Norway Fining Meta $98,500 per Day for User Privacy Breach

Oslo - Datatilsynet, Norway’s Data Protection Authority, is fining Meta Platforms 1 million krone per day, or roughly $98,500.

Meta, the company behind Facebook, Instagram, and Whatsapp, is being penalized for alleged data privacy breaches, and the potential impact of this on Norway residents.

Datatilsyne has also banned Facebook and Instagram from carrying out any behavioral advertising activities, initially until October.

Read more about this story on the Datatilsynet website.

Meta Violating GDPR

Datatilsynet announced in July its intention to start fining Meta if the company failed to address the identified privacy breaches.

However its issues in Norway go deeper, with the DPA taking issue with Meta’s ongoing violation of the General Data Protection Regulation (GDPR) - a law that protects the misuse and abuse of EU resident personal data.

The dispute centers around Meta’s approach to behavioral sementation in advertising. The company has allegedly been using large amounts of user data - including geolocations - in targeted advertising campaigns. Consequently, Datatilsynet has banned such activities within Norwegian borders.

This is no small thing, with the company collecting data on what people post or comment, the unencrypted messages sent and received, hashtag usage and so forth. And when brought together, this information can be used to reveal incredibly personal information about users, from musical tastes and menstrual cycles to addictions and wider health issues.

The sun's setting on Meta's data privacy transgressions in Norway and beyond

Growing Concerns About Meta’s Privacy and Security Measures

By acting upon its previous threats, Datatilsynet made clear its dissatisfaction with the solutions that Meta proposed since July.

Their plan was to request EU customers for consent for advertisement targeting, with data captured from their in-platform behavior. Datatilsynet felt this insufficient, and that Meta should instead halt any data processing until an effective consent mechanism is activated.

Neither Facebook nor Instagram is banned in Norway. But the sentence underlines Datatilsynet efforts to persuade Meta to bring its data practices in line with EU standards. Norway’s DPA believes that Meta is brazenly exploiting its users by harvesting personal data excessively, and without consideration - infringing on what is a human right under both the European Union and United Nations.

The challenges Meta faces in Norway are not isolated. Earlier this year, the Irish Data Protection Commissioner, which acts as Meta's lead EU regulator, called on the company to re-evaluate the legal foundations of its ad-targeting processes. The directive stemmed from allegations that Meta had made adjustments to its algorithms. Still, subsequent investigations by European courts determined that these changes didn't meet the stringent standards of European privacy regulations.

Continental Consequences for Meta

The crusade against Meta’s data practices has only intensified, with the decision in Norway seen by European regulators as the opportunity it is to get the company singing from their hymn sheet.

And while Norway isn’t a de facto member of the EU, its membership of the Single Market makes it EU-adjacent enough to sense that this ruling will be a common precedent across Europe. Put another way, it’s like this Scandinavian hammer blow to Meta will cause a ripple effect across Europe. For if Datatilsynet's decision is endorsed by the European Data Protection Board, the fines imposed on Meta could become permanent, broadening their territorial scope to encompass the entirety of Europe.

As of now, the daily fines against Meta are scheduled to continue until November 3. With the stakes set high, and with increasing scrutiny from European nations, it remains to be seen how Meta will navigate this complex regulatory landscape.

Wider Implications for Businesses

This action against Meta is further evidence that European DPAs are finally learning how to effectively enforce GDPR standards, and it follows soon after similar legal action in Sweden against Google Analytics. It’s also clear from recent events in Sweden that all business types are liable for the misuse of EU citizen data, and all signs point to fines and other penalties increasing in the future.

Meta has since tried to circuvent its privacy requirements by introducing paid plans for users that don't want to be tracked - something that effectively places people's data privacy rights behind a pay wall.

Businesses that want to stay compliant should move away from cookies and other digital tech that collects personal user data.

However, the arrival of privacy-first internet technologies like TWIPLA means that they can still collect the data they need to drive business growth without infringing on the security of internet users or breaking data privacy requirements. Sign up today, and start migrating your digital technologies away from those that collect personal data.