Austrian DSB: Meta tracking tools illegal

Austrian DSB: Meta tracking tools illegal

In a landmark decision in one of Noibs 101 complaints, the Austrian Data Protection Authority (DSB) ruled that Facebook’s use of tracking pixels directly violates the GDPR and the so-called “Screams II” ruling on transatlantic data flows. In the year In 2020, the Court of Justice (CJEU) ruled that using US service providers violates the GDPR, as US surveillance laws require US companies to hand over users’ personal data to US authorities.

The 2020 CJEU decision has reached the real world. In the year In July 2020, the CJEU ruled that a transfer to a US provider falling under FISA 702 and EO 12.333 violates the international data transfer rules contained in the GDPR. As a result, the CJEU canceled the “privacy shield” of the transfer agreement in 2015, after canceling the previous agreement “Safe Harbor”. Although this caused shock waves in the tech industry, US suppliers and EU data exporters largely ignored the issue. Like Microsoft, Google or Amazon, Facebook relies on so-called “standard contractual clauses” and “additional measures” to continue data transfers and reassure its European business partners. Therefore nob In August 2020, it filed 101 complaints against websites that still use Google Analytics and Facebook’s tracking tools, despite clear court rulings.

“Facebook has pretended that its business customers can continue to use the technology, despite two court rulings to the contrary. Now the first regulator has told a client that using Facebook’s tracking technology is illegal.He said. – Max Schrems, Chairman of noyb.eu

Illegal data transfer via Facebook Login and Meta Pixel. The DSBs decision to declare Google Analytics illegal also applies to the tools provided by Meta: “Facebook login” and “meta pixel”: if these tools are used, the data will inevitably be transferred to the USA, the data is at risk of surveillance. European website operators are therefore advised not to include any tools from Meta on their websites.

A decision that applies to all EU websites. Many websites use Facebook’s tracking technology to track users and display personalized advertising. When websites incorporate this technology, they transmit all user data to the US International and the NSA. Although the European Commission is considering publishing a third EU-US data transfer agreement, the fact that US law still allows mass surveillance means that this issue will not be resolved in the near future.

A long term solution. In the long term, there seem to be two options: Either the US adjusts its threshold protections to allow foreigners to support its technology industry, or US suppliers will have to host foreign data outside the United States. As you know, Meta is unable to prevent European citizens’ information from being intercepted by American intelligence agencies due to its US-based system.

There is no penalty. There is no information on whether a fine has been issued or if the DSB is planning to issue a fine. The GDPR foresees fines of up to 20 million euros, or 4% of global turnover, in such cases, but data protection authorities seem reluctant to issue fines despite more than two years of regulators ignoring two CJEU rulings.