Privacy & Cybersecurity Law Blog

On July 14, 2023, the Norwegian Data Protection Authority (“DPA”) ordered Meta Platforms Ireland Limited and Facebook Norway AS (jointly, “Meta”) to temporarily cease the processing of personal data of data subjects in Norway for the purpose of targeting ads on the basis of “observed behavior,” when relying on either the contractual necessity legal basis (Article 6(1)b)) or the legitimate interests legal basis (Article 6(1)(f)) of the GDPR.

The adoption of these provisional measures by the Norwegian DPA follows the Irish DPA’s recent decision on Meta’s contextual advertising and the decision by the Court of Justice of the European Union in the Meta v. Bundeskartellamt (Federal Cartel Office, Germany).

The Norwegian DPA expressed concerns about whether the use of the legitimate interests or contractual necessity legal bases by Meta in the context of behavioral advertising comply with the GDPR. As noted above, the Norwegian DPA’s order only covers targeted advertising based on “observed behavior.” Accordingly, it does not preclude Meta from processing personal data for advertising purposes, nor does it limit advertising or the targeting of ads, based on information that data subjects have provided through their Facebook profile or if they have provided their consent. The order also “does not in any way ban Meta from offering [its services] in Norway.”

The provisional measures were adopted pursuant to the GDPR urgency procedure (Article 66(1) of the GDPR) and will apply from August 4, 2023, until November 3, 2023. The order may be lifted before this date if Meta is able to implement measures addressing the Norwegian DPA’s concerns. The Norwegian DPA has also requested the European Data Protection Board to issue an urgent binding decision on this matter, in line with Article 66(2) of the GDPR.

Read the Norwegian DPA’s decision.