebook) and 1 April 2022 (regarding the service
Instagram) issue draft decisions in the cases to the supervisory authorities concerned, including
The Norwegian Data Protection Authority. No agreement was reached between DPC and the various supervisory authorities
about all the questions raised by the complaints, and DPC therefore presented some of the questions
for the European Data Protection Board (EDPB), cf. GDPR art. 65.
- 3 - 23-114365TVI-TOSL/08EDPB made decisions in the cases concerning the relevant services – Facebook and
Instagram – 5 December 2022. Of the decision regarding the Facebook service point 1 no.
3 (Summary of the Dispute) it appears that the complaint concerned the question of whether there had been a breach of
further specified provisions in the GDPR and the EU's Charter of Fundamental Rights by Meta
Ireland built the processing of personal data on forced consent ("forced
consent”). In the decisions, it was assumed, among other things, that the processing of
personal data for behaviour-based marketing could not be authorized in GDPR art. 6 (1)
b), cf. binding decision 3/2022 regarding Facebook section 484 and 4/2022 regarding Instagram
section 451.
The DPC then made decisions on 31 December 2022 that Meta Ireland could not
base its processing of personal data for the purpose of behaviour-based marketing
GDPR art. 6 (1) b). Meta Ireland was further given a period of three months to remedy the situation
and at the same time imposed significant infringement fees/fines, see the decision regarding Facebook
sections 10.44 and 10.45 and the decision regarding Instagram sections 417 and 418.
In an email on 28 March 2023 to the Norwegian Data Protection Authority, Meta Ireland asked for a meeting to explain in more detail
for his view on certain questions that concerned the processing of personal data for
the purpose of behavioral marketing. The Norwegian Data Protection Authority answered the inquiry by e-mail on 14 April
2023 and indicated that the case was being considered by the DPC, as the leading supervisory authority. DPC
had come up with its final assessment/decision, and the Norwegian Data Protection Authority referred Meta
Ireland to dialogue with DPC regarding the implementation of this.
Meta Ireland explained in a letter on 3 April 2023 from its legal liaison to the DPC how
the company would fulfill the requirements, as stated by the DPC's decision on 31 December 2022.
The Norwegian Data Protection Authority addressed DPC in an email on 5 April 2023. In the email, the Norwegian Data Protection Authority asked, among other
other about the DPC's view on Meta Ireland's change of treatment basis to behaviour-based
marketing from GDPR art. 6 (1) b) to Art. 6 (1) f).
The DPC subsequently submitted Meta Ireland's reports on how the company planned to comply
the requirements that DPC had set for behaviour-based marketing, cf. the Norwegian Data Protection Authority's letter on 5 May
2023 first paragraph. The Norwegian Data Protection Authority requested DPC in the same letter to decide on a temporary
prohibition which meant that Meta Ireland could not base its processing on
personal data for the purpose of behavioral marketing according to GDPR art. 6 (1) f). Before
in the event that DPC would not follow up on the request, the Norwegian Data Protection Authority notified that it would assess
the possibilities of taking temporary measures in Norway pursuant to GDPR art. 66, cf. the letter
point 1. The letter was forwarded to Meta Ireland's legal liaison, cf. DPC's letter 25.
May 2023 and update to the supervisory authorities concerned on 31 May 2023.
- 4 - 23-114365TVI-TOSL/08 In a letter dated 31 May 2023, Meta Ireland commented via its legal liaison on the remarks
which DPC had received from some of the supervisory authorities concerned. It appears from the letter
the fact that Meta Ireland had particularly noted the content of the inquiry from the Norwegian Data Protection Authority.
DCP answered the Data Protection Authority's inquiry on 5 May 2023 about mutual assistance in a message sent
2 June 2023. From the notification form that was used, it appeared that DPC could not
comply with the request for a temporary ban ("No, I cannot comply with the
request»). On 9 June 2023, the Norwegian Data Protection Authority asked whether DCP could informally indicate whether
the supervisory authority could follow the Norwegian Data Protection Authority's request at a later date. Simultaneous
informed the Norwegian Data Protection Authority that it would await DPC's feedback, which had been announced towards the end
of June 2023.
On 9 June 2023, the Danish Data Protection Authority asked for a response from DPC on whether the Danish Data Protection Authority's request for a
temporary ban would be followed. The inquiry was not answered.
In an inquiry on 13 June 2023 to other affected supervisors, DPC announced that it would wait for the EU
the court's decision in case C-252/21 Facebook Inc. and Others v. Bundeskartellamt before
it decided whether Meta Ireland could base the processing of personal data in
connection with behaviour-based marketing on art. 6 (1) b) or f).
DPC commented in a letter on 21 June 2023 to Meta Ireland on certain issues related to
the proceedings in matters of emergency measures. Additional notes that applied to it further
the process of ensuring compliance was sent in a letter to DPC on 30 June 2023 from Meta
Ireland's Bar Association.
On 4 July 2023, the European Court of Justice ruled in case C-252/21 and concluded that the provision in
GDPR art. 6 (1) f) could not constitute a legal basis for the relevant processing of
personal data for behaviour-based marketing, see the decision sections 116 and 117.
The DPC then issued a new, preliminary assessment on 11 July 2023, in which supervisory bodies concerned
was invited to comment on the DPC's assessment that Meta Ireland did not process
the personal data in accordance with the GDPR regulations. Furthermore, DPC informed that it
would communicate the views of the supervisory bodies to Meta Ireland by 4 August 2023, and that
The DCP would finalize its assessments by 21 August 2023.
In the Norwegian Data Protection Authority's e-mail on 14 July 2023, DPC was informed that the Norwegian Data Protection Authority would on the same day
decide on temporary measures against Meta Ireland in Norway.
- 5 - 23-114365TVI-TOSL/08 In a decision on the same day, the Norwegian Data Protection Authority decided that Meta Ireland and Facebook Norway
could base the processing of personal data for behaviour-based marketing on
the provisions of GDPR art. 6 (1) b) or f). It appears from the decision that it applied
registered in Norway and that the order should have a duration of three months. At the same time, it was
informed that the ban would be lifted if Meta Ireland and Facebook Norway hit
measures that ensured that the processing was in line with GDPR art. 6 (1) and 21. It continued
announced that the Data Protection Authority would consider imposing Meta Ireland and Facebook Norway a
compulsory fine of up to one million kroner per day, collectively or individually, if Meta
Ireland and Facebook Norway did not comply with the ban.
On 20 July 2012, DPC sent a notice to the European Privacy Council and affected parties
supervisory authorities, where the DPC explained that it had not intended to reject
The Norwegian Data Protection Authority's request for mutual assistance, cf. the message of 2 June 2023. In the letter, it was
further explained the further plan for the proceedings.
Meta Ireland commented on the Norwegian Data Protection Authority's decision in a letter on 27 July 2023 from lawyer Thomas
Olsen. In the letter, Meta Ireland advised that the company was willing to change
the processing basis for behaviour-based marketing to consent (GDPR art. 6 (1) a)).
Furthermore, Meta Ireland requested that the Norwegian Data Protection Authority lift the ban and notified that the company
would dispute that there was a basis for making a decision with such content. Same day
Meta Ireland - through its legal liaison in Ireland - approached the DPC and informed
that the company was willing to take measures to establish consent as a basis for
the processing of personal data in connection with behaviour-based marketing, cf.
GDPR art. 6 (1) a). It was also stated that Meta Ireland would probably use at least three
months to implement this change.
On 31 July 2023, a video meeting was held between Meta Ireland and the Norwegian Data Protection Authority.
In a letter dated 1 August 2023 from the DPC to Meta Ireland's lawyers, it was communicated a
plan/timeline for the further proceedings.
The Danish Data Protection Authority asked in a letter on 3/4 August 2023 on confirmation that Meta Ireland and Facebook
Norway would comply with the decision of 14 July 2023 by the deadline of 4 August 2023, including if
the companies would introduce a temporary halt in the processing in question, and if so in
what extent. In a letter the same day from lawyer Thomas Olsen to the Norwegian Data Protection Authority did
Meta Ireland and Facebook Norway claimed that the companies had complied with the decision from
The Norwegian Data Protection Authority by confirming that Meta Ireland would in future base the processing on
personal data for behaviour-based marketing on consent. Furthermore, it was among
otherwise argued that the Norwegian Data Protection Authority's ban was unjustified, devastating for Meta
Ireland and contrary to the interests that the GDPR must protect.
- 6 - 23-114365TVI-TOSL/08Meta Ireland and Facebook Norway appealed in a letter on 1 August 2023 from lawyer Reusch
The Danish Data Protection Authority's decision on 14 July 2023. It was stated that the decision was invalid and it was demanded
reversal of the decision. At the same time, it was requested that implementation be postponed for that long
The Norwegian Data Protection Authority or the ministry processes the complaint. It was also announced that the companies would
file a petition for a temporary injunction if the decision was not overturned or postponed
implementation was not given no later than 3 August 2023
In a letter on 3 August 2023, the Norwegian Data Protection Authority rejected the complaint and refused to overturn the decision on 14 July
2023.
On 3 and 4 August 2023, Meta Ireland and Facebook Norway submitted requests for
temporary injunction to the Oslo District Court.
In a report on 18 August 2023, the DPC has made its final assessments in the supervisory cases
and a plan for the further handling of the cases.
3 The parties' submissions
3.1 Meta Platforms Ireland Limited and Facebook Norway AS have in brief
made applicable
The Norwegian Data Protection Authority's decision on 14 July 2023 is invalid.
The decision cannot be directed at Facebook Norway. Meta Ireland is not Facebook Norway's
parent company, and Facebook Norway supplies limited services to the Meta Ireland group.
Facebook Norway has nothing to do with the relevant data processing, is not
data controller according to GDPR art. 4 (7), and cannot comply with the decision. This follows
also by the EU Court's judgment in case C-645/19 and LB-2020-170405. Facebook Norway is
nor involved in the DPC process.
Neither the Personal Data Act nor the GDPR supports the view that Facebook Norway
must be able to be held responsible for the obligations of another EEA legal entity which
data controller. This is also based on legal practice. The provision in GDPR art.
60 (10) or preamble point 80 cf. art. 27 does not imply a different assessment. The concept
"establishment", which is used in GDPR art. 3 no. 2, art. 56 and art. 79, shall be interpreted narrowly, and
only includes entities that carry out relevant processing activities and have a real connection
to the relevant data processing.
- 7 - 23-114365TVI-TOSL/08Meta Ireland and Facebook Norway did not receive any advance notice and were not given the opportunity
to make a statement in advance, cf. the Public Administration Act § 16 first and second paragraph. That the parties were
familiar with the matter, is not sufficient. This particularly applies where it may be relevant to impose
the private party a sanction. Even if the party is aware that a decision can be made,
it may be necessary to give special notice that the administration is now actually considering this.
The decision is based on circumstances that had not previously been the subject of the proceedings
for DPC, including the question of the conditions in GDPR art. 66 was fulfilled, deadlines for
compliance, sanctions for non-compliance etc.
The Norwegian Data Protection Authority cannot assume that Meta Ireland shared information about the process with
Facebook Norway.
Regarding Meta Ireland's communications with the DPC, Meta Ireland and Facebook show
Norway that this is a separate inspection abroad. The correspondence with such body can
not constitute a separate notice or involve an invitation to make a statement.
The Norwegian Data Protection Authority's request for mutual assistance on 5 May 2023 does not constitute sufficient notice.
The inquiry mentions that the Norwegian Data Protection Authority is considering temporary measures, but does not explain
sufficient for what the case concerns and also does not contain information which means that
the plaintiffs could look after their interests. The inquiry lacks an explanation of the scope
of the acute situation, what alternative advertising models could be
practicable, time frames and sanctions for continued infringement.
The Norwegian Data Protection Authority's subsequent provocations in the injunction cases strengthen the impression of a
the decision is based on a flawed factual basis. In addition, DPC had instructed Meta
Ireland to wait to respond to the DPC's preliminary assessment had been published, which
first occurred on July 11, 2023.
For the above reasons, there is also a breach of Section 17 of the Public Administration Act, in that
the case was not as well informed as possible before a decision was made. The Norwegian Data Protection Authority carried out
no investigations to justify the decision, for example regarding haste, damage or
real possibility of compliance.
Both the breaches of the requirement for advance notification and proper investigation have had an impact
the decision, cf. section 41 of the Public Administration Act. Meta Ireland would inform the Norwegian Data Protection Authority about
significant aspects, including that the decision is unnecessary (lacks topicality). The Norwegian Data Protection Authority
further apparently has an incorrect understanding of how Meta Ireland's services work,
including the hide ad function, what behavioral marketing consists of, how
location data works and what users expect from the services.
- 8 - 23-114365TVI-TOSL/08 The conditions for emergency measures according to GDPR art. 61 (8) is not fulfilled. The main rule is that
national supervisory authorities are not competent to issue cross-border orders
cases, cf. art. 56. The competence here lies with the leading supervisory authority, cf. GDPR art. 60, which
establishes a cooperation mechanism. The purpose is to ensure equal application of the regulations and
predictability.
The Norwegian Data Protection Authority has not demonstrated that DPC has failed to respond to its request for
mutual assistance, cf. the inquiry on 5 May 2023. The Norwegian Data Protection Authority here requested that DPC share a
schedule, which was done on several occasions. The Norwegian Data Protection Authority has also accepted the answers
which DPC has given and has not indicated that DPC has neglected to respond to the enquiries.
DPC's assessment on 11 July 2023 constitutes an answer in any event. That the process takes a
couple of weeks longer than the time frame the provision sets out, does not justify that
the provision applies.
The present case is complicated and requires extensive case management. That the supervisors
must cooperate does not, however, require an unreserved acceptance of all demands. DPC had to
in any case have the opportunity to follow relevant administrative law requirements for the proceedings.
The decision further undermines the one-stop shop mechanism and counteracts Meta Ireland's ability to
comply with the processes for DPC. Furthermore, it is also not the case that Meta Ireland has for a long time
been aware that consent is the only legal basis for processing, cf. elderly
case law which supports that also art. 6 (1) b) could be applied.
The conditions for taking measures under the emergency procedure in Article 66 (1) have not been met.
The provision only applies in special cases and presupposes an urgent need
to take measures to protect the rights and freedoms of data subjects. The provision must be interpreted
restrictively, cf. the European Privacy Council's decision in case 01/2021 section 165-167.
The Norwegian Data Protection Authority has not pointed to urgent circumstances that justify the decision.
Behavior-based marketing is very widespread and has been going on for many years, including the whole
the period the GDPR has been in force. Meta Ireland has recently given users more
control over your own personal data, by giving the opportunity to object
treatment, which has reduced the need for emergency measures. In addition, the procedure will be expedited
disrupt the ongoing process for the DPC and in practice represent an impossible obligation.
The decision de facto means that Meta Ireland must temporarily stop Facebook and
Instagram services in Norway.
The plaintiffs also point out that the Norwegian Data Protection Authority had no objections to DPC's preliminary
assessment. The supervisory bodies agreed that the transition to art. 6 (1) f) which
basis of processing for behaviour-based marketing was not legitimate, cf. in particular
The Norwegian Data Protection Authority's email of 14 July 2023 to DPC. None of the other affected inspections have been successful
emergency measures.
- 9 - 23-114365TVI-TOSL/08 There was also no urgent need for the decision as a result of the decision in
The Bundeskartellamt case. The DPC relied on this decision in its assessment. Furthermore, it is
nor is it relevant that Norwegian administrative law enables faster processing according to GDPR art.
66 (1). Nor can it be that the DPC has complied with basic case management requirements
constitute a special or urgent circumstance which justifies exceptional emergency measures. IN
in addition, the Norwegian Data Protection Authority's process delays Meta Ireland's opportunities to find a solution.
The decision is disproportionate, cf. GDPR art. 83, 84 and preface points 4, 129 and 148, ECM
and the administrative law proportionality principle. The decision requires that Meta Ireland
with three weeks' notice and within fifteen working days shall make fundamental changes in
its services for Norwegian users. This is not possible, and it will therefore also have limited
effect of re-allocating resources to fulfill the decision, cf. also Section 51 of the Public Administration Act
(2). The Norwegian Data Protection Authority's proposed advertising model is also not expedient. In addition shows
Meta Ireland that the decision has already been fulfilled, in that Meta Ireland has already committed
himself to change the basis for the relevant data processing to GDPR art. 6 (1) a). The
a detailed compliance plan is available.
The decision is further contradictory and unclear. It is also contrary to other legislation,
including EMF Art. 6.
There are grounds for protection, both according to the alternative in the Disputes Act section 34-1 first paragraph letter
a) and b).
Meta Ireland's main claim will be significantly hampered if it is not granted temporarily
security, cf. Swedish Disputes Act section 34-1 first paragraph letter a). The claimants will in practice be disenfranchised
the possibility of legal review as a result of the decision having a time limit of three
months. It will take significantly longer to complete a lawsuit. Meta Ireland will
could potentially be compensated for accrued daily fines in such a lawsuit, but the lawsuit will
difficult to contribute to replacing the loss of reputation and turnover resulting from the decision. One like that
injunction will also not constitute any preemption of the main claim, cf. in particular LE-2008-
48261.
Temporary injunction is also necessary to avoid significant damage and inconvenience, cf.
Disputes Act section 34-1 first paragraph letter b). The decision will cause irreversible damage to
the services' reputation - both in Norway and internationally - and will also impose a
significant financial loss. It is difficult to estimate how big this loss will be. Meta
Ireland and Facebook Norway refer here to negative publicity in Norwegian and international media.
There are also a number of advertisers who have questioned the consequences of this
the case will get.
The fact that the state is searchable cannot be decisively emphasized.
- 10 - 23-114365TVI-TOSL/08 The threshold for ascertaining that there is a security reason should be significantly lower for
Facebook Norway. The company has limited turnover and the basis for imposing
the company's trading duties are very thin.
It is not possible to avoid the negative consequences of the decision without a temporary injunction.
The decision is onerous and it is not possible to comply with this during the period in which the decision is made
Power. The damaging effects will occur if an injunction is not granted. Attempt to go around
Administrative complaints and petitions for deferred implementation have not resulted.
Temporary injunction will not cause the state damage or inconvenience that is obvious
disproportionate to the plaintiffs' interest in an injunction being decided, cf. the Disputes Act § 34-1
second paragraph. It is unreasonable that the compulsory fine runs before the validity of the underlying
the decision is legally binding. Furthermore, there is no real rush in the matter. The treatment
of the case is already under consideration by the DPC and Meta Ireland has undertaken to change
the treatment basis for a consent model. The need for an injunction is due
The Norwegian Data Protection Authority's inadequate investigation and lack of advance notice. In addition, the main requirement
value significantly.
Meta Platforms Ireland Limited has submitted the following claim in case 23-114365TVI-TOSL/08:
1. The decision's order to refrain from processing "Personal data" by 4 August 2023
[…] for Behavioral Advertising based on Article 6 (1) b) and 6 (1) f) GDPR in the
context of the Services" shall not be in effect until there is a final judgment
on the validity of the decision.
2. Meta Platforms Ireland Limited must take legal action within two weeks of the court's decision
verdict.
3. Meta Platforms Ireland Limited is awarded costs.
Facebook Norway AS has submitted the following claim in case 23-114359TVI-TOSL/08:
1. The decision's order to refrain by 4 August 2023 from processing "Personal data for
Behavioral Advertising based on Article 6 (1) b) and 6 (1) f) GDPR in the context
of the Services" shall not be in effect until there is a legally binding judgment on
the validity of the decision.
2. Facebook Norway AS must take legal action within two weeks of the court's ruling.
3. Facebook Norway AS is awarded legal costs.
- 11 - 23-114365TVI-TOSL/083.2 The State v/Datatilsynet has briefly applied
The Norwegian Data Protection Authority's decision on 14 July 2023 is valid.
The decision can also be directed at Facebook Norway, as an "establishment" of Meta Ireland.
Facebook Norway carries out effective and actual activity in Norway, in the form of
marketing services on Facebook and Instagram. The company has a fixed structure and a
physical office on Norwegian territory. This is sufficient to be considered an establishment
according to the practice of the European Court of Justice.
Neither the provision in GDPR art. 61 (8) or art. 66 (1) regulates who shall be
addressee of the decision. The consideration of ensuring effective compliance means that the decision can also
is directed at companies in the same group. Whether the establishment can control the person in question
the processing cannot be decisive, cf. GDPR art. 4 (16), art. 27 and preamble point 80.
The assessment topic is whether the decision applies to the processing of personal data carried out in
connection with the establishment's activities, cf. the EU Court's judgment in case C-645/19
Fcaebook Ireland sections 85 and 96. The Norwegian Data Protection Authority's decision applies to the processing of
personal data carried out in connection with Facebook Norway's activities i
Norway.
The plaintiffs have not proven procedural errors that may have had an impact
the decision's content.
Meta Ireland and Facebook Norway have already commented on the matter, cf. Meta Ireland's letter of 21.
June 2023, which contains a thorough account of Meta Ireland's view on the terms of
emergency measures. Measures on Norwegian territory were notified there. It must be assumed that
the statement was also issued on behalf of Meta Ireland's operations in Norway. The Norwegian Data Protection Authority took
all these inputs into consideration when the decision was made.
In the alternative, it is stated that Meta Ireland and Facebook Norway have been given the opportunity to comment
before the decision was made. The Norwegian Data Protection Authority notified possible emergency measures in the request for
mutual assistance 5 May 2023. It was clear from the notice what kind of decision it was
applicable to meet. The notice was shared with Meta Ireland by the DPC in line with the procedures set out below
GDPR, cf. that the leading supervisory authority must be the sole point of contact, cf. GDPR
species. 56 (6). It is also likely that the information was shared with Meta Ireland's operations
in Norway. In any case, it is Meta Ireland's duty to ensure that emergency measures are carried out by
their establishment on Norwegian territory, cf. GDPR art. 66 (19) and art. 60 (10). The state shows
further to the fact that employees of Facebook Norway have been in contact with the Norwegian Data Protection Authority regarding
The EDPB decision.
- 12 - 23-114365TVI-TOSL/08 Again, in the alternative, it is stated that Meta Ireland and Facebook Norway have otherwise received
knowledge that a decision is to be taken and has had reasonable cause and time to express himself,
so that notification must be considered unnecessary, cf. the Public Administration Act § 16 third paragraph c. Meta Ireland
stated in the letters from June 2023 much of the same that the Norwegian Data Protection Authority took into account then
the decision was made. In any case, the arguments were brought forward in the revision petition and in
ahead of the compulsory fine decision, without them leading.
The conditions for urgent measures in GDPR article 61 (8) have been met. The Norwegian Data Protection Authority presented
request for mutual assistance to DPC on 5 May 2023, where, among other things, it was requested
that the DPC shared a timetable for how it would ensure that Meta Ireland quickly followed through
the requirements according to the GDPR. The deadline for responding to the inquiry was 5 June 2023, but the DPC postponed it
letter 30 May 2023 up to reply on 30 June 2023. In response to the Norwegian Data Protection Authority on 2 June 2023 announced
DPC that it would not comply with the request ("No, I cannot comply with the request").
The Norwegian Data Protection Authority did not hear anything more by the deadline of 5 June 2023, nor did it receive any reply
the inquiry on 9 June 2023. The DPC stated on 13 June 2023 that it would await the decision in
The Bundeskartellamt case. Nor was information from DPC given in the letter of 11 July 2023
about any measures to ensure compliance.
Subsidiarily, it is stated that the conditions for taking measures according to GDPR Article 66 (1) have been met.
There is a "special case" in this case. In DPC's decisions from December 2022,
Meta Ireland given a three-month deadline to ensure compliance. As of July 2023, the requirements were not
fulfilled. Meta Ireland also did not impose a temporary ban afterwards
The Bundeskartellamt decision. At the same time, Meta Ireland trains the process. It exists
serious breaches of the regulations with extensive illegal use of large amounts of data, and that
there is an urgent need for measures to be taken.
The Norwegian Data Protection Authority's decision is not disproportionate, neither according to EEA law nor Norwegian internal law
administrative law.
It is not disproportionate to order the cessation of illegal activities. of the plaintiffs
interests are primarily of an economic nature. These interests must be reconciled
with regard to Norwegian users' privacy and rights according to the GDPR and the extent of
the illegal use of data.
The claim that it is not possible to comply with the decision has not been substantiated. It is
No evidence was provided to support the claim. Meta Ireland already has one today
protest solution that can be used, and has also taken other measures in recent times, including
other related to children. It has not been documented that the company will need three months to
make necessary changes. Nor has Meta Ireland demonstrated that the company has taken action
remedial measures, by initiating new processes, after they became familiar with the requirements.
The plaintiffs' statement is based solely on a party submission without probative value.
- 13 - 23-114365TVI-TOSL/08 The State further points out that over one month passed from the decision being made to the compulsory fine
started running. The plaintiffs have also had many years to ensure compliance with the regulations,
without taking measures or preparations. Among other things, it is indicated that it is now almost eight
months from the DPC decisions came without the necessary changes being made. Themselves
the processing has been illegal at least since 2018, cf. the DPC decisions on 31 December
2022.
The Norwegian Data Protection Authority's decision is not too vague. It is the claimants' responsibility to ensure compliance
GDPR. Meta Ireland has not complied with the decision.
The Danish Data Protection Authority's decision is also not invalid on other grounds, including a breach of the EMF Art.
6, breach of the principle of illegal cooperation or insufficient justification.
There are no grounds for protection, neither according to the provision in the Disputes Act §34-1 first
paragraph letter a or b.
Implementation of the compulsory fine decision cannot be averted by a temporary injunction.
In any case, the plaintiffs can have the decision tried in the event of compulsory recovery of the fine.
Any claims can also be brought forward through a compensation claim against the state.
It has not been established that the plaintiffs will suffer significant damage in the form of loss of reputation
or that they will suffer a financial burden as a result of the decision. It has previously been established,
both by the Irish supervisory authority, by the European supervisory authority and other supervisory authorities
in Europe, that the processing of personal data for behavioral marketing is
illegal. No further loss of reputation is likely as a result of that
a ban on the illegal processing is laid down. The case received a lot of negative publicity, even before
The Norwegian Data Protection Authority's decision. In this, it is Meta Ireland that has mostly been mentioned.
Any loss of reputation is not irreversible in any case. If the plaintiffs subsequently get
determined that the Norwegian Data Protection Authority's decision was invalid, any loss of reputation can be corrected. The
the stated loss of reputation is in any case inextricably linked to the plaintiff's financial interests.
In any case, it would be disproportionate to decide on an injunction with that content
the plaintiffs request.
If a temporary injunction is decided in this case, it will be done by the Norwegian Data Protection Authority
decision without content.
The Norwegian State v/Datatilsynet has submitted the following claim in both cases:
1. The request for a temporary injunction is not accepted.
2. The State v/Datatilsynet is awarded legal costs.
- 14 - 23-114365TVI-TOSL/084 Court's comments
According to § 34-1 of the Disputes Act, cf. § 34-2, the plaintiff must - in order to succeed in a petition for
temporary injunction - as a starting point, establish the main claim and grounds for protection.
The insurance reason must always be proven; from this there are no exceptions, see Schei
etc., notes to the Disputes Act § 34-2 on Juridika, updated as of 1 March 2023, point 1.
The main claim is that the Norwegian Data Protection Authority's decision on 14 July 2023 is invalid. It is not stated that
the decision/decision on 7 August 2023 to impose Meta Ireland and Facebook Norway
compulsory fine is invalid on an independent basis. The decision on a compulsory fine is, however, based on
Meta Ireland's and Facebook Norway's failure to comply with the decision on 14 July 2023.
If the decision on 14 July 2023 is invalid, in the court's view, there will be no basis either
to collect the compulsory fines, and there is therefore no reason to make separate assessments of
whether the two resolutions are invalid.
The court will first deal with the question of whether there is a probable cause for protection. The plaintiffs
has stated that securing the claim can both be based on the alternative in the Disputes Act § 34-1 first
subsection letter a) and letter b).
4.1 The question of whether there are grounds for protection
The plaintiffs have, among other things, with reference to the preparatory work (Ot.prp. no. 65 (1990-91) p.
292), asserted that the provision in letter a) can be invoked as a security reason also in
cases where the stated main claim is that an administrative decision is invalid.
In the case of petitions for temporary injunctions that are directed against invalid administrative decisions
is the normal alternative in the Disputes Act section 34-1 first paragraph letter b) which is invoked, cf.
Flock, Midlertidig sikring, p. 143 and Schei et al., notes to the Disputes Act section 34-1 point 4.
It is nevertheless not considered excluded that the provision in letter a) can also be used as
defense against invalid administrative decisions, cf. the minority's comments in Rt-1996-342,
the preparations for the provision and Flock p. 97. However, the court is not aware that it
there is recent case law where the alternative in letter a) is used as a basis for
injunction which is directed against an invalid administrative decision. As laid down by Flock p.
97, the court considers that it will normally be the alternative in letter b) that will constitute the legal one
the basis for establishing security grounds where the petition is directed against an invalid
administrative decision.
The court therefore first looks at the question of whether there is probable cause for protection
the alternative in the Disputes Act section 34-1 first paragraph letter b).
- 15 - 23-114365TVI-TOSL/08 In the court's view, the assessment of whether there are grounds for protection will be the same for Meta
Ireland and Facebook Norway. There are no relevant individual differences
between these companies which indicates that the assessment may turn out differently. In this lies that
the court does not consider that there is reason to attach decisive importance to the fact that Facebook Norway is
financially weaker than Meta Ireland or that the company has a more distant connection to itself
the processing activity.
4.1.1 The question of whether there is a ground for security pursuant to Section 34-1 subsection 1 of the Disputes Act
letter b)
The alternative in the Disputes Act section 34-1 first paragraph letter b) states as a condition that it is
necessary for a temporary arrangement in a disputed legal relationship to avert a significant one
damage or inconvenience. The provision allows for a complex assessment of how important it is
Disputed legal relations are for the plaintiff, however great the plaintiff's need for temporary
injunction, how intrusive a temporary injunction will be, the defendant's behavior etc., cf.
Rt-2002-108. Where the injunction is directed against an administrative decision, the force will i
the damage/disadvantage the plaintiff is exposed to in the decision is central, see Flock p. 143.
The plaintiffs initially argued in the present cases that it existed
hedging ground according to the alternative in letter b) because it was appropriate to impose Meta Ireland and
Facebook Norway enforces fines of significant amounts. It was shown that it is highly unreasonable
that the compulsory fines should begin to run before the validity of the underlying decision was
legally decided.
The starting point according to Norwegian procedural legislation is that a temporary injunction cannot be granted
used to defend against a monetary claim or to prevent recovery measures taken by
the bailiff authorities or a court, cf. Rt-1993-1595, LB-2022-161199 cf. HR-2023-348-
U (appeal denied), Schei et al., notes to the Disputes Act § 32-1 point 3 and Flock p.
43 and pp. 45-46. In these cases, the claimant is directed to use the means which
procedural legislation combined with Norway's obligations under international law and
agreements with foreign states give access to. In the Borgarting Court of Appeal ruling i
case LB-2022-161199, this is explained as follows:
The rationale for the Court of Appeal's view is, firstly, that temporary injunction after
§ 32-1 third paragraph of the Swedish Disputes Act can only be claimed by the person who has a claim based on
other than the payment of money. A claim that involves the payment of money cannot
justify temporary injunction. The same must apply when the claim actually expires
that there is no basis for an alleged monetary claim, cf. Rt-1993-1595 and LE-1996-551.
Although A's claim formally concerns the validity of an administrative decision, the claim in
the reality that there is no basis for the contribution claim against him. The administrative decision
purpose and content is to provide a legal basis for collecting the contribution. Court of Appeal
- 16 - 23-114365TVI-TOSL/08 has, on this basis, come to the conclusion that there is no reason to demand temporary
injunction, cf. the Disputes Act § 32-1 third paragraph, and that the petition must be dismissed.
The background for there being narrow frameworks for using temporary injunctions as a defence
against a monetary claim, is that the defendant/debtor has a wide right to raise objections
during execution, cf. Rt-1993-1595. In the appeals committee's ruling, there is particular reference to
that according to the Enforcement Act § 4-2 third paragraph there is a wide right to present
objections to a special basis for coercion (such as an administrative decision) and that
Section 6-6 of the Enforcement Act allows for disputes relating to objections made under
the execution can be transferred to processing by general process. During the execution it will
among other things, also be an occasion to assert that it is impossible to fulfill
the duty to act, as the plaintiffs have done in this case, cf. Enforcement Act § 13-14
third paragraph cf. section 13-8 fourth paragraph.
The purpose of a compulsory fine is that it should be a "pecuniary penalty for a defaulter
fulfillment, designed with the particular aim of achieving the strongest possible psychological effect", cf.
Andenæs et al., General criminal law, 6th edition, p. 10 (section 36). As for the requirement
against Meta Ireland, however, it is difficult to see that the fine in itself will have such an effect.
The parties agree that the fine cannot be enforced in Ireland (or any country other than Norway),
and Meta Ireland, according to the information, does not have values or turnover in Norway that can be taken
attachment in. It is, after this, difficult to see that the compulsory fines which are aimed at Meta Ireland
constitutes some real fulfillment pressure.
The plaintiffs have – probably for the reasons mentioned above – clarified that the allegation that it
there are grounds for safeguarding because Meta Ireland and Facebook Norway have been imposed fines, not
is maintained.
If there is to be grounds for insurance, this must therefore be based on circumstances other than
that the plaintiffs have been imposed compulsory fines.
In the petitions for a temporary injunction it was, as a basis for its existence
security reason, stated that Meta Ireland and Facebook Norway would be forced to have to
consider limiting its services in Norway to reduce the enforcement risk while the decision
is in force, which would in turn cause reputational damage and financial loss to the companies. It was
also indicated that the users will suffer irreversible damage if the services are restricted, cf.
the petition from Meta Ireland point 3.2.2.
- 17 - 23-114365TVI-TOSL/08Meta Ireland and Facebook Norway have so far not complied with the Norwegian Data Protection Authority's decision and
the compulsory fines have started to run. The companies have also not notified that they intend to
comply with the decisions at an earlier point in time than what is based on the dialogue between
Meta Ireland and DPC, cf., among others, Position Paper of DPC 18 August 2023, where 24
November 2023 has been set as the final deadline for compliance. Meta Ireland and Facebook Norway
has now also asserted that it is impossible to comply with the Norwegian Data Protection Authority's decision, while that
originally it seems to have been assumed that this would be possible, cf.
the argumentation in the petitions related to this and lawyer Reusch's disposition for
the main post point 5.4.2.
In the court's view, the plaintiffs for this reason have also not demonstrated that they will suffer a loss
loss of reputation or financial loss as a result of the companies restricting the services in line
with the Norwegian Data Protection Authority's decision. The reason for this is that there is no evidence that the companies
will decide any such limitation of the services. If the companies do not adjust accordingly
decision, the consequence will be that compulsory fines are incurred, but objections to these
the fines can therefore be presented at the enforcement stage, and some coercive basis for enforcement
as mentioned, the fines against Meta Ireland outside Norway do not exist.
In the court's view, it cannot be ignored that it will also have positive effects
reputational and financial effects, if Meta Ireland and Facebook Norway
AS chooses to align itself with the Norwegian Data Protection Authority's decision. In this way, the companies will be able to
show that they meet regulatory requirements and are prepared to take quick measures to improve
users' privacy. Neither the plaintiffs nor the state have argued that this can be
a possible effect of fulfilling the decision. As it is not likely that Meta Ireland and
Facebook will adapt to the decision, there is no reason to go into this in more detail.
The question is whether the companies will suffer a loss of reputation or financial loss as a result
of the Norwegian Data Protection Authority's assessment that they are acting in breach of the GDPR. Meta Ireland and Facebook
In this connection, Norway has shown, among other things, that the Norwegian Data Protection Authority's treatment of the case has
received broad, negative media attention, and that the companies will be able to lose market shares.
The companies have also presented anonymised inquiries from advertisers who submit
questions about what consequences the Norwegian Data Protection Authority's decision has, how it will affect
the advertiser, what he can answer to his customers, etc. The point of view is here – as the court understands it
that - that the plaintiffs will suffer loss of reputation and other financial loss by not complying
according to the Norwegian Data Protection Authority's decision.
In the court's view, Meta Ireland and Facebook Norway have not proved that the companies
to a significant extent will suffer financial loss or loss of reputation by not complying with the Norwegian Data Protection Authority
decision.
- 18 - 23-114365TVI-TOSL/08 In this assessment, the court first emphasizes that it is highly unclear whether it is
Meta Ireland and/or Facebook Norway who will be exposed to any financial loss
as a result of the Norwegian Data Protection Authority's decision, or if there are other companies in the same group. It is
not informed whether the income from advertising sales in the Meta Ireland/Facebook group goes to
some of these companies. The starting point is that the damage/disadvantage that justifies
the security ground must affect the claimant, cf. Flock p. 105.
However, it cannot be ignored that damage/disadvantage that affects other companies in
the group/group can justify that there are grounds for protection in relation to the claimants.
The negative publicity that has been shown will probably affect Meta Ireland and
Facebook Norway, because these are part of the same group/group. Despite this, it must
in the court's view, emphasis is placed on the fact that no information has been presented about or attempted
substantiated that the negative review etc. will have direct financial consequences for them
the two companies' operations.
Secondly, the court shows that the Norwegian Data Protection Authority's decision will not be binding on Meta
Ireland and Facebook Norway if it is invalid; the companies do not have to respect
the decision, see Eckhoff/Smith, Vervaltningsrett, 12th edition, 2022, p. 500. It is not
evidence that the companies will expose themselves to penalties or other sanctions by not
comply with the decision, in addition to the fact that compulsory fines will be incurred.
Thirdly, the court emphasizes that any reputational and financial loss will
be time-limited, cf. LB-2019-119376. The court here points out that the Norwegian Data Protection Authority's decision has a
time limit of three months, and that Meta Ireland has confirmed that the company intends
to fulfill the decision from the end of November 2023, cf. DPC's timetable. The court does not consider it so
made it likely that Meta Ireland and Facebook Norway will be permanently and irreversibly affected
financial or non-financial loss in this short period. Loss of turnover as necessary
occur during the period the decision is in force, can be compensated through compensation, cf. LB-2018-
4746.
Fourthly, the court emphasizes that Meta Ireland – by confirming that the company will
fulfill the Norwegian Data Protection Authority's decision within a few months and by cooperating with DPC - have
signaled willingness to comply with regulatory requirements. Under these circumstances, it is
hard to see that it will represent any great reputational or commercial
burden to communicate that the companies will need a few months to implement
necessary changes in their systems.
Fifthly, the court shows that it is only the Norwegian Data Protection Authority that has taken emergency decisions, and that
other European supervisors relate to the process led by the DPC. It is in this one
in connection with, among other things, presented a statement from the Danish Data Protection Authority to the Danish media,
where it appears that the supervisory authority – like other European supervisory authorities – is awaiting the outcome of it
Irish process. Although the Norwegian Data Protection Authority's decision in this case receives media coverage also in
- 19 - 23-114365TVI-TOSL/08abroad, the court cannot see that there is evidence that this will have negative
reputational or commercial consequences outside Norway. This applies in particular
as Meta Ireland has confirmed that the company will meet the requirements set by the DPC
within relevant deadlines.
Sixth, there is uncertainty about negative reputational consequences for Meta
Ireland and Facebook Norway are due to the Norwegian Data Protection Authority's decision or that the companies continue to
process personal data for behaviour-based marketing without consent, and in violation
with the requirements that European supervisors and courts have derived from the GDPR.
Seventh, questions may be raised about any negative reputational effects
consequences cannot be reversed by a final judgment which states that the Norwegian Data Protection Authority
decision was invalid, possibly that this will be the conclusion after Meta Ireland and Facebook
Norway submits objections during the execution of the compulsory fines, cf. in particular LB-2018-
4746, where this point is highlighted.
