Written by Ana Mishova

Posted on: May 23, 2023

Use of Facebook’s tracking pixels in the EU

The Austrian Data Protection Authority (DSB) has decided that using Facebook tracking pixels directly violates the GDPR, a decision that fortifies the reasoning behind the “Schrems II” decision on transatlantic data transfers. Other European data protection authorities share this view, as recently published decisions show.

Background

The “Schrems II” decision stipulated that the current level of protection given to personal data under US law cannot be considered equivalent to that provided by the GDPR, and consequently declared the EU-US Privacy Shield no longer valid. This is due to US surveillance programs (e.g. FISA 702 and EO 12.333) and the lack of an adequate legal remedy for EU data subjects. As a result of this decision, US providers turned to implementing the Standard Contractual Clauses (SCCs), but these also proved vulnerable to legal challenge. The SCCs create obligations between the contracting parties and not the US government, meaning that EU data subjects remain subject to US legislation that is incompatible with the EU legal system.

As a result of the abovementioned decision, NOYB filed 101 complaints concerning companies still using Google Analytics and Facebook tracking tools in 30 EU and EEA member states. The decision from the Austrian DSB is a result of one of those complaints.

Case details

The complaint involved a news website that had integrated Meta Pixel (then