Norwegian decision banning behavioural advertising on Facebook and Instagram

On 14 July, the Norwegian Data Protection Authority (DPA) imposed a temporary three-month ban on “behavioural advertising” on Facebook and Instagram to users based in Norway. The decision relied on the “urgency procedure” under the General Data Protection Regulation (GDPR), which exceptionally allows direct regulatory interventions by other national authorities than the authority of the country where the business is registered (here: Ireland). 

My initial view of the decision is that it is both a misuse of the urgency procedure and mischaracterizes the leading judgment from the EU Court of Justice (CJEU) on which it purports to rely (see my analysis of that judgment: part 1 and part 2). The decision misses the critical legal issue that it’s unclear to what extent the CJEU’s analysis applies to first-party personal data (collected by Facebook and Instagram) as the Court’s judgment expressly covered third-party data (collected “off-platform”). 

What is “behavioral advertising”?

First, let’s consider the scope of the Norwegian DPA’s decision. The decision is meant to apply to “behavioral advertising,” which it defines as 

targeting ads on the basis of inferences drawn from observed behaviour as well as on the basis of data subjects’ movements, estimated location and how data subjects interact with ads and user-generated content.

It further clarifies that: 

Meta’s use of location data to inform which ads are displayed to data subjects clearly constitutes Behavioural Advertising. It is unclear to us what this location is estimated on the basis of, if not the data subject’s behaviour.

Contrast this with Article 29 Data Protection Working Party’s (A29 WP) “Opinion 2/2010 on online behavioural advertising”:

Behavioural advertising is advertising that is based on the observation of the behaviour of individuals over time. 

This is distinguished from contextual advertising:

Contextual advertising is advertising that is selected based on the content currently being viewed by the data subject. In the case of a search engine, content may be derived from the search keywords, the previous search query or the user’s IP address if it indicates their likely geographical location.

Taking the A29 WP’s approach, it is by no means “clear” that the use of location data “constitutes Bevioural Advertising.” Like other data points, location could be collected concurrently (in a snap shot way) with displaying advertising. If there is no reliance on past location data associated with a user, then this is arguably not “profiling” and not “behavioural advertising” as understood until now.

The Norwegian DPA seemingly contends that the practices it identifies as “behavioral advertising” violate GDPR rules, regardless of whether these practices depend on first- or third-party data. The central argument of the decision is that it’s unlawful to process personal data based on legitimate interest in this context, potentially leaving user consent as the only viable alternative. However, the DPA also includes a brief reference to the “threat of charging data subjects,” appearing to imply that service charges as an alternative to consent may not be acceptable. This is in contrast with the Court of Justice of the European Union’s (CJEU) recent decision on Facebook v Bundeskartellamt, where it was suggested that users could be provided “if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations” (paragraph 150). (For more on the consent v payment issue, see the first part of my analysis of the CJEU judgment).

The Norwegian DPA used the GDPR’s “urgency procedure” (Article 66) as its legal foundation for this action, sidestepping the one-stop-shop principle that would typically give the Irish DPC precedence in matters related to Ireland-registered Meta. The DPA’s claim of an “urgent need to act” appears questionable considering that the lead authority, the Irish DPC, shared “a provisional position paper” with the Norwegian DPA only three days prior to this decision. This sequence of events may lead some to perceive that the Norwegian DPA acted hastily, prompted by frustration rather than careful deliberation.

The Irish DPC issued a statement quoted by TechCrunch which casts even more doubt over the Norwegian DPA’s “urgency” argument:

Having concluded its final decisions in these investigations, the DPC issued these to Meta and is now supervising compliance with the orders contained in the decisions. To that end, the DPC has assessed Meta’s compliance reports with the orders and sought views of all Concerned Supervisory Authorities (“CSAs”). The DPC has now produced a provisional assessment paper on the compliance reports that incorporates CSA views and considered the recent CJEU Bundeskartellamt judgement.

The DPC has provided its assessment to all CSAs and they have until Friday 21 July to make submissions to the DPC. Our Norwegian colleagues are in fact the first of our colleagues to respond to us and they have confirmed that they “found your analysis very thorough, thoughtful and sensible”. As you can see this process is very well advanced and the DPC intends to close out by way of a harmonised approach its supervision of Meta on this matter by no later than mid-August. All Supervisory Authorities who are party to this process are aware of this timetable.

The DPA seems to have acted precipitously in the absence of immediate conclusions or binding measures on Meta from the Irish DPC. It appears that the absence of immediate decisions from the Irish DPC, particularly on aspects not previously covered in their multi-year investigation, was interpreted by the Norwegian DPA as inaction. This interpretation seemingly led the Norwegian DPA to take significant action of their own. In doing so, they leaped over an enormous justificatory chasm.  

First- vs third-party data

The speed at which the Norwegian DPA acted seemingly resulted in a cursory review of the CJEU’s decision in Facebook v Bundeskartellamt. The Norwegian decision continually refers to paragraph 117 of that judgment as evidence for its claim that users can’t reasonably anticipate their personal data being used for “behavioral advertising”. However, it fails to consider the CJEU’s more nuanced analysis regarding first- versus third-party data. Furthermore, it overlooks paragraph 151, which limits the judgment’s conclusions on “reasonable expectations” to third-party data. (See also the first part of my analysis of the CJEU judgment).

Meta already relies on consent for targeting advertising based on what Meta defines as third-party data (as described in their privacy policy: “Using information from third parties to tailor the ads you see”). The potentially important nuance here relates to whether data that comes from Meta’s services other than Facebook/Instagram counts as “third-party.” But even on the broader definition of “third-party data” a large part of it is processed on the basis of user consent under Meta’s policy.

This situation underscores the importance of thorough legal analysis, as crucial considerations can easily be overlooked when decisions are made in haste. Hence, the use of the urgency procedure should remain exceptional and reserved for truly urgent situations.