Even if it is assumed that Meta Ireland and Facebook will suffer damage or inconvenience that
the decision is not set aside, the court in any case does not consider that the threshold for this constitutes
hedging grounds have been reached, cf. the wording "substantial".
The question of what weight should be placed on the fact that a business must make adjustments in
the turnover of goods and services as a result of changed framework conditions was for consideration in
Borgarting Court of Appeal case LB-2018-4746. The Norwegian authorities had adopted new rules
on the standard packaging of snus, which the plaintiff – Swedish Match AB – stated was in violation
with EEA law. The new rules entailed costs for restructuring the production in order to
meet requirements for packaging etc. which was estimated at around NOK 40 million. IN
in addition, the new requirements entailed detailed and extensive requirements for the packaging, including
color and degree of gloss, surfaces etc., cf. Tobacco Damage Act § 30 and regulations on content in and
labeling of tobacco products etc.
In the decision, the Court of Appeal pointed out that costs for production adjustment do not amount to
substantial damage or inconvenience necessitating an injunction, because the consequences of
the order – if this turned out to be illegal – could be demanded to be replaced by the state.
The Court of Appeal pointed out that the case concerned a purely financial loss which could
is compensated through a compensation lawsuit, and that the state was in any case eligible, cf. also LB-
2019-119376 and LB-2023-87007.
- 20 - 23-114365TVI-TOSL/08 That it can be demanding to quantify and document the loss, according to the Court of Appeal
see no decisive argument that there was a reason for protection, because in one
compensation case is sufficient to make a loss probable. The Court of Appeal pointed out that in
this assessment often lies an essential element of discretion. The court also indicated that
the plaintiff had limited himself to suggesting that the injunction would over time affect sales, and that
the effect of the measure thus appeared remote and uncertain.
The decision in LB-2018-4746 shows, in the court's view, that the scope of
the injunction institute, in cases that exclusively concern financial interests and there
the state is the counterparty, is narrow. This applies in particular where the measure sought to be averted by
the injunction does not threaten the plaintiff's existence or cause irreparable damage. Whether
whoever is affected by the legislation/decision has good opportunities to succeed in any eventuality
later lawsuits, is not given decisive weight, cf. the Court of Appeal's reference to that
It was not necessary to consider this. That in LB-2018-4746 it was about implementation
of a law/regulation, and not a decision, does not imply that the assessment will be different in the present
case.
In the court's view, it is not likely that the business, either in Meta Ireland or
Facebook Norway will be threatened by any losses related to the Norwegian Data Protection Authority
decision. It is uncertain whether any loss will occur at all, cf. the court's comments above.
In all circumstances, a party who has suffered a financial loss because a decision
is not treated in the correct way, normally have a legal claim to have this loss covered
competent administrative body according to general tort law rules, without it being
necessary to prove guilt, cf. Bernt, comments to the Administrative Law § 41 on Court Data, note
1042.
A further condition according to the provision in the Disputes Act section 34-1 first paragraph letter b) is that
the injunction is necessary to "avoid" significant damage or inconvenience, cf. Rt-1999-
1220. The injunction requirement here means that the Norwegian Data Protection Authority's order by 4 August 2023 to
refrain from processing personal data for behaviour-based marketing should not have
effect before there is a final judgment on the decision's validity. The question is what it will
say that the decision shall not be "in effect", cf. the injunction requirement as this appears from
the claim. As mentioned, the imposition of the compulsory fines cannot constitute a basis for
establish that there is a basis for insurance. Some others direct and noticeable
The decision has no consequences for the claimants, beyond what the Data Protection Authority announces
assessment of the legality of Meta Ireland's and Facebook Norway's processing of
personal data for behaviour-based marketing. The courts cannot intervene and
order the Norwegian Data Protection Authority to make a decision with a different content, but can - in a preliminary ruling
assessment - finding that the Norwegian Data Protection Authority's decision is invalid. The question is about such a one
preliminary assessment by a trial court in an order that will not necessarily
become legally binding during the period the decision is in force, is at all suitable to "avoid" it
damage or disadvantage that the Norwegian Data Protection Authority's decision will cause to the claimants. In the court's view is
- 21 - 23-114365TVI-TOSL/08 this is unlikely, and this also indicates that the condition of security grounds according to Section 34-1 of the Disputes Act
first paragraph letter b) is not fulfilled.
On this basis, the court concludes that there is no probable cause for protection
according to the Disputes Act section 34-1 first paragraph b).
4.1.2 The question of whether there is a ground for protection according to Section 34-1 subsection 1 of the Disputes Act
letter a)
Meta Ireland and Facebook Norway have further stated that there are grounds for safeguarding
the alternative in the Disputes Act section 34-1 first paragraph letter a).
According to this provision, there are grounds for protection "when the defendant's conduct makes it so
necessary with a temporary securing of the claim because the prosecution or implementation
of the claim otherwise will be made significantly more difficult".
The security reason in letter a) cannot involve anticipated fulfillment of the main requirement.
The main claim in this case is that the Norwegian Data Protection Authority's decision is invalid. The injunction requirement
for its part assumes that the decision shall not have effect until there is a legally binding one
decision in the case.
The plaintiffs have argued that success in the injunction claim will amount to nothing
anticipated fulfillment of the main requirement. In this connection, it is stated that the main requirement
is not a "prior enforcement of the invalidity issue", but a temporary ban on
to implement the Norwegian Data Protection Authority's decision.
When one ignores the compulsory fines, there is nothing left to implement. What the plaintiffs are asking
if, is that the court must confirm that the decision has no legal effects. This is in the court's opinion
almost the same as the court finding that the decision is invalid, because it
administrative law's starting point is that an invalid ban or order does not get
legal effects in accordance with the content, cf. Eckhoff/Smith p. 498 and Hans Petter Graver,
General administrative law, 5th edition, p. 571. If it concerns a burdensome
decision, such as an injunction, the decision will as a general rule be considered null and void, cf.
Eckhoff/Smith p. 499.
As the court sees it, the injunction requirement herewith represents a anticipated fulfillment of
the main requirement. For this reason alone, the plaintiffs cannot succeed in their allegation
that there are grounds for protection according to the Disputes Act section 34-1 first paragraph letter a).
- 22 - 23-114365TVI-TOSL/08 The need for an injunction under the alternative in letter a) must be due to "the defendant's conduct" and the
must be "necessary" to intervene against this behaviour. In the preparatory work, it is shown that
"usually there must be a certain outward course of action or behavior which gives reason to fear
because there will be a violation of a right if intervention is not taken", cf. Ot.prp. no.
65 (1990-91) p. 262. The question here is which of the plaintiffs' rights will eventually become
violated by the Norwegian Data Protection Authority's decision and which justifies the need to intervene.
As regards the possibility of - by injunction - preventing compulsory fines from being incurred, shows
the right to the comments above related to the alternative in the Disputes Act section 34-1 first paragraph letter
b). The same points of view apply to the assessment according to the letter option
a). Some other direct implementation measures are not relevant. The question therefore becomes about that
represents an infringement of Meta Ireland's and Facebook Norway's rights that
The Danish Data Protection Authority has made a decision which is possibly invalid and which it is necessary to act on
against, in order for the plaintiffs to receive the protection to which the legislation entitles them.
The court refers here to the assessment under option b) relating to which scope of action
the plaintiffs have and what negative consequences the Norwegian Data Protection Authority's decision will have for Meta
Ireland and Facebook Norway. The points that are pointed out there suggest that neither
it is necessary for the court to lay down precautionary measures which enable the claimants to exercise unhindered
their rights, cf. Flock p. 97.
According to the wording, it is further a condition that the pursuit or implementation of the claim will
be made difficult if an injunction is not decided, cf. the word "otherwise". Questions can be asked
by whether this condition is met if the main requirement is to get to know a
administrative decision invalid. The person who is subject to an (invalid) decision in the form of an injunction
or prohibition, may, as mentioned, choose not to comply with it. The person will like
rule not lose the opportunity to have the decision set aside (as invalid) even if it is not
temporary injunction is decided, but will still be able to pursue this claim even without it
an injunction. Neither the prosecution nor the implementation of the requirement that the decision
deemed invalid is made difficult if an injunction is not granted.
The question is whether this is different in this case because the decision in question has
a time limit of three months. The plaintiffs have argued that because of
the decision's time limit in practice will be deprived of the possibility of judicial review because it will take
significantly longer time to complete an ordinary lawsuit. It is shown that the plaintiffs
will potentially be able to get compensated daily fines in such a lawsuit, but that it will be
difficult to replace loss of reputation or financial loss as a result of the decision. The court
understand the statements so that the focus is on the consequences of the invalid decision - not on
the possibility of having the invalid decision set aside through an ordinary lawsuit.
- 23 - 23-114365TVI-TOSL/08 The court assumes that the question of the decision's validity can both be drawn into a
lawsuits concerning compensation for unjustified compulsory fines and compensation for other matters
economic loss. The plaintiffs will have a current interest in invoking the invalidity grounds in
such a lawsuit, regardless of the time limitation of the decision, cf. the Disputes Act §
32-2 cf. § 1-3 second paragraph and LB-2011-90334. If, on the other hand, the invalid decision does not
has had some consequences for the plaintiffs, for example in terms of reputation or
financial loss, it is difficult to see that it is "necessary" to have someone temporarily
securing the claim, cf. the court's assessment of grounds for securing under the alternative in the Disputes Act section 34-
1 first paragraph letter b) above.
The court has subsequently come to the conclusion that there is no probable cause for security, either after
the provision in the Disputes Act section 34-1 first paragraph letter a) or b). It is not after this
necessary for the court to decide whether the injunction requested will be disproportionate
from a balancing of interests, cf. the Disputes Act 34-1 second paragraph.
Requests for a temporary injunction will not be accepted after this.
4.2 The question of whether a main claim has been established
Main requirements and security grounds are basically independent conditions for it to be decided
injunction. In principle, there is nothing in the way of the court taking a decision on one of
the terms in isolation, see illustration, cf. LB-2018-4746 and LB-2019-119376. When it comes to
the question of whether there are grounds for protection, in some cases there may still be one
connection between the assessment of this condition and whether it has been made probable
main requirement, cf. Flock p. 107 and the examples highlighted there.
