About a month after the Court of Justice of the European Union (‘CJEU’) issued its ruling in the Schrems II case, noyb filed 101 complaints regarding data transfers from the European Economic Area (‘EEA’) based websites to Google LLC and Facebook Inc located in the United States (‘US’).
In order to coordinate the work of the various data protection authorities (‘DPA’), the European Data Protection Board (‘EDPB’) created a special task force. This decision by the Austrian DPA arises from one of those complaints.
Facts of the complaint:
In August 2020, the data subject visited a website that was hosted by an Austrian media company, while he was logged into his personal Facebook account. At the time, the company made use of the Facebook login tool. This tool facilitates a user’s access to services not offered by Facebook without the creation of additional accounts. The company also made use of the Facebook Pixel tool, which was able to track the visitor’s activities on its website.
The data subject argued that mere access to the website triggered an unlawful transfer of personal data to the US and that this was in contravention of the General Data Protection Regulation (‘GDPR’). Therefore, he filed a complaint against the media company for using these tracking tools and further argued that Meta infringed various provisions of the GPDR.
While the Austrian DPA was investigating the complaint, the media company deactivated these tracking tools and argued that it had concluded an agreement with Meta Platforms Ireland Limited and therefore any transfers, including transfers outside the EU, were compliant and justified in the light of media privilege.
Outcome of the complaint:
The Austria DPA held that Meta Platforms Inc, did not violate Article 44 GDPR as it was a data importer falling outside the scope of Chapter V GDPR. The Austrian DPA did not extensively elaborate on the subjective qualification of Meta under the GDPR as it did not have enough evidence to qualify it as a controller.
The Austrian DPA upheld the complaint against the Austrian media company for three reasons. Firstly, merely deactivating the tracking tools after receiving the complaint did not prevent an infringement of Article 44 GDPR as the violation had already occurred. Secondly, the media privilege claim did not fall within the scope of the journalistic exception as the tracking tools were implemented for tracking purposes and to facilitate the login procedure and for the sole purpose of disseminating information, opinions or ideas to the public. Furthermore, once the data was transferred to Meta Ireland, it could be used for further purposes. Thirdly, there was no lawful basis for the international data transfer and thus a violation of Chapter V GPDR had occurred.
Consequences of the complaint:
The decision by the Austrian DPA is a clear indication that the use of Facebook’s tracking pixel directly violates the GDPR and the decision of the CJEU in the Schrems II ruling.
In light of this decision, numerous websites that use the Facebook tracking tools to track users and display personalized advertisements may need to reconsider their approach in this regard and keep track of other DPAs following the example of the Austrian DPA.
Does your organization make use of tracking tools or do you have questions about the impacts of this decision? Contact us, the Experts in Data Privacy at email@example.com for more information.