On 18 June 2024, the Data Protection Board ruled that the Norwegian Data Protection Authority (DPA) cannot impose daily fines on Meta for not complying with a ban on behavioral marketing on Facebook and Instagram.
Background and Ruling
- Ban on Marketing: The Norwegian DPA had banned behavioral marketing due to GDPR violations. Meta failed to comply, leading to the imposition of daily fines in a subsequent decision.
- Daily Fines: Under Norwegian law, daily fines are permissible to enforce compliance. The DPA applied this to Meta, imposing NOK one million per day.
- Appeal Board’s Decision: The Data Protection Board ruled that these fines could not be applied to international companies like Meta, stating that Norwegian law’s provision for daily fines is limited to domestic entities. The reason cited for this is that the ability to impose daily fines stems from national law, and thus cannot apply to foreign entities even in an emergency decision pursuant to Article 66 GDPR.
Implications of the Decision
- Enforcement Disparity: The ruling creates a situation where Norwegian companies can be fined daily, but international firms might escape such penalties, leading to potential inequities in enforcement.
- Call for Legal Clarity: The DPA expressed concern over this interpretation and urged lawmakers to clarify the law to ensure consistent application across all companies, regardless of their origin. I agree that the reasoning is strange and the consequences quite ridiculous.
👉 Read the decision here and the DPA statement here.
♻️ Share this if you found it useful.
💥 Follow me on Linkedin for updates and discussions on privacy education.
📍 Subscribe to my newsletter for weekly updates and insights – subscribers get an integrated view of the week and more information than on the blog.
