Austrian DPA finds use of Facebook tracking technology in violation of EU data protection law

Russell Kidson
Mar 17, 2023

The data protection authority of Austria has determined that the utilization of tracking technologies by Meta has contravened EU data protection legislation, as the personal data of individuals was transmitted to the United States where it was susceptible to government surveillance. 

This conclusion is a result of multiple complaints lodged by the European privacy rights group, noyb, in August 2020, which also targeted the usage of Google Analytics by websites regarding the same data export concern. Several EU DPAs have subsequently determined that the utilization of Google Analytics is illegal, with some, such as France's CNIL, issuing warnings against employing the analytics tool without additional safeguards. However, this is the initial determination that Facebook's tracking technology has violated the European Union's General Data Protection Regulation (GDPR).

Related: Meta says goodbye to its NFTs

Austrian DPA finds use of Facebook tracking technology in violation of EU data protection law

This ruling follows another

The judgments made by the various EU DPAs are all in line with a ruling made in July 2020 by the highest court of the European Union, which invalidated the EU-US Privacy Shield data transfer agreement. This ruling, similar to one made in 2015 that invalidated the agreement's precursor, Safe Harbor, highlighted a fundamental conflict between US surveillance laws and the privacy rights of individuals in the EU.

In response to the latest data transfer breach discovery by an EU DPA, noyb - the European Center for Digital Rights - has enthusiastically proclaimed it as 'groundbreaking.' The group argues that the Austrian authority's decision should serve as a warning to other websites that it is not advisable to employ Meta trackers, specifically Facebook Login and the Meta pixel.

The DPA's verdict concerns the usage of Meta's tracking technologies by a local news website (the identity of which has been redacted from the decision) as of August 2020. The website in question ceased using the technology soon after the complaint was lodged. However, the decision's implications could extend far beyond the specific website as Meta processes a significant amount of personal data. While the finding of the data breach is limited to only one of the websites targeted by noyb in its strategic complaints, it may have implications for many others, and potentially for any EU website that still employs Meta's tracking technologies. This is due to the ongoing legal uncertainty surrounding data transfers between the EU and the US.

Related: Meta halts minting and selling

Noyb maintains that Meta’s tracking technologies are illegal

Max Schrems, the chair of, stated that 'Facebook has pretended that its commercial customers can continue to use its technology, despite two Court of Justice judgments saying the opposite. Now the first regulator told a customer that the use of Facebook tracking technology is illegal.'

noyb has also stated in a press release that numerous websites employ Facebook tracking technology to monitor users and display personalized advertisements. When websites utilize this technology, they forward all user data to the US multinational and subsequently to the US National Security Agency (NSA). While the European Commission aims to publish the third EU-US data transfer agreement, the continued allowance of bulk surveillance by US law implies that this issue will not be resolved anytime soon.

Meta, on the other hand, has reacted to the news by downplaying the significance of the Austrian DPA's decision. In a statement, a spokesperson for the company asserted that the ruling is 'based on historical circumstances' and suggested that it 'does not impact how businesses can use our products.' 

Here is the company's statement in its entirety:

‘This decision is based on historical circumstances and only relates to a single company in connection with its use of Facebook Pixel and Facebook Login on a single day in 2020. While we disagree with many aspects of the decision, it does not impact how businesses can use our products. This case stems from a conflict between EU and US law which is in the process of being resolved.’

The EU must protect its users’ data

The Austrian DPA's decision, which is 46 pages long, outlines the rationale for determining that a local website's usage of Meta's tracking technologies breached the GDPR's data transfer requirements. The regulation stipulates that data on EU users must be adequately protected if it is transmitted outside of the bloc to third countries such as the US. However, the DPA discovered that none of the potential protections for such data exports, such as an adequacy decision, were applicable in this case. Therefore, it concluded that the violation of GDPR Article 44, which deals with data transfers, had occurred.

Furthermore, the decision's other significant aspect is that the data gathered by Meta's tracking technologies, which includes a large number of data points such as IP address, user ID, mobile OS and browser data, screen resolution, Facebook cookie data, and much more, constitutes personal data under EU law.

‘As a result of the implementation of Facebook Business Tools, cookies were set on [the] end device of the complainant… which contain a unique, randomly generated value… This makes it possible to individualise the complainant’s terminal device and record the complainant’s surfing behaviour in order to display suitable personalised advertising,' the DPA explains. 'Irrespective of this, at least Meta Ireland had the possibility to link the data it received due to the implementation of Facebook Business Tools on [the] complainant’s Facebook account. It is clear from the Facebook Business Tools Terms of Use… that Facebook Business Tools are used, inter alia, to exchange information with Facebook.’

Some of the modifications that Meta made to its data transfer terms and conditions shortly after noyb lodged its complaints were made too late to impact the outcome. Nonetheless, noyb implies that any changes to the terms or additional measures taken by Meta are unlikely to have a significant impact. This is because personal data is still accessible to Meta, which means it can be shared with US security agencies. For example, implementing 'zero knowledge' encryption as a supplementary measure to enhance data protection is not an option for an adtech giant like Meta, whose business model relies on tracking and profiling internet users by processing their data.

Max Schrems, speaking to another tech news outlet, stated that the DPA had already determined in the Google decision that such adjustments to data transfer terms are insufficient to overcome US law. He added, 'I would assume this would not lead anywhere given the case law.'

The DPA's decision cites Meta's transparency reports directly, where the company documents government data access requests. The report demonstrates that 'the Meta Group regularly receives data access requests from US secret authorities,' and that 'the data access requests also concern users from Austria.’ Requests can encompass subscriber information as well as records related to account activity and stored content, such as messages, photos, videos, timeline entries, and location data.

Related: Meta lays off another 10,000 employees

Meta remains unscrupulous

the Austrian DPA's finding that the use of Facebook tracking technologies by a local news website violates EU data protection law has significant implications for many other websites employing such technologies. The decision is a result of multiple complaints filed by the European privacy rights group noyb, which also targeted Google Analytics over the same data export issue. The ruling's significance extends beyond this particular website, as Meta, the adtech giant that processes a significant amount of personal data, employs similar tracking technologies. 

Despite the changes Meta made to its data transfer terms and conditions, the DPA's decision suggests that no such changes are likely to be effective since US law continues to permit bulk surveillance, making it impossible to ensure adequate data protection for EU users' personal data. Therefore, the ruling highlights the ongoing legal uncertainty surrounding data transfers between the EU and the US and raises questions about the future of Facebook's tracking technologies in the EU.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. Ross Goodman said on March 6, 2015 at 1:51 pm

    I must admit I don’t mind the reminder.
    I use that as a trigger for an annual review.
    The week of their birthday I scan their contact details, LinkedIn, Facebook & Twitter to make sure I have all of their public contact information up to date.

    That and also send them a quick message.

    Pro Tip – I also have a script that on a daily basis will choose a contact at random for review.


  2. Karl said on March 6, 2015 at 5:33 pm

    You da man, Martin! Do you know how many people on Reddit shot me links and it wasn’t until your article here that I ever saw a page like “Contacts only?” Google really doesn’t want you to find this info! Lol!

    1. LegoActionFigure said on March 6, 2015 at 6:55 pm

      They didn’t hide it… if you’ve only accessed the calender through Gmail from it’s tiny reminder notice interface, then you wouldn’t know how much more you can do with it. If you click the 9 boxes icon to access Google services, you can go to the full Calendar at any time and edit, add, change stuff at whim. Changes I make to the full calender get updated to my Android’s calender and vice versa with the only difference is having a full keyboard to type when I’m on my desktop/laptop is better than Swyping or poking contact and event information into the tiny calender APP.

  3. PhoneyVirus said on March 6, 2015 at 9:42 pm

    Every comment has a point and absolutely right, Google tries really hard to hide their settings, it was last year were I stopped using Google services altogether but two gmail and photos. There was one point in time were I was going to change every account that was using gmail address, results it would’ve been more than just a headache and stuck with it.

    Thanks for the Preview Martin

  4. rae pollock said on January 7, 2017 at 10:15 pm

    I turned off FB on my android phone. When I turned it back on, all of the birthdates appeared along with holidays, etc. I do not like this feature as it does not allow me to notice the appointments that I place on my calendar. please tell me how to delete. When I go onto calendar on my android, it does not have settings, so unable to delete or change calender . I don’t want notifications to appear when the birthdays are approaching, but I don’t want them to be on the calendar 24/7. HELP

  5. Daniel Demetri said on December 18, 2018 at 3:16 am

    Google’s built-in calendar lets you turn off birthdays from your circles, but it does NOT let you turn off the import of Google+ birthdays into your contacts. So if you have a contact with an email address that matches a Google+ profile then their birthday is forced onto your Birthdays calendar.

