Norway’s data regulator has taken a bold step in its ongoing battle against Meta Platforms, the parent company of Facebook and Instagram. The Norwegian Data Protection Authority, known as Datatilsynet, has been imposing a daily fine of one million crowns (approximately $93,000) on Meta since August 14th, 2023. This hefty penalty has been levied due to Meta’s alleged violation of user privacy, specifically related to the harvesting of user data for targeted advertising purposes. It’s a scenario that has become all too familiar in the world of Big Tech.
What makes this situation particularly intriguing is the latest development – Datatilsynet’s decision to escalate the matter by referring it to the European Data Protection Board (EDPB). This decision has far-reaching implications, potentially making the fine permanent and expanding it to encompass the entire European Union (EU) and the European Economic Area (EEA). Norway, while not an EU member, is part of the European single market, which grants it certain privileges and responsibilities regarding data protection.
At its core, Datatilsynet’s action represents a significant pushback against major tech companies’ practices of exploiting user data for financial gain. The issue here revolves around Meta’s use of personal data to target advertising at users, a common practice among tech giants, often raising concerns about privacy and consent.
The duration of the imposed fine – three months – represents the maximum period allowed under Norwegian law. By referring the case to the EDPB, Datatilsynet is seeking a more comprehensive and longer-lasting resolution. This move underscores the seriousness of the alleged privacy breaches and the need for a unified approach to enforcing data protection regulations.
Tobias Judin, Head of the International Section at Datatilsynet, emphasized that Meta has shown a consistent disregard for their decision in Norway and continues to operate in violation of privacy laws across Europe. This is no minor issue, as Judin highlighted that over 250 million people have been impacted by Meta’s practices. To ensure compliance across the European level and prevent further violations, Datatilsynet seeks a final decision from the EDPB.
Meta, on the other hand, expressed surprise at Datatilsynet’s decision. The company cited its commitment to shifting to a legal basis of consent for advertising within the EU and EEA regions. They also mentioned ongoing discussions with relevant data protection authorities, primarily through their lead regulator in the EU, the Irish Data Protection Commission.
However, Datatilsynet has raised concerns about the vagueness of Meta’s plans regarding user consent and pointed out that user rights are currently being violated. This further reinforces Datatilsynet’s stance that a more decisive and permanent action is needed.
The EDPB’s response to this referral remains highly anticipated. The board confirmed that it had received the request to expand the fine’s scope but has yet to issue an official decision. The outcome of this case will undoubtedly set a precedent for how data protection issues involving major tech companies are handled within the EU and EEA.
This situation reflects a broader trend of increased scrutiny of tech giants’ data practices and privacy violations across Europe. Regulators are taking a more assertive stance to protect user data and ensure compliance with stringent EU data protection laws. The involvement of the EDPB and the potential extension of the fine to the EU highlights the importance of adhering to data privacy regulations in today’s digital landscape. It underscores that even the largest tech companies are not exempt from accountability when it comes to safeguarding user data and privacy rights.