In the court's view, in this case we are not faced with a case where there is reason to stop
more relaxed requirements for the security reason because the Norwegian Data Protection Authority's decision is subject to a or
several clear grounds for invalidity. Which the court will immediately get into in more detail, travel
the question of whether there is a main claim a number of complicated legal questions, cf. LB-
2019-119376, where it was about contract interpretation based on a complex and extensive
fact. At the same time, there are no weighty elements that indicate that there is
security ground; in the court's view, the present case does not constitute a borderline case. The court
refers here to the assessment under point 4.1 above.
For these reasons, in the court's view, it is also not necessary to go into more detail about whether
it is probable that it is a main requirement for the court to be able to take a decision in a sound manner
the question of security grounds.
- 24 - 23-114365TVI-TOSL/08 The court will nevertheless briefly and more overview comment on the most central statements which
the plaintiffs have asserted in relation to the main claim. The assessments must be seen in the light of that
the court has come to the conclusion that the petitions cannot proceed because it is not available
insurance reason. The attention given to the main requirement must also be seen in context
with the fact that this is an injunction case where the parties need a quick clarification.
4.2.1 The question about the decision can be addressed to Facebook Norway AS
Meta Ireland and Facebook Norway have asserted that the ban on processing
personal data for behaviour-based marketing based on GDPR art. 6 (1)
letter b) or f) cannot be directed at Facebook Norway because the company is not
data controller according to GDPR art. 4 No. 7.
In the decision on 14 July 2023, the decision to direct the order is also against Facebook Norway
justified by the fact that this company is an establishment of a data controller, cf. decision p. 4:
Facebook Norway AS, whose stated purpose is related to sales of digital advertising,
is also addressed as a recipient of this order as it is a Norwegian establishment of the
controller.
The Norwegian Data Protection Authority has further indicated that the decision to direct the decision also against Facebook
Norway is because this is necessary to ensure compliance with the decision. It is also
pointed out that Facebook Norway facilitates and enables the illegal
treatment activity in Norway.
It is not in dispute that Facebook Norway is not responsible for processing, and is not
determines the purpose of the processing or which means are used, cf. also LB-2020-
170405. It is also not in dispute that the company is not a subsidiary of Meta Ireland.
The company's business is linked to the sale, purchase and dissemination of online advertising on
Facebook and Instagram, cf. the company's annual report for 2022, the company's articles of association
purpose and LB-2020-170405.
The state has indicated that Facebook Norway is a contracting party in agreements with advertisers, and has
presented Meta's conditions for self-service advertising to substantiate this. Of these
the conditions state that certain orders for advertisements in Norway can be made through
Facebook Norway, so that the company is also a contracting party in agreements with the advertisers, cf.
the conditions point 16 and "Special provisions that apply to certain advertisers i
Norway". The court does not perceive that this is disputed.
As mentioned further, there is no disagreement that the Norwegian Data Protection Authority's decision on compulsory fines does not
can be enforced against Meta Ireland in Ireland, or that the company has assets in Norway which
coverage (for the compulsory fine) can be sought i.
- 25 - 23-114365TVI-TOSL/08 The question is about the ban on the relevant processing of personal data for
behaviour-based marketing, possibly the order to cease such treatment, can
is directed at Facebook Norway, even if the company cannot influence the content of the services.
The legal basis for the emergency measure that the Norwegian Data Protection Authority has taken is GDPR art. 61 No. 8
and/or art. 66 no. 1. The wording of these provisions does not clarify whether measures can also
is directed at companies that are not responsible for processing or can influence the content of
the services.
The State has particularly pointed out that the provisions in question only give authority to take measures
on the territory of the relevant Member State. However, the court cannot see that this provides anything
contribution to the solution of the interpretation question in question. The same applies according to the law
view the state's reference to the provision in GDPR art. 4 no. 16 a), which defines the term
"main business". The provision regulates where a data controller shall be deemed to have
its main activity, which is particularly important in determining which supervisory authority
who have expertise in relation to the business. The starting point is that it is the place for
the controller's main administration which is decisive. Exceptions apply if
decisions about "purposes and means in connection with the processing of
personal data" is met at another of the company's offices within the EEA area,
and this office has the authority to implement the decisions. This also applies there
the processing takes place in a group, cf. paragraph 36 and Skullerud et al.,
The Personal Protection Ordinance, legal commentary on Juridika, updated per April 1, 2023, Notes
to art. 4 (16). Here, too, the company with decision-making authority is to be considered
the main business; exceptions apply where "the purpose of the processing and the means which
used is determined by another company" (the court's emphasis). Facebook Norway has
however, no such decision-making authority and Norway is not the place where most
the processing activities take place.
The state has further referred to the provisions in GDPR art. 27 and recital 80, which apply
representatives of businesses that are not established in the EEA area. From recital 80
it appears that the appointed representative should be subject to enforcement measures in the event
non-compliance on the part of the controller or data processor.
In the court's view, these provisions also do not provide any guidance for the question of interpretation
in this case; whether emergency measures can be directed at other companies in a group, which are not
data controller or has any decision-making authority with regard to the person in question
the treatment. The rationale for appointing a representative is to ensure that
supervisory authorities and data subjects who have rights under the regulation can keep it
data controller or the data processor responsible for ensuring that processing takes place in accordance
with the regulation's provisions. Without a representative who is subject to enforcement action
in the EEA, it will often be impossible in practice to exercise public authority or enforce it
rights vis-à-vis businesses that are not themselves established here. It is therefore difficult to see
- 26 - 23-114365TVI-TOSL/08 why the provision should provide some guidance for the assessment of whether a national
supervisory authority can take measures where all the affected businesses are established within
EEA.
In the court's view, the provision in the GDPR also does not provide art. 60 (10) some contribution to the solution
of the question of interpretation. The provision imposes a duty on the data controller to meet
necessary measures to ensure compliance with this decision with regard to
processing activities that are carried out in connection with "all the data subject's businesses" i
EEA. The provision does not regulate who the leading supervisory authority is - or others
supervisory authorities – can direct a decision against.
The state has further shown that it follows from the case law of the European Court of Justice that emergency measures also
can be directed at Facebook Norway, in the capacity of being an establishment of Meta Ireland, cf.
GDPR clause 22. Clause 22 determines that the regulation will apply
where the data controller has operations within the EEA area regardless of how
this business is organized, and regardless of where the processing of
personal data takes place. In this case, it is clear that all those concerned
the businesses are established within the EEA area and that also the relevant processing
takes place here.
Central to the state's argument is the decision in C-645/19 Facebook Ireland Ltd. etc.
The case concerned, among other things, the question of whether a national supervisory authority (the Belgian one)
could bring a case about cross-border processing of personal data (in this
in the case of the processing of information on Belgian citizens) before a Belgian court.
The activities of the Belgian company - Facebook Belgium BVBA - were mainly
parallel to the business Facebook Norway runs (advertising and sales of
advertising space), see judgment section 94. The decision concerned enforcement measures, cf. art. 58 no.
5. The European Court of Justice found that the activities of the Belgian company were closely connected
with the relevant processing of personal data, as Facebook Ireland was
responsible for. On this basis, the court concluded that the processing was carried out
as part of activities carried out for a data controller, cf. GDPR article 3 no. 1.
When it came to the issue of the Belgian supervisory authority (which was not leading
supervisory authority) could initiate supervisory proceedings etc. against the establishment in Belgium, the court added
to reason (section 96):
In the light of all the foregoing, the answer to the third question referred to is that
Article 58(5) of Regulation 2016/679 must be interpreted as meaning that the power
of a supervisory authority of a Member State, other than the lead supervisory
authority, to bring any alleged infringement of that regulation to the attention of a
court of that Member State and, where appropriate, to initiate or engage in legal
proceedings, within the meaning of that provision, may be exercised both with
respect to the main establishment of the controller which is located in that authority's
- 27 - 23-114365TVI-TOSL/08 own Member State and with respect to another establishment of that controller,
provided that the object of the legal proceedings is a processing of data carried out in
the context of the activities of that establishment and that that authority is competent
to exercise that power, in accordance with the terms of the answer to the first
question referred.
It follows from this that a national supervisory authority which is not the leading supervisory authority in
within the meaning of the regulation, can also take measures against an establishment on the authority's own
territory. The prerequisite is that the processes implemented relate to the processing of
personal information that is made within the scope of this establishment's activities and
that the procedures for cooperation and uniform application of the regulations have been followed, cf. GDPR
chapter VII.
In the case in question, the Belgian court had questioned whether the interpretation which
The European Court of Justice had relied on case C-210/16 Wirtschaftsakademie Schleswig-
Holstein, that German supervisory authorities had competence to make decisions in disputes
on the protection of personal data, even if the controller was Facebook Ireland
and the subsidiary Facebook Germany only engaged in the sale of advertising services and
marketing activities, could be maintained under the new regulation, cf. section 38
and 39.
In the court's view, the issue that was presented to the European Court of Justice in C-210/16 is therefore
parallel to the question that this case raises, cf. judgment section 45. EU Court of Justice
concluded that the German supervisory authority could take measures against the local
the establishment even if it exclusively engaged in marketing activities, cf. the judgment
section 64. The court here perceives that it is this issue that the EU Court commented on
in case C-645/19 paragraphs 85-96. The decisive factor here is therefore whether the measure applies to one
processing that is carried out within the framework of the relevant establishment's activities, cf.
section 96. In both decisions it is assumed that the activity carried out by the establishments
related to marketing etc. is closely connected with – or forms an integral part of –
the operations of Facebook Ireland, cf. C-645/19 paragraphs 93-95 and C-210/16 paragraph 60.
The court has subsequently come to the conclusion that the Norwegian Data Protection Authority had a legal basis for correcting the decision
also against Facebook Norway, even if this company was not responsible for processing or on
independent basis could affect how the relevant treatment of
personal data took place. The decision cannot therefore be considered invalid on this point.