    Obviously this is annoying as heck, so I built a replacement Birthdays calendar without this problem:

  6. Tracy Fletcher said on August 17, 2023 at 4:56 pm

    Hello, I am desperate for help please.
    I often list items for sale via facebook market place. One of my items out of 80 items on sale, was getting a strange amount of view. I had listed it before for about a year and it only ever reached a few hundred fews or so. This time it had reached about 19,000 views in one week, which was fake and abnormal. i was getting horrible pm’s from people on it, really nasty mocking my costume and myself.
    I had to take the time down, reported everything to facebook they did not thing!

    I then took it down for 3 weeks and have just put it back up and same thing is happening again. if I click the 3 little dots by the message it says leave group, but what group, it doesn’t tell me nor is there a link. I am n a few local buy sell groups or community groups, but how do I know which one it is?
    any help how to stop this would be appreciated as somenoe said they think i’m being tagged in a group, but what group i don’t know, i’ts not nice.

    1. Mystique said on August 26, 2023 at 10:08 am

      It has been a long time so I can’t say for sure but I think you can prevent people from tagging you and last I knew it asks you if someone has tagged you and then you can decline it.

      If Facebook doesn’t help you then its clear that they don’t care about you and you should maybe think at the very least about moving your sales elsewhere.

  7. John G. said on August 20, 2023 at 11:30 pm

    These short articles don’t worth the spent time of reading. I am very disappointed with them.

    1. owl said on August 21, 2023 at 4:55 am

      This article is
      Martin Brinkmann
      Mar 6, 2015
      Updated • Sep 29, 2018
      Facebook, Tutorials

      In short, it was a topic of its time and may not be useful in today’s world.
      Subscribers should pay attention to the “article creation and update dates”.

      1. John G. said on August 26, 2023 at 11:07 pm

        @owl, I beg your pardon, however I didn’t comment here this comment but in one of Emre Çitak. I see posts of mine in some other articles too with some old dates. I hope someone will fix this issue soon.

  8. yanta said on August 21, 2023 at 7:18 am

    What is this? A sales pitch for Facebook?
    Facebook is an untrustworthy organization and it’s apps are junk.
    Go out and do something real. Like meet your neighbors and have a BBQ
    Why anyone would want to share details of their private life on like is bewildering.
    Must be all those endorphins one receives when someone likes a post.

    1. owl said on August 21, 2023 at 8:29 am


      I really like your comment!

  9. Russ said on August 24, 2023 at 1:30 am

    Am I the only one seeing the ghacks article’s comment section mix-ups? Recent articles with commenting dated from years ago, on subjects having nothing to do with the article. This has been occurring now for a couple of weeks as far as I can tell.

  10. Michael Kiser said on August 24, 2023 at 12:38 pm

    Well I know what the word “META” means now in Hebrew. And it sure enough looks like it’s going down! Facebook is doing all it can to take away free speech. I can’t post anything that has got to do with the bible.

  11. Anonymous said on August 26, 2023 at 11:28 am

    I can’t wait until they pull out of Android and make Messenger iOS only too while they are at it. Why do they hate poor people?

  12. D.C. said on August 30, 2023 at 10:01 pm

    It’s odd how the “largest known covert digital influence operation” may not have been seen by any actual users.

    “The campaign, which lasted over a year, garnered few, if any, eyeballs from real social media users, based on Meta’s analysis.”

  13. John G. said on August 30, 2023 at 10:21 pm

    Chinese accounts… even the reality is harder than expected. By the way, comments are still broken. Is there any intention to fix them? :S

  14. Anonymous said on September 2, 2023 at 9:16 am

    Imagine paying for Facebook. If I were forced to pay for social media at gunpoint I’d easily pick Twitter despite its flaws.
    You know even if it’s full of landmines from across the spectrum there are way more people my age. Doesn’t really matter what politics they have, they’re all my sisters and even if someone is at the complete opposite of me politically I’d still feel closer to them over the 50 and 60 somethings.

    Even if we have different opinions are are all screwed the same and have more in common than we’d like to admit.

  15. g. said on September 2, 2023 at 1:37 pm

    If they didn’t make it prohibitively expensive, then I would 100% pay for ad-free facebook. I’ve been wanting this since forever, just give us the choice to not see the frickin’ ads.

  16. Anonymous said on September 2, 2023 at 8:08 pm

    Glad I never got into social media.

