Austrian DPA finds use of Facebook tracking technology in violation of EU data protection law
The data protection authority of Austria has determined that the utilization of tracking technologies by Meta has contravened EU data protection legislation, as the personal data of individuals was transmitted to the United States where it was susceptible to government surveillance.
This conclusion is a result of multiple complaints lodged by the European privacy rights group, noyb, in August 2020, which also targeted the usage of Google Analytics by websites regarding the same data export concern. Several EU DPAs have subsequently determined that the utilization of Google Analytics is illegal, with some, such as France's CNIL, issuing warnings against employing the analytics tool without additional safeguards. However, this is the initial determination that Facebook's tracking technology has violated the European Union's General Data Protection Regulation (GDPR).
Related: Meta says goodbye to its NFTs
This ruling follows another
The judgments made by the various EU DPAs are all in line with a ruling made in July 2020 by the highest court of the European Union, which invalidated the EU-US Privacy Shield data transfer agreement. This ruling, similar to one made in 2015 that invalidated the agreement's precursor, Safe Harbor, highlighted a fundamental conflict between US surveillance laws and the privacy rights of individuals in the EU.
In response to the latest data transfer breach discovery by an EU DPA, noyb - the European Center for Digital Rights - has enthusiastically proclaimed it as 'groundbreaking.' The group argues that the Austrian authority's decision should serve as a warning to other websites that it is not advisable to employ Meta trackers, specifically Facebook Login and the Meta pixel.
The DPA's verdict concerns the usage of Meta's tracking technologies by a local news website (the identity of which has been redacted from the decision) as of August 2020. The website in question ceased using the technology soon after the complaint was lodged. However, the decision's implications could extend far beyond the specific website as Meta processes a significant amount of personal data. While the finding of the data breach is limited to only one of the websites targeted by noyb in its strategic complaints, it may have implications for many others, and potentially for any EU website that still employs Meta's tracking technologies. This is due to the ongoing legal uncertainty surrounding data transfers between the EU and the US.
Related: Meta halts minting and selling
Noyb maintains that Meta’s tracking technologies are illegal
Max Schrems, the chair of noyb.eu, stated that 'Facebook has pretended that its commercial customers can continue to use its technology, despite two Court of Justice judgments saying the opposite. Now the first regulator told a customer that the use of Facebook tracking technology is illegal.'
noyb has also stated in a press release that numerous websites employ Facebook tracking technology to monitor users and display personalized advertisements. When websites utilize this technology, they forward all user data to the US multinational and subsequently to the US National Security Agency (NSA). While the European Commission aims to publish the third EU-US data transfer agreement, the continued allowance of bulk surveillance by US law implies that this issue will not be resolved anytime soon.
Meta, on the other hand, has reacted to the news by downplaying the significance of the Austrian DPA's decision. In a statement, a spokesperson for the company asserted that the ruling is 'based on historical circumstances' and suggested that it 'does not impact how businesses can use our products.'
Here is the company's statement in its entirety:
‘This decision is based on historical circumstances and only relates to a single company in connection with its use of Facebook Pixel and Facebook Login on a single day in 2020. While we disagree with many aspects of the decision, it does not impact how businesses can use our products. This case stems from a conflict between EU and US law which is in the process of being resolved.’
The EU must protect its users’ data
The Austrian DPA's decision, which is 46 pages long, outlines the rationale for determining that a local website's usage of Meta's tracking technologies breached the GDPR's data transfer requirements. The regulation stipulates that data on EU users must be adequately protected if it is transmitted outside of the bloc to third countries such as the US. However, the DPA discovered that none of the potential protections for such data exports, such as an adequacy decision, were applicable in this case. Therefore, it concluded that the violation of GDPR Article 44, which deals with data transfers, had occurred.
Furthermore, the decision's other significant aspect is that the data gathered by Meta's tracking technologies, which includes a large number of data points such as IP address, user ID, mobile OS and browser data, screen resolution, Facebook cookie data, and much more, constitutes personal data under EU law.
Some of the modifications that Meta made to its data transfer terms and conditions shortly after noyb lodged its complaints were made too late to impact the outcome. Nonetheless, noyb implies that any changes to the terms or additional measures taken by Meta are unlikely to have a significant impact. This is because personal data is still accessible to Meta, which means it can be shared with US security agencies. For example, implementing 'zero knowledge' encryption as a supplementary measure to enhance data protection is not an option for an adtech giant like Meta, whose business model relies on tracking and profiling internet users by processing their data.
Max Schrems, speaking to another tech news outlet, stated that the DPA had already determined in the Google decision that such adjustments to data transfer terms are insufficient to overcome US law. He added, 'I would assume this would not lead anywhere given the case law.'
The DPA's decision cites Meta's transparency reports directly, where the company documents government data access requests. The report demonstrates that 'the Meta Group regularly receives data access requests from US secret authorities,' and that 'the data access requests also concern users from Austria.’ Requests can encompass subscriber information as well as records related to account activity and stored content, such as messages, photos, videos, timeline entries, and location data.
Meta remains unscrupulous
the Austrian DPA's finding that the use of Facebook tracking technologies by a local news website violates EU data protection law has significant implications for many other websites employing such technologies. The decision is a result of multiple complaints filed by the European privacy rights group noyb, which also targeted Google Analytics over the same data export issue. The ruling's significance extends beyond this particular website, as Meta, the adtech giant that processes a significant amount of personal data, employs similar tracking technologies.
Despite the changes Meta made to its data transfer terms and conditions, the DPA's decision suggests that no such changes are likely to be effective since US law continues to permit bulk surveillance, making it impossible to ensure adequate data protection for EU users' personal data. Therefore, the ruling highlights the ongoing legal uncertainty surrounding data transfers between the EU and the US and raises questions about the future of Facebook's tracking technologies in the EU.Advertisement