Facebook and Instagram owner Meta will be fined one million crowns ($100,000) per day over privacy breaches unless it takes remedial action, Norway’s data protection authority said on Monday, in a move that could have broader European implications. The fine — the highest ever in Europe — came after an investigation into how Meta harvested data to target advertising at users, a practice known as behavioral advertising. It also found that the company was not correctly notifying users about how their information would be used. The Norwegian watchdog said that Meta cannot harvest user data in Norway, such as their physical locations, and use it to target advertising at them, a business model common to many Big Tech companies. It also said that Meta was not correctly informing users about how their information would be processed and wasn’t asking for consent.
The ruling follows a lengthy legal battle with Austrian lawyer Max Schrems, who argued that the changes forced users to agree to process their personal information for ad targeting without clearly explaining what it was doing and why. The decision will likely pressure the EU and the United States to reach a new transatlantic deal on data transfers within the next six months and on other companies that transfer people’s data between the two regions.
It also gives the European Data Protection Supervisor (EDPB) more discretion over how to penalize breaches by companies, which could lead to higher fines than those imposed under GDPR. Meta said it expected to file an appeal with the Irish Data Protection Commissioner and European Courts, but that was unlikely to change the outcome.
The Irish watchdog, which is the lead regulator for Meta, had previously ordered that the company stop transferring European data to the United States by Dec. 12, the exact date that an executive order signed by President Biden would buy EU and U.S. officials critical months to finalize a new data privacy pact to replace the defunct Privacy Shield. That new framework, once approved, should allow American companies to legally transfer data between the two regions by eliminating a critical legal loophole in which people’s data can be collected without their knowledge or consent. That would give people the power to challenge how their data is collected. But that’s a separate issue from the fine the Irish regulator imposed on Meta on Monday. The fines imposed by Datatilsynet are for violations that occurred before the implementation of GDPR in May. The EDPB’s forthcoming decisions on those cases are expected in 2023. If no new agreement is reached by the end of 2023, the fines for past violations could rise dramatically to as much as 4% of Meta’s global annual revenues. The record-setting fines are a reminder of that risk.