- 28 - 23-114365TVI-TOSL/084.2.2 The question of whether the decision is invalid as a result of a breach of the duties of
advance notification and proper investigation, cf. the Public Administration Act § 16 and 17
For a procedural error to lead to invalidity, it is sufficient that there is not one
completely remote – possibly real or reasonable – possibility that the error has been significant
for the decision, cf. Administration Act § 41 and HR-2017-2376-A section 24. It is not
necessary to prove or make it probable that the decision would not have been made or made that way
burdensome without the fault; it is enough that "there is reason to expect" that the fault "may" have had
meaning, cf. Rt-2009-661 section 72, Bernt, comments to section 41 of the Administration Act on
Court data, note 1040, and Eckhoff/Smith p. 486. The assessment depends on the specific conditions in
the case, including how serious the error is and the nature of the decision. Where the procedural error has
led to insufficient or incorrect basis for decision on a point of importance for the decision,
or the error in any other way involves the disregard of basic requirements for proper
treatment, it generally takes quite a bit to establish that the decision is invalid, cf.
Rt-2009-661 section 72.
In legal theory, it is assumed that normally little is needed to establish invalidity there
there is a breach of the rules on advance notice. This applies in particular where someone is exposed
for a particularly burdensome intervention and there is evidence that the case has not received one
proper treatment.
Among other things, Meta Ireland and Facebook Norway have asserted that the decision is
unnecessary and that the companies would inform the Norwegian Data Protection Authority about significant aspects of
significance for the decision. Among other things, it has been pointed out that the Norwegian Data Protection Authority has an apparent
incorrect understanding of how Meta Ireland's services work, both in terms of “hide
advertisement" function, what "behavioral marketing" is and how location data
works. The plaintiffs have also pointed out that the Norwegian Data Protection Authority has an incorrect understanding of the users
expectations. In addition, it has been shown that the decision is vague and impossible to fulfill within that period
deadlines that have been set, and that this would have been clarified if the companies had been notified
appropriately.
The court does not consider that there is reason to go into more detail on the question of the requirements for
advance warning and investigation has been breached, as it has in any case gone further
information would not have led to the decision having a different content, cf. Bernt, notes to
Section 41 of the Administration Act on Court data, note 1052. As the court sees it, it does not exist
evidence that there is a failure in the decision-making basis that could potentially have
influenced the decision's content.
- 29 - 23-114365TVI-TOSL/08 In this assessment, the court points out, first of all, that Meta Ireland and Facebook Norway
have confirmed that they will comply with the interpretation of GDPR art. 6 as DPC's and the Norwegian Data Protection Authority's
decision is based on. In connection with this, the plaintiffs have asserted that the Norwegian Data Protection Authority
decision is not "current" because it has already been fulfilled, cf. lawyer Reusch's disposition for
the main post point 5.6. In that Meta Ireland and Facebook Norway have stated that they want to
comply with the orders from the supervisory authorities within the time frame set by the DPC
up to, the dispute here mainly relates to the need for urgent measures to be taken.
In light of this, it is somewhat difficult to see in what way the plaintiffs have the information
highlighted, and which the Norwegian Data Protection Authority either should not have emphasized or has misunderstood, could have
led to the decision taking on a different content. In this assessment, the court also places importance on
that the statements that the Norwegian Data Protection Authority must have misunderstood key terms or key
functions are not explained or substantiated in more detail in the evidence. This applies
for example the definition of behaviour-based marketing, as explained in the resolution p.
3 and pp. 14–15. It is also not explained what the "hide the ad" function consists of and
why the Norwegian Data Protection Authority has had an incorrect perception of how this works. Equivalent
concerns the use of location data, which is discussed in the decision p. 15. As regards the question
about what the users' expectations/wishes are, this is commented on in the decision pp. 15–17.
The plaintiffs have further argued that the extensive "evidence provocations" which the state
has put forward in this case shows that the decision is based on a flawed decision-making basis.
The court will also note that the provocations have not been complied with, and that it appears
likely that the information in question would not have been presented under it either
administrative treatment, cf. that it has been argued that
the documentation/information concerns protected (confidential)
trade secrets. In Meta's pleadings on 18 August 2023 are the provocations
described as "irrelevant". If the provocations were irrelevant, however
difficult to understand that the basis for the decision failed in that the documentation in question
or the information was not submitted. In any event, the plaintiffs could choose to
present the evidence to prove that the Data Protection Authority's decision-making basis failed, cf.
Disputes Act § 22-12.
As regards the compulsory fine, the court points out that this was notified in the decision on 14 July 2023
point 3.
The court further refers to the fact that Meta Ireland and Facebook Norway submitted in a letter on 1 August 2023
appeal against the Norwegian Data Protection Authority's decision. The complaint was extensive (on 25 pages) and contained
references to investigations and assessments that the companies thought the Norwegian Data Protection Authority should
taken into account in the decision on 14 July 2023, among other things related to users' expectations (p. 12).
The court assumes that the companies in this complaint had the opportunity to raise all of them
circumstances which are now cited as the basis for the decision of 14 July 2023 being invalid as
as a result of a lack of advance notice. The Norwegian Data Protection Authority dealt with the question of conversion in
- 30 - 23-114365TVI-TOSL/08 letter 3 August 2023, and concluded that no new information had been submitted which
changed the conclusion in the decision.
Meta Ireland and Facebook Norway made further comments in a letter on 4 August 2023
from lawyer Thomas Olsen. Both the letter/complaint on 1 August and the letter on 4 August 2023 were
commented in the Norwegian Data Protection Authority's letter and decision on 7 August 2023, where the compulsory fine was decided.
It appears from the decision that the Norwegian Data Protection Authority has assessed the statements that the fixed deadlines
were too short (p. 3) and also the statements relating to the fact that the decision has been fulfilled (p. 4). The court can
after this do not see that Meta Ireland and Facebook Norway have invoked factual or legal
circumstances which the Norwegian Data Protection Authority has not assessed.
In summary, the court considers it a remote – or more theoretical – possibility
that a lack of prior notification or investigation may have influenced the decision. There is a reason
to assume that such an error cannot have had a decisive effect on the decision's content, cf.
Section 41 of the Public Administration Act. The court considers that, in this assessment, there is no reason to separate
between Meta Ireland and Facebook Norway, and points out that the actual circumstances which
the decision is based on are essentially the same, and that a complaint/petition for reversal has been submitted
on behalf of both companies.
4.2.3 The question of the conditions for emergency measures according to GDPR art. 61 (8) or art. 66 (1) was
fulfilled
In its decision on 14 July 2023, the Norwegian Data Protection Authority referred to GDPR art. 66 (1) as a basis for
the decision to take emergency measures. Subsidiarily, reference is made to GDPR art. 61 (8).
By GDPR art. 66 (1) it is stated:
In exceptional circumstances, where a supervisory authority concerned considers that
there is an urgent need to act in order to protect the rights and freedoms of data
subjects, it may, by way of derogation from the consistency mechanism referred to in
Articles 63, 64 and 65 or the procedure referred to in Article 60, immediately adopted
provisional measures intended to produce legal effects on its own territory with a
specified period of validity which shall not exceed three months. The supervisory
authority shall, without delay, communicate those measures and the reasons for them
adopting them to the other supervisory authorities concerned, to the Board and to the
Commission.
- 31 - 23-114365TVI-TOSL/08 The question is whether there are extraordinary circumstances that make it necessary
to act immediately to protect the rights and freedoms of data subjects. The provision has its own
background in that proceedings according to the procedures in art. 60 to 65 can take a long time, cf. Skullerud
etc., notes to art. 66 on Jurisprudence. It is not in dispute that the other conditions which
consequences of the wording, including related to the time limit and the scope of the decision, are
fulfilled.
The wording points in the direction that a lot is needed for the exemption provision to come about
for application. The court refers to the use of the words "exceptional"/"exceptionnelles"/
the extraordinary and the formulations "urgent need"/"urgent d'intervenir"/"dringender".
Handlungsbedarf", combined with paragraph 137, where it is indicated that it can be
basis for taking urgent measures where there is a risk that the enforcement of the registered
rights may be made significantly more difficult. The court assumes that the exemption provision
must be practiced restrictively, cf. EDPB's decision 01/2021 section 167 regarding GDPR art. 66
(2) and the EU Court's decision in case C-645/19 section 63 et seq.
The State has asserted that the provision allows the supervisory authorities to have a discretion
when assessing whether the conditions have been met. The wording can draw in this direction, cf.
the wording "considers"/"kann"/"considère"/"mener".
When it comes to the more detailed interpretation of the provision, it is presented sparingly
authoritative sources. Reference has been made to Attorney General Bobek's proposal for a decision in case C-
645/19 Facebook Ireland Ltd. section 135, where it appears that direct proceedings from
the leading supervisory authority's side may indicate that the provision will be applied,
without the court being able to see that this provides any significant guidance, cf. art. 61 (8) second sentence.
The state has submitted a decision on 10 May 2021, in which German supervisory authorities (The Hamburg
Commission for Data protection and freedom of information) placed a ban on
processing/transfer of personal data concerning users of the application
WhatsApp from the data controller(s) for this service to Facebook Ireland. In the
In the case in question, German supervisory authorities had approached the Irish authorities, but the
the Irish supervisory authority had not answered/handled the inquiry, see the decision pp. 11–12. IN
decision, it was assumed that Meta Ireland could not process the personal data
for own purposes (processing grounds were missing), and the questions that were the subject of the case have
in the court's view points of similarity with the present case. Whether the circumstances in which
the German case was more serious or acute than in the present case and if the leading one
the supervisory authority had acted more or less directly, it is, however, difficult
for the court here to decide without further evidence. The parties in this case have in small
degree attempted to shed light on the extent to which the German case has points of similarity with - or differences
recede - the case being dealt with here.
- 32 - 23-114365TVI-TOSL/08 The same applies to a decision made by Italian supervisory authorities on 21 December 2022
aimed at Meta Ireland. The decision deals with, among other things, treatment that amounted to
remove posts on Facebook and Instagram, where users were advised not to vote for it
the upcoming parliamentary elections in Italy, cf. resolution point 1.1. In the decision, it is indicated that the
the Italian supervisory authority over a long period had not received any
feedback or assessment from DPC as the leading supervisory authority, see the resolution point 3
second and penultimate paragraph.
