Use of Facebook’s tracking pixels in the EU

According to a decision by the Austrian Data Protection Authority (DSB), using Facebook tracking pixels directly violates the GDPR. The decision reinforces the reasoning behind the “Schrems II” decision on transatlantic data transfers. Other European data protection authorities share this view, as recently published decisions show.

Background

The “Schrems II” decision stipulated that the current level of protection given to personal data under US law cannot be considered equivalent to that provided by the GDPR, and consequently declared the EU-US Privacy Shield no longer valid. This is due to US surveillance programs (e.g. FISA 702 and EO 12.333) and the lack of an adequate legal remedy for EU data subjects. As a result of this decision, US providers turned to implementing the Standard Contractual Clauses (SCCs); however, these also proved vulnerable to legal challenge. The SCCs create obligations between the contracting parties, and not the US government, meaning that EU data subjects remain subject to US legislation that is incompatible with the EU legal system.

As a result of the abovementioned decision, NOYB filed 101 complaints concerning companies still using Google Analytics and Facebook tracking tools in 30 EU and EEA member states. The decision from the Austrian DSB is a result of one of those complaints.

Case details

The complaint involved a news website that had integrated Meta Pixel (then “Facebook Pixel”) and Facebook Login into its website. The operator of that website was held liable for the GDPR compliance issues associated with Meta’s tools, not Meta.

The Austrian DPA upheld the complaint against the news website operator. First, the mere fact that the company deactivated the Facebook tools after the complaint was not sufficient to exclude an infringement of Articles 44 et seqq. GDPR regarding data transfers, as the violation had already occurred.

Additionally, there was no legal basis for the transfer. On the one hand, the EU Commission adequacy decision for the transfer of data from the EU to the US was invalidated by “Schrems II”. Thus, the data importer and exporter couldn’t rely on Article 45 GDPR. On the other hand, Meta implemented SCCs pursuant to Article 46 GDPR only after the time of the facts at issue. Therefore, the controller unlawfully transferred the data subject’s personal data to the US and violated Chapter V GDPR.

Implications

The question is whether the outcome would have been different if the complaint had been lodged later, once Meta had implemented SCCs. We doubt it: the problem would likely have remained even with the SCCs in place (as seen in the decisions on the use of Google Analytics).

A recent decision from the Irish DPA reinforces this stance on international transfers of EU/EEA data to the US. While Meta Ireland effected those transfers on the basis of the updated SCCs that were adopted by the European Commission in 2021, in conjunction with additional supplementary measures implemented by Meta Ireland, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.

Although the ruling comes from a specific member state authority, this decision on Meta’s use of tracking technologies on Facebook is significant, as it sets a precedent. It is relevant for almost all websites operating in the EU/EEA, since the vast majority of them use Facebook tracking technology to track users and show personalized advertisements.

Conclusion

No fines were imposed with the decision from the Austrian DSB; however, the Irish DPA fined Meta $1.3 billion for violating European data privacy rules.

The opinion in the data protection community seems to be that either the US will have to adapt baseline protection for EU data subjects to support their economy, or US providers will have to host EU data outside of the United States, in countries where adequate data protection laws are implemented.

The fact remains that due to the legal system in the US, Meta and other US providers are unable to ensure that personal information of European data subjects is not intercepted by US intelligence agencies. Businesses will have to decide if they want to continue using Facebook tracking pixels and similar technologies, while the EU-US Data Privacy Framework is adopted and enforced.