In light of this significant development, we have updated our coverage to reflect the latest information. To stay up-to-date on the new EU-US Data Privacy Framework agreement and its implications, we invite you to read our latest article on the topic.
🔍 Discover the latest: EU to USA Personal Data Transfers Now Approved
Thank you for your continued support and trust in our coverage of important global issues!
NOYB recently reported the outcome of one of its 101 complaints: an EU data protection authority has found Facebook’s tracking pixels and Facebook’s Login Tool to be in violation of the GDPR. You can find NOYB’s official press release here. We have also gathered feedback from the other party, Meta.
The ruling:
One of the EU’s data protection authorities, the Austrian Data Protection Authority, has ruled that Facebook’s tracking pixel violates the GDPR and the “Schrems II” decision on transatlantic data flows. The ruling came in response to one of the NOYB 101 complaints and refers to a news website’s usage of Meta’s tracking tools on August 12, 2020.
Implications:
Although the website in question stopped using Facebook’s tracking pixel and Facebook login tool soon after the complaint was filed, the violation had already occurred. This decision may have implications for dozens of other websites, and possibly for every website in Europe that uses Facebook’s tracking pixels. Due to the vast usage of Facebook’s services that process personal data (which is then transferred to the US), the decision is likely to have wider repercussions.
Fines:
Despite the Austrian DPA’s ruling that Facebook’s tracking pixel violates the GDPR, no fines have been imposed.
We had the chance to collect Facebook’s point of view on the matter. In their own words:
“Although we disagree with the conclusions reached by the Austrian DPA about the historic use of our tools, it is important to note that it relates to use by one website on one specific date (12 August 2020). There have been significant changes to US and EU law since then, and our Business Tools Terms have changed since the complaint was filed. No specific findings were made about Meta’s current practices or the current transfer mechanism employed by Meta. Advertisers are therefore free to continue to use Business Tools.”
New SCCs in place:
As part of the changes made to the Business Tools Terms, Facebook introduced new SCCs.
“We put in place new SCCs that are referred to in our European Data Transfer Addendum. For advertiser-controlled personal data that Meta Platforms Ireland Limited processes as a processor, Meta Platforms Ireland Limited uses the Processor-to-Processor SCCs, which are specifically designed for transfers by a processor to a subprocessor. SCCs are in place between Meta Platforms Ireland Limited (as exporting processor) and Meta Platforms, Inc. (as importing subprocessor) to cover the transfer of advertiser-controlled personal data. For more information about international transfers and the safeguards and measures in place to protect users’ personal information when using Meta’s advertising and measurement services, please take the time to review our “International data transfers: Safeguards for our advertising and measurement technologies” resource. Section 1.4 specifically concerns Government Requests for Data, and you can also find additional information in our Transparency Report and FAQs on this subject.”
The EU-US Data Privacy Framework (DPF):
Facebook also mentioned that this case is a result of a conflict between EU and US laws, which is currently in the process of being resolved and highlighted that the Draft Adequacy Decision published by the European Commission in December,
provides additional reassurance for the long-term stability of transatlantic trade, and is an important milestone for thousands of EU and US businesses that rely on international data transfers to keep people and communities connected. We look forward to further developments as we work towards the adoption of this adequacy decision.
Although the ruling comes from a specific European Data Protection Authority, this decision on Meta’s use of tracking technologies on Facebook is significant as it sets a precedent.
Therefore, at this time, it is up to each business to decide whether they want to continue using Facebook’s tracking pixels while we wait for the EU and the US to agree on the EU-US Data Privacy Framework.