It is linked, according to this doubt, to the closer scope of GDPR art. 66 (1). This
applies to both the question of the threshold for when the provision comes into application,
whether or not the supervisory authority has discretion according to the provision that may be
excepted examination, the meaning that the lead supervisory authority has an ongoing
proceedings and whether private parties can invoke the provision directly, etc.
The plaintiffs have claimed that the provision in art. 66 (1) does not apply
because the decision is not urgent. Among other things, it is shown that the case is being processed by it
leading supervisory authority (DPC), that the Norwegian Data Protection Authority has had no objections to DPC's plan for
proceedings, that behaviour-based marketing is common practice and has been considered legal
for a long time, and that it is of no consequence that the Norwegian Data Protection Authority has the opportunity to act more quickly
than DPC.
In the court's view, these points are relevant when assessing whether the conditions according to
GDPR art. 66 (1) is fulfilled. It is not the case that the regulatory breach in this case links
itself to a specific future time, and where it is necessary to intervene before this occurs
(for example where information is to be transferred to a third party). As stated by the plaintiffs
has the processing of information for behavioral marketing without consent continued
over years. The court also points out that, in this case, active proceedings are ongoing at the DPC,
which involve a number of inspections and where most of these have decided to deal with
the plan laid down by the DPC. Overall, these arguments point in the direction that it should not
exceptions are made from the cooperation mechanism in GDPR art. 60 ff.
The State, for its part, has referred to the assessment in the decision points 7.3 and 7.4 (the decision pp. 27–30),
where, among other things, it is pointed out that the processing of personal data is behaviour-based
marketing lacks a legal basis, that it is extensive (concerns many people)
and involves the processing of private and sensitive personal data. In the decision adds
The Norwegian Data Protection Authority on the grounds that the processing of personal data has taken place for many years, but
that it is in particular Meta Ireland's failure to comply with the DPC's decision on 31 December 2022,
which had a three-month deadline for compliance, compared to Meta Ireland's
made illegal adaptations as a result of the decision, which makes it necessary to make
immediate measures (p. 28). The decision further explains the contact with DPC and the
feedback that the Norwegian Data Protection Authority has received.
- 33 - 23-114365TVI-TOSL/08 In the court's view, the points that the state has pointed to are also relevant for the assessment of
whether there are grounds for taking urgent measures. That the breach of regulations occurs on an ongoing basis, and is not
relating to a specific future event, in the court's view cannot be attributed decisively
weight. This must particularly apply in cases such as the present one, where the illegal processing
is comprehensive, intrusive and concerns large groups. In a situation where it is uncertain
where the closer threshold for applying the exception provision is located, the right is –– below
considerable doubt - came to the conclusion that the terms of GDPR art. 66 (1) to take urgent measures is fulfilled.
Following this, the court does not go into whether the conditions according to GDPR art. 61 (8) is fulfilled.
4.2.4 Other statements
Meta Ireland and Facebook Norway have further stated that the decision is disproportionate, unclear,
impossible to fulfill, contrary to other legislation (including ECHR) and that it already is
fulfilled.
In the court's view, none of these statements can be substantiated.
When assessing whether the decision is disproportionate, the court points out that the question in this
the issue is not whether the processing in question is legal or about Meta Ireland and Facebook
Norway will comply with the decisions. Both companies have confirmed that they will comply with the order
about changing the treatment basis. The court agrees with the state that it can be considered difficult
disproportionately to order the cessation of an illegal activity. This particularly applies when
The plaintiffs' interest is primarily of an economic nature and there are clear and
extensive breach of the requirements for the processing of personal data. It is not
proved through the presentation of evidence that the changes necessary to comply
the decision will have greater, negative consequences for the users of the services. In the court's view
nor have the plaintiffs demonstrated that it will be impossible to comply with the decision by
set deadlines. The plaintiffs have presented information about which work processes are
necessary to perform in order to comply with the consent obligation, but this information is not
further substantiated with evidence, cf. for example the supporting document presented
("Compliance was not possible within the Norwegian Data Protection Authority's deadlines"). It is also not possible to read
out of the plaintiffs' explanation/argument that the work will take at least three months, or that
it will not be possible to move forward faster by establishing temporary solutions that do not
appears just as elaborate.
- 34 - 23-114365TVI-TOSL/084.3 Case costs
The state has won the cases, and according to the main rule in the Disputes Act § 32-2 cf. § 20-2 other cf.
first paragraph claims to have their legal costs covered. There is no significant evidence
reasons that make it reasonable to exempt Meta Ireland and Facebook Norway from
responsibility for costs, cf. the Disputes Act § 20-2 third paragraph.
Attorney Jahren has submitted cost statements, which show that 114 hours have been worked
the case brought by Meta Ireland and 33 hours in the case concerning Facebook Norway. The
an hourly rate of NOK 1,600 is used. The total cost requirement amounts to NOK, respectively
182,400 and NOK 52,800. The court considers that the costs have been necessary and places
the tasks as a basis.
END
In case no. 23-114359TVI-TOSL/08
1. The request is not accepted.
2. In case costs, Facebook Norway AS pays the state v/Datatilsynet 52,800 -
fifty-two thousand eight hundred - kroner within 2 - two - weeks from the service of
the ruling.
In case 23-114365TVI-TOSL/08
1. The request is not accepted.
2. In case costs, Meta Platforms Ireland Limited pays the state v/Datatilsynet
182,400 - one hundred and eighty-two thousand four hundred - kroner within 2 - two - weeks from
the service of the ruling.
The court adjourned
Henning Kristiansen
Guidance on the right to appeal in civil cases is attached.
- 35 - 23-114365TVI-TOSL/08- 36 - 23-114365TVI-TOSL/08 Guidance on appeals in civil cases
In civil cases, the rules in the Disputes Act, Chapters 29 and 30, apply to appeals. The rules for appeals against judgments,
appeals against rulings and appeals against decisions are slightly different. Below you will find more information and guidance
about the rules.
Appeal period and fee
The deadline for appealing is one month from the day the decision was made known to you, unless the court has set one
other deadline. These periods are not included when the deadline is calculated (legal holiday):
- from and including the last Saturday before Palm Sunday up to and including Easter Monday
- from and including 1 July to and including 15 August
- from and including 24 December to and including 3 January
The person who appeals must pay a processing fee. You can get more information about the fee from the court that has
processed the case.
What must the statement of appeal contain?
In the statement of appeal, you must mention
- which decision you are appealing
- which court you are appealing to
- name and address of parties, representatives and legal representatives
- what you think is wrong with the decision that has been made
- the factual and legal justification for the existence of an error
- what new facts, evidence or legal justifications you want to present
- whether the appeal concerns the entire decision or only parts of it
- the claim the appeal applies to, and which result you require
- the basis for the court to hear the appeal, if there has been any doubt about it
- how you think the appeal should be processed further
If you want to appeal a district court judgment to the Court of Appeal
Judgments from the District Court can be appealed to the Court of Appeal. You can appeal a judgment if you think it is
- errors in the factual circumstances that the court has described in the judgment
- errors in the application of the law (that the law has been interpreted incorrectly)
- errors in the proceedings
If you wish to appeal, you must send a written statement of appeal to the district court that heard the case. If
you are conducting the case yourself without a lawyer, you can appear in the district court and appeal orally. The court may allow that too
attorneys who are not lawyers appeal orally.
It is usually an oral hearing in the Court of Appeal that decides an appeal against a judgment. In the appeal process
the court of appeal must concentrate on the parts of the district court's decision that are disputed, and as they are
associated with doubt.
The Court of Appeal can refuse to hear an appeal if it comes to the conclusion that there is a clear preponderance of probability that
the judgment from the district court will not be changed. In addition, the court can refuse to process any claims or grounds of appeal, itself
whether the rest of the appeal is processed.
The right to appeal is limited in cases involving an asset value of less than NOK 250,000
If the appeal concerns an asset value of less than NOK 250,000, consent from the Court of Appeal is required for the appeal
must be able to be processed.
When the Court of Appeal considers whether to grant consent, it emphasizes
- the nature of the case
- the parties' need to have the case tried again
- whether there appear to be weaknesses in the decision that has been appealed, or in the processing of the case
If you want to appeal a district court ruling or decision to the Court of Appeal
As a general rule, you can appeal a ruling on the grounds of
- errors in the factual circumstances that the court has described in the ruling
- errors in the application of the law (that the law has been interpreted incorrectly)
- errors in the proceedings
- 1 - 23-114365TVI-TOSL/08 Rulings that apply to the proceedings, and which are taken on the basis of discretion, can only be appealed if you
believes that the exercise of discretion is unjustified or clearly unreasonable.
You can only appeal a decision if you think so
- that the court did not have the right to make this type of decision on that legal basis, or
- that the decision is obviously unjustified or unreasonable
If the district court has given judgment in the case, the district court's decisions on the proceedings cannot be separately appealed. Then
the judgment can instead be appealed on the basis of errors in the proceedings.
You appeal rulings and decisions to the district court that made the decision. The appeal is normally decided by
ruling after written consideration in the Court of Appeal.
If you want to appeal the Court of Appeal's decision to the Supreme Court
The Supreme Court is the appeal body for the Court of Appeal's decisions.
Appeals to the Supreme Court against judgments always require the consent of the Supreme Court's appeals committee. Consent is only given when
The appeal concerns issues that have significance beyond the case in question, or that for other reasons are particularly important to
have the case dealt with by the Supreme Court. Appeals against judgments are normally decided after an oral hearing.
The Supreme Court's appeals committee can refuse to take appeals against rulings and decisions for consideration if the appeal is not
raises questions of importance beyond the case in question, nor do other considerations suggest that the appeal should be tried.
The appeal can also be refused if it raises extensive evidentiary issues.
When an appeal against rulings and decisions in the District Court has been settled by ruling in the Court of Appeal,
as a general rule, the decision is not further appealed to the Supreme Court.
Appeals against the Court of Appeal's rulings and decisions are normally decided after written consideration in the Supreme Court
appeal committee.
- 2 - 23-114365TVI-TOSL/08