  17. John G. said on September 5, 2023 at 10:06 pm

    Interesting article, however the unresolved issues here with the comments is very discouraging for us the readers. I haven’t found any explanation for this kind of problems by any responsible of this site, so I think this problem will last for some undefined time. Anyway, I will start soon my first job as forestal engineer so it’s probably that I will have not too much time to comment as before. Please keep on the good job with some interesting articles and fix the comments as soon as possible! :]

  18. ECJ said on September 6, 2023 at 3:09 am

    It would be more helpful if Facebook could just remove their entire website.

  19. Anonymous said on September 17, 2023 at 4:50 pm

    “Considering that only a minority of users is willing to pay for an ad-free experience, Meta would have to keep the regular versions for the rest of users.”

    Just like the Be-spied-on “business model”, Pay-or-be-spied-on is still illegal under GDPR (*), even if it’s something that is encountered more and more often those times from many companies on the internet that do not respect the privacy laws and think they can comply instead with an unofficial version of those that they have written themselves. Which in practice is true because those laws are hardly applied, every judge and regulatory agency in Europe that has something to do with privacy laws crumbling under the bribes of Facebook and the like, and not even trying to do that quietly (see noyb dot eu). But there has to be a limit on how long they can delay justice against them.

    “it is likely reduced, but it is unclear, if it is disabled entirely for paying users.”

    What would be funny is if users end paying *and* being spied on, which would not be surprising from Facebook. After all how would one know what Facebook does ? They are already spying while it is illegal to do so, how would paying them deter them more from breaching our rights ? And it’s not like they are not known for being pathological liars as a company, too.

    ” (42) […] Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”

  20. Anonymous said on September 18, 2023 at 9:12 pm

    @Martin. In your first paragraph, ‘edge’, not ‘Edge’.

  21. plusminus_ said on September 18, 2023 at 11:58 pm

    lmao, half of the captcha that shows up after submitting is hidden, so… I can’t submit. Classic.

  22. Steve S. said on September 19, 2023 at 3:23 am

    Re: Sept 18, 2023 article, Ask Meta to delete or block your personal data from third-party sources for AI training

    I tried the page a few days ago. I’m in the US and selected the option two. I input my personal info – the same used for my FB account – which I haven’t signed into for a year or more. I got the following response from Facebook, basically brushing me off:

    Thank you for contacting us.
    Based on the information provided, we were unable to process your request. To help us process your request, please provide examples or screenshots that show evidence of your personal information (for example, your name, address or phone number) in responses from Meta’s generative AI models. Once you provide this evidence, we would be happy to investigate further.
    If you have any questions about how Meta uses information from our products and services, please see our Privacy Policy:
    To learn more about generative AI, and our privacy work in this new space, you can review the information we have in Privacy Center:
    Privacy Operations”

    The page didn’t ask for any “information”. Maybe because I’m in the US, Facebook won’t do anything? Maybe the page coding is messed up? Maybe this only works if you provide proof of AI use of your PII? Maybe it’s all just sound and fury signifying nothing?

    Today I tried again, but the captcha challenge is formatted so you can’t see all the photos and can’t scroll or enlarge the pop-up.

    Not even half-baked, I’d say..

  23. Story Snooper said on September 19, 2023 at 10:25 pm

    I must say, this development from Meta is intriguing! The idea of ad-free versions of Facebook and Instagram is a breath of fresh air, especially for users like me who have been increasingly bothered by the overwhelming ads on these platforms.

    Living in the EU, I appreciate the GDPR regulations and the push for more privacy-focused options. However, I’ll be curious to see how Meta plans to monetize these ad-free versions. Will they be subscription-based? If so, what will the pricing model look like? Will there be additional features or benefits for subscribers?

    While the prospect of a less cluttered and more private social media experience is enticing, it’s important that Meta maintains a balance between user privacy and revenue generation. Striking that balance will be key to the success of these ad-free versions.

    I hope Meta also considers extending this option to users outside the EU in the future. It would be great to see such privacy-centric alternatives available globally.

    Additionally, I recently came across an interesting tool called “Instagram Story Anonymous” at, which allows users to view Instagram Stories anonymously. It’s another example of how privacy-conscious individuals are seeking alternatives to maintain their online privacy. It will be interesting to see if Meta’s ad-free versions address similar concerns.

    Overall, I’m cautiously optimistic about this development and will be keeping a close eye on how it unfolds. What are your thoughts on this, fellow readers?

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.