Austria’s data protection authority found that Meta’s tracking technologies violated EU data protection law by transferring personal data to the US, where government surveillance was possible.
In August 2020, the European privacy rights group NOYB filed a number of complaints against websites over data exports through Google Analytics. Several EU DPAs have declared Google Analytics illegal, and some, like France’s CNIL, have advised against its use without additional safeguards. This is the first time Facebook’s tracking technology has been found to violate the EU’s GDPR.
All the decisions follow the European Union’s top court’s July 2020 ruling that struck down the high-level EU-US Privacy Shield data transfer agreement after judges again found a fatal conflict between US surveillance laws and EU privacy rights. Privacy Shield’s predecessor, Safe Harbor, was overturned in 2015.
Noyb calls the Austrian DPA’s data transfer breach finding “groundbreaking” and says it should warn other sites not to use Meta trackers (the complaint concerns Facebook Login and the Meta pixel).
A local news website (whose name is redacted from the decision) stopped using Meta’s tracking tools in August 2020, after the complaint was filed. Given how much personal data Meta processes, the decision could have far-reaching effects for its technology. Given the legal uncertainty around EU-US data transfers, the breach finding could affect scores of sites not yet targeted in this batch of strategic complaints, as well as any EU site still using Meta’s tracking tools.
Despite two EU Court of Justice rulings, Facebook has claimed its commercial customers can use its technology. “The first regulator told a customer that Facebook tracking technology is illegal,” said Max Schrems, chair of noyb.eu.
“Many websites track users and show personalized ads using Facebook tracking technology. Websites using this technology send user data to US multinationals and the NSA.” “The fact that US law still allows bulk surveillance means that this matter will not be solved any time soon,” Noyb said in a press release.
Meta downplayed the Austrian DPA’s decision. A company spokesperson said the finding is “based on historical circumstances” and “does not impact how businesses can use our products”. Full statement: