Social media giants Facebook and Instagram will soon be temporarily banned in Norway from tracking users online to target them with advertising.

The Norwegian Data Protection Authority ordered U.S. technology firm Meta, the parent company of Facebook and Instagram, to stop showing users in Norway personalized ads based on their online activity and estimated locations. The ban kicks in from August, according to an order obtained exclusively by POLITICO and sent to Meta on July 14.

Meta’s advertising practice on Facebook and Instagram currently involves the “processing of very private and sensitive personal data through highly opaque and intrusive monitoring and profiling operations,” wrote Norway’s Datatilsynet agency.

The ban on so-called behavioral advertising will last three months, starting from August 4. Facebook and Instagram will be able to show people customized ads but only based on information given by users in the “about” section of their profiles.

You may like

Meta will face daily fines of 1 million Norwegian Krone (€89,500) if it doesn’t comply with the order.

The temporary ban could be lifted if Meta finds a way to legally process personal data and give users the rights to opt out of targeted advertising based on tracking, the order said.  

The restriction comes after the Court of Justice of the European Union on July 4 ruled that Meta was unlawfully collecting people’s data to target them with ads without their explicit consent and based on the firm’s “legitimate interest.”

Meta is also currently under scrutiny from its lead privacy regulator, the Irish Data Protection Commission, over its advertising practices. The Dublin-based authority fined the social media company in January a total of €390 million for infringing Europeans’ privacy. It ordered Meta to find a new legal basis for its business model. The tech company has appealed the decision.

The Irish Data Protection Commission plans on making a decision on Meta’s legal basis for its targeted advertising operations “by no later than mid-August,” said the agency’s Deputy Commissioner and Spokesperson Graham Doyle. 

The Irish regulator oversees Meta under the General Data Protection Regulation (GDPR) for the whole of Europe because the tech company has its regional headquarters there. Other European countries such as Norway are able to issue national decisions for a time limit of three months in a “case of urgency” under the GDPR.

“The persistent state of non-compliance following the [Irish] decisions demand[s] immediate action to protect the rights and freedoms of European data subjects,” wrote the Norwegian data agency in its order.

The Norwegian regulator is the first European privacy authority to severely restrict Meta’s data-driven business following the EU’s top court ruling. It said it also plans to request an urgent binding decision from the European Data Protection Board (EDPB) — the region’s network of privacy regulators — to decide on final measures.

The Irish Data Protection Commission said it has consulted with other European authorities and sent them a provisional assessment of Meta’s compliance with the GDPR for targeted advertising following the new court ruling. Authorities have until July 21 to make their submissions to the Irish DPC, Doyle said. 

In a response, Matt Pollard, spokesperson for Meta, said: “The debate around legal bases has been ongoing for some time and businesses continue to face a lack of regulatory certainty in this area … We continue to constructively engage with the Irish DPC, our lead regulator in the EU, regarding our compliance with its decision. We will review the Norway DPA’s decision, and there is no immediate impact to our services.”