Austrian DSB: Meta Tracking Tools Illegal
In a groundbreaking decision in one of noyb's 101 complaints, the Austrian Data Protection Authority (DSB) has decided that the use of Facebook’s tracking pixel directly violates the GDPR and the so-called “Schrems II” decision on transatlantic data flows. In 2020, the Court of Justice (CJEU) decided that the use of US providers violates the GDPR, as US surveillance laws require US companies, like Facebook, to provide users' personal information to US authorities.
- Decision by Austrian DSB (in German)
- Autotranslated Decision (EN)
- Case Summary on GDPRhub (EN)
2020 CJEU ruling hits the real world. In July 2020, the CJEU ruled that a transfer to US providers that fall under FISA 702 and EO 12.333 violates the rules on international data transfers in the GDPR. The CJEU consequently annulled the transfer deal "Privacy Shield", after annulling the previous deal "Safe Harbor" in 2015. While this sent shock waves through the tech industry, US providers and EU data exporters have largely ignored the case. Just like Microsoft, Google or Amazon, Facebook has relied on so-called "Standard Contract Clauses" and “supplementary measures” to continue data transfers and calm its European business partners. Therefore, noyb filed 101 complaints in August 2020 against websites still using Google Analytics and Facebook tracking tools despite clear court rulings.
“Facebook has pretended that its commercial customers can continue to use its technology, despite two Court of Justice judgments saying the opposite. Now the first regulator told a customer that the use of Facebook tracking technology is illegal.” – Max Schrems, Chair of noyb.eu
Illegal data transfers via Facebook Login and Meta Pixel. The DSB's decision to declare Google Analytics illegal also applies to the "Facebook Login" and "Meta Pixel" tools provided by Meta: if these tools are used, data is inevitably transferred to the USA, where the data is at risk of intelligence surveillance. European website operators are therefore advised not to include any tools from Meta on their websites.
Decision relevant for almost all EU websites. Many websites use Facebook tracking technology to track users and show personalized advertising. When websites include this technology, they also forward all user data to the US multinational and onwards to the NSA. While the European Commission is still aiming to publish the third EU-US data transfer deal, the fact that US law still allows bulk surveillance means that this matter will not be solved any time soon.
Long-term solution. In the long run, there seem to be two options: either the US adapts baseline protections for foreigners to support its tech industry, or US providers will have to host foreign data outside of the United States. It is well known that due to its U.S.-based system, Meta is categorically unable to ensure that the data of European citizens is not intercepted by U.S. intelligence agencies.
No penalty. There is no information on whether a penalty was issued or whether the DSB is planning to issue one. The GDPR foresees penalties of up to € 20 million or 4% of the global turnover in such cases, but data protection authorities seem unwilling to issue fines, despite controllers ignoring two CJEU rulings for more than two years.