Meta Tracking Tools Illegal – Austrian Data Protection Authority Holds That Their Use Directly Violates the GDPR and the “Schrems II” Decision
The Austrian Data Protection Authority (DPA) decided (6 March 2023, D155.028, 2022-0.726.643) that the use of the Facebook Business Tools “Facebook Login” and “Facebook Pixel” violates the GDPR. The DPA held that the findings made in the “Google Analytics decision” (22 December 2021, D155.027, 2021-0.586.2579; “GA decision”) apply to this case as well.
1. Background
The decision stems from one of the 101 complaints filed by the NGO noyb against websites that continued to use Google Analytics and Facebook’s (now “Meta”) tracking tools despite the CJEU’s ruling that the Privacy Shield is invalid.
The controller in question was a website operator using Facebook Pixel and Facebook Login. The controller’s direct contractual partner was Facebook Ireland Limited (now Meta Platforms Ireland Limited; “Meta Ireland”), which in turn engaged Meta Platforms Inc. to process the data.
The DPA found that its considerations regarding data transmitted through Google Analytics can be applied to the Facebook Business Tools and thus to the case at hand.
2. Legal Analysis
With repeated reference to the Google Analytics decision, the DPA held in the decision as follows:
2.1. Personal data:
Referring to recital 26 of the GDPR, the DPA had already considered in its GA decision that “identifiability” within the meaning of Art 4 No 1 GDPR does not require that the processed data immediately allow the data subject’s identity to be established. Referring to the EDPS decision of 5 January 2022, Ref. No. 2020-1013 (EDPS decision concerning the European Parliament), the DPA pointed out that merely singling out a terminal device by marking it already amounts to processing personal data. In that decision the EDPS dealt with tracking cookies set by Stripe and Google Analytics.
According to the DPA, these considerations apply equally to Meta’s business tools:
- The implementation results in cookies being set on the data subject’s terminal device;
- these cookies contain a unique, randomly generated value that makes it possible to single out the data subject’s terminal device and record the data subject’s browsing behaviour;
- using the data processed in this way, the data subject was shown tailored personalized advertising.
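The practical question for a website operator is whether a page embeds these tools at all, since the decision treats the browser’s request to Meta’s servers as the disclosure attributable to the operator. The following script is an added example for this article (not part of the decision and not Meta’s code): it parses a page and reports whether the Pixel or the Login SDK is embedded and which requests would leave the visitor’s browser for Meta’s domains. The hostnames and script names it matches (connect.facebook.net, fbevents.js, sdk.js, facebook.com/tr) are taken from Meta’s publicly documented Pixel and JavaScript SDK base code and are assumptions of the example; the sample page is constructed, and the pixel id in it is a placeholder.

```python
"""Static audit for Facebook Business Tools embeds (Pixel and Login SDK).

Added example accompanying this article; not part of the DPA decision and not
Meta's code. The hostnames and script names matched below are assumptions
taken from Meta's public Pixel / JavaScript SDK base code. SAMPLE_PAGE is a
constructed page, and the pixel id in it is a placeholder.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Any request to these domains is the "transfer" the decision attributes to the
# website operator, whatever the operator itself later stores.
FB_DOMAINS = ("facebook.net", "facebook.com")
PIXEL_LOADER = re.compile(r"connect\.facebook\.net/[\w-]+/fbevents\.js")
PIXEL_INIT = re.compile(r"\bfbq\s*\(\s*['\"]init['\"]")
LOGIN_LOADER = re.compile(r"connect\.facebook\.net/[\w-]+/sdk\.js")
LOGIN_INIT = re.compile(r"\bFB\.init\s*\(")

SAMPLE_PAGE = """<html><head>
<script>
  // constructed stand-in for the Pixel base code: injects the loader script
  var t = document.createElement('script'); t.async = true;
  t.src = 'https://connect.facebook.net/en_US/fbevents.js';
  document.head.appendChild(t);
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
 src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
<script async defer crossorigin="anonymous"
 src="https://connect.facebook.net/en_US/sdk.js"></script>
<script src="/static/app.js"></script>
</head><body><p>Login with Facebook</p></body></html>
"""


def _is_fb_host(url):
    """True if the URL points at a Meta-controlled domain (first or third level)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in FB_DOMAINS)


class _EmbedCollector(HTMLParser):
    """Collects external script/img/iframe sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attributes of <script>, <img>, <iframe>
        self.inline = []     # text chunks of inline <script> blocks
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag == "script":
            self._in_script = src is None   # only inline scripts carry a body
        if tag in ("script", "img", "iframe") and src:
            self.external.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def find_facebook_tools(html):
    """Report which Facebook Business Tools a page embeds and which third-party
    URLs the visitor's browser would contact as a result of that embedding."""
    c = _EmbedCollector()
    c.feed(html)
    inline = "".join(c.inline)
    report = {
        "pixel": bool(PIXEL_LOADER.search(inline) or PIXEL_INIT.search(inline)),
        "login_sdk": bool(LOGIN_LOADER.search(inline) or LOGIN_INIT.search(inline)),
        "third_party_urls": [u for u in c.external if _is_fb_host(u)],
    }
    # External references can reveal the tools even without inline code
    # (e.g. the <noscript> tracking image or a directly included SDK script).
    for u in report["third_party_urls"]:
        if u.endswith("fbevents.js") or "/tr?" in u or u.endswith("/tr"):
            report["pixel"] = True
        if u.endswith("sdk.js"):
            report["login_sdk"] = True
    report["transfers_to_meta"] = bool(
        report["pixel"] or report["login_sdk"] or report["third_party_urls"]
    )
    return report


if __name__ == "__main__":
    for key, value in find_facebook_tools(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

The check is static: it only sees what is in the served HTML. Tools injected at runtime by a tag manager or consent platform show up only in a browser’s network capture, which is the more reliable evidence of which requests actually reach Meta’s servers; in the DPA’s analysis it is that request from the visitor’s browser, not what the operator itself stores, that constitutes the disclosure.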
In line with the GA decision and referring to the CJEU judgments C-434/16 and C-582/14, the DPA found that it is not required that all information necessary for identification be held by the controller (here: the website operator).
In the case at hand the DPA stated that at least Meta Ireland was able to link the data it received through the Facebook Business Tools to the complainant’s Facebook account. As in the Fashion ID case (CJEU judgment of 29 July 2019, C-40/17), in which the court found that embedding the Facebook “Like” button results in the processing of personal data, the DPA found that the same must apply to Facebook Login and Facebook Pixel, as all of these tools are part of the “Facebook Business Tools” and the same terms of use apply to them.
2.2. Data transfer
Referring to rulings of the Austrian Federal Administrative Court (BVwG), the DPA stated that a controller may only engage processors that offer sufficient guarantees that the processing will be carried out in compliance with the GDPR. In the case at hand the controller (established within the European Union) concluded a contract with Facebook Ireland as processor, subject to the data processing terms and conditions for the Facebook Business Tools. By accepting these Ts&Cs, the controller authorized Facebook Ireland to engage Facebook Inc. (and other Facebook companies) as its sub-processor(s). With regard to this obligation of the controller, the DPA clarified that it makes no difference whether the personal data are transferred directly to the sub-processor (Facebook Inc., USA) or only after processing by Facebook Ireland. The fact that a data transfer to the USA occurred is therefore attributable to the (Austrian) controller.
2.3. (Il)Legitimacy of the Data transfer to the US
With regard to the legitimacy of the data transfer, the website operator and Facebook Ireland invoked the Privacy Shield (the data transfer occurred on 12 August 2020, at which time Facebook’s Ts&Cs still referred to the Privacy Shield; the information that Facebook no longer relied on the Privacy Shield had not been published on the website at that point).
Since the CJEU had already invalidated the Privacy Shield on 16 July 2020, no appropriate safeguards under Art 46 GDPR were in place at the time of the transfer (Facebook’s contract addendum including the conclusion of SCCs was only implemented after 12 August 2020; on whether this would have led to a different decision, see our conclusion), and neither the website operator nor Facebook relied on Art 49 GDPR at any point (whose conditions, in the DPA’s view, would not have been met anyway), the DPA concluded that the data transfer violated the GDPR.
2.4. Violation of the GDPR by Meta Platforms Inc.?
The DPA needed to assess whether Meta Platforms Inc. (as a "data importer") could also be subject to the obligations set out in Chapter V of the General Data Protection Regulation.
However, the DPA concluded that no breach was attributable to Meta Platforms Inc. It argued that a transfer to a third country within the meaning of Art 44 GDPR only occurs when a controller or processor (“exporter”) makes personal data available to another controller, joint controller or processor (“importer”) located in a third country (see EDPB Guidelines 05/2021, adopted on 14 February 2023).
The DPA did not consider these requirements to be met with respect to Meta Platforms Inc. As the DPA saw it, Meta Platforms Inc. (as data importer) did not disclose personal data but (only) received it. In the DPA’s opinion a distinction must be made here: every transfer of data necessarily involves a recipient, and Meta Platforms Inc., as (sub-)processor, is necessarily part of the transfer at hand. However, the responsibility inherent in a transfer can be divided, since there may be different degrees of responsibility depending on the stage of processing.
The DPA does not seem to regard the responsibility of a mere (sub-)processor as weighty enough to justify holding it liable for a data transfer that violates Art 44 GDPR. This view is in line with the established case law of the BVwG, which treats the (sub-)processor as the “extended arm” of the controller (the DPA also referred to EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, adopted on 7 July 2021, margin no. 63 et seqq.; however, the cited section deals with joint controllership).
3. Conclusion
Since the data processing that gave rise to this case, the Meta group has implemented an addendum for European data transfers that includes SCCs and a set of "safeguards and measures."
Would the DPA's decision be different today?
The DPA made no statement as to whether the SCCs would have led to a different decision, but it did find that Meta Inc. qualifies as an electronic communications service provider within the meaning of 50 U.S. Code § 1881(b)(4) and is thus subject to surveillance by US intelligence agencies under 50 U.S. Code § 1881a (“FISA 702”). In the GA decision the DPA clearly stated that a transfer of personal data to a recipient that qualifies as a provider of electronic communications services, and as such is subject to surveillance by US intelligence services, cannot be based on the conclusion of SCCs alone.
As for Meta’s safeguards (security program, encryption of data, policies and procedures, etc.), it is questionable whether they meet the DPA’s requirement of being “effective”. In the GA decision the DPA held that neither the technical measures nor the encryption technologies in place were adequate to prevent access and monitoring by US intelligence services: encryption in transit or at rest does not help where the importer itself holds the keys and can therefore be compelled to produce the data in clear. The same probably applies to Meta’s “safeguards and measures”.
Thus, the advice for European companies must still be to look for alternatives to US providers, at least as long as the EU-US Data Privacy Framework (DPF) is not yet in place.
A machine translation into English of the DPA’s decision can be accessed here: noyb.eu/sites/default/files/2023-03/Bescheid%20redacted-EN.pdf
Article provided by INPLP member: Stephan Winklbauer (Aringer Herbst Winklbauer Rechtsanwälte, Austria)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)