The Austrian Data Protection authority has issued a decision stemming from a 2020 complaint.
The Austrian Data Protection Authority (DSB) has decided that the use of Facebook’s tracking pixel directly violates the EU’s GDPR privacy law and the so-called “Schrems II” decision on transatlantic data flows.
None of your business (NOYB), the Austria-based privacy rights group, announced the decision on March 16, highlighting that Meta Platforms’ tracking pixel violates the General Data Protection Regulation (GDPR) and the Court of Justice of the European Union’s (CJEU) 2020 judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems. That case, known as Schrems II, decided that the use of US providers by EU citizens violates the GDPR, as US surveillance laws require US companies, like Facebook, to provide user’s personal information to US authorities.
The CJEU consequently annulled the “Privacy Shield” deal, after annulling the previous “Safe Harbor” deal in 2015. While this sent shock waves through the tech industry, US providers and EU data exporters have largely ignored the case. Just like Microsoft, Google or Amazon, Facebook has relied on so-called “Standard Contract Clauses” and “supplementary measures” to continue data transfers and calm its European business partners. Therefore, NOYB filed 101 complaints in August 2020 against websites still using Google Analytics and Facebook Tracking tools despite clear court rulings.
Wide-ranging implications
Max Schrems, Chair of noyb.eu, hailed the Austrian decision. “Facebook has pretended that its commercial customers can continue to use its technology, despite two Court of Justice judgments saying the opposite. Now the first regulator told a customer that the use of Facebook tracking technology is illegal”.
Many websites use Facebook tracking technology to track users and show personalized advertisement. NOYB says that when websites include this technology they also forward all user data to the US multinational and then “onwards to the US National Security Agency (NSA). The European Commission is currently in the process of introducing the third EU-US data transfer deal, but the fact that US law still allows bulk surveillance means that this matter “will not be solved any time soon”, according to NOYB.