Meta – Violation Found (Norway, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Norway's court upheld a decision by the Norwegian data protection authority that banned Meta from using behavioral marketing on Facebook and Instagram. This ruling is important because it confirms that companies must comply with data protection laws, even if they argue they are not the main decision-makers in data processing. Businesses should be aware that they can be held accountable for how they use personal data.
What happened
The court rejected Meta's request to stop a ban on behavioral marketing imposed by the Norwegian data protection authority.
Who was affected
Users of Facebook and Instagram in Norway whose data was used for behavioral marketing.
What the authority found
The court ruled that the Norwegian data protection authority had the legal right to impose a ban on Meta's marketing practices.
Why this matters
This case shows that companies cannot evade responsibility for data processing by claiming they are not the main operators. It highlights the need for compliance with data protection regulations.
GDPR Articles Cited
Entities Involved
On August 3 and 4 2023, Meta Platforms Ireland Limited (Meta Ireland) and Facebook Norway AS (Facebook Norway) requested a temporary injunction against the Norwegian DPA’s urgent decision from July 2023 (21/03530-16). This decision banned behavioural marketing on Facebook and Instagram under Article 6(1)(b) and (f) GDPR for three months, starting August 4th 2023. A temporary injunction would have prevented Meta from having to comply until further notice. The district court in Oslo heard Meta's argument on the 22nd and 23rd of August. Meta argued that the DPA's decision was invalid because, under the GDPR, Facebook Norway could not be considered a data controller under Article 4(7) GDPR and Articles 66(1) and 61(8) GDPR were used incorrectly by the DPA to make urgent decisions. Meta also raised arguments surrounding national law, such as, grounds of security under the Dispute Act, whether a main claim has been substantiated and whether prior notification had been given by the DPA under the Public Administration Act. The Oslo District Court decided in the favour of the Norwegian DPA and rejected Meta’s arguments. The Court concluded that the Norweigen DPA had a legal basis to direct the decision against Facebook Norway. The fact that Facebook Norway was not the controller was not disputed by the court. Facebook Norway does not determine the purpose or the means used to process, nor is Norway the place where most of the processing activities take place. The question was therefore, whether the prohibition against the processing of personal data in question for behavioral marketing can be directed against Facebook Norway, even though the company cannot influence the content of the services. The court relied on the case of C-645/19 Facebook Ireland Ltd. et al. to also conclude that that the processing was carried out in the context of the activities of a controller as defined by Article 3(1) GDPR. It used this same case to determine that the Norweigen DPA, despite not
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Meta in NO
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Meta - Norway (2023). Retrieved from cookiefines.eu
Last updated: