A fine imposed by the Norwegian data protection authority in August could be expanded to the entirety of the EU, subjecting Meta to extensive daily penalties until it makes big changes to tracking ads. The Norwegian fine is based on a national decision to prohibit the type of digital profiling that Facebook and other Meta companies engage in, something that could potentially spark an EU ban if the decision is expanded across the bloc.
Norwegian regulator Datatilsynet began fining Meta the equivalent of $100,000 per day on August 14, in a decision that has a legal maximum of three months under national law. In early September, Meta lost a court appeal to end the fine. The regulatory action requires the company to cease use of tracking ads during the ban period or pay the fine for each day of operation, but the European Data Authority (EDA) could opt to make this decision permanent and expand it across the whole of the EU.
EDA “nuclear option” could mean effective EU ban for Meta
Datatilsynet ruled in July that Meta’s tracking ads were in violation of the General Data Protection Regulation (GDPR), given that they do not collect adequate user consent for the level and scope of personal information that is gathered to feed the machine. This led to a temporary ban in August, under the terms of which Meta is allowed to keep operating normally but must pay the large fine for each day that it does.
Meta appears to have decided to simply absorb the fine, which was limited to three months in total (or about $8 million, a relative drop in the bucket for the company). This strategy could backfire badly, however, if the EDA is in full agreement with Norway’s interpretation of the GDPR requirements.
Though Norway is not an EU member, it adheres to GDPR rules under a 2018 agreement that brought European Economic Area (EEA) countries into the regulatory fold. That also gives it the right to refer decisions based on the GDPR terms to the EDA, which can then decide if the legal reasoning is sound enough to apply across the entire bloc. Norway was able to make an emergency request on the basis of the amount of people potentially impacted, meaning that the EDA will take up the matter immediately and have to reach a decision within two weeks of completing an assessment of the completeness of the file that Norway has referred to it (a process that does not have a fixed timeline).
What this could mean, in the worst scenario possible for Meta, is that the EDA institutes an EU ban based on this decision sometime before the end of 2023. It would also open the door for all EU members to institute daily fines, and make the fine period permanent. While it is difficult to determine exactly how much Meta would be looking at in daily payments to continue its present use of tracking ads in the EU, such a decision would certainly change the math for the company.
Meta tracking ads model continues to take serious blows as competitors adapt
At this point it may take an effective EU ban to prompt change at Meta, which has repeatedly resisted updating how it handles tracking ads even as major competitors work on shifting to entirely new models.
The EDPB has some recent history in this area that does not bode well for Meta’s fortunes. At the beginning of the year it rejected Meta’s claim of contractual validity in collecting information for tracking ads, which pushed the social media giant to switch to a “legitimate interest” basis in a further bid to avoid collecting informed consent from its users. The Court of Justice of the European Union (CJEU) shot that down with a July decision. Seemingly out of rope, Meta announced in August that it would shift to a consent model for EU users, but did not set a timeline and has not moved to do so as of yet.
Meta’s reticence in the face of a possible EU ban is in contrast to its largest competitors, chiefly Google, which have apparently seen the writing on the wall as regards tracking ads legislation and are overhauling their models to increase user privacy. The ultimate effectiveness of efforts like Google’s “Privacy Sandbox” are still debatable, but the project has at least pledged to end the tracking cookie as a seemingly omnipresent part of web browsing.
The potential EU ban is not Meta’s only major regulatory worry in the region, as it continues to face uncertainty about the legality of its international data transfers under the GDPR. It has also been formally named as one of the large “gatekeeper” companies that the Digital Markets Act applies to, requiring them to come into full compliance with its terms by early March 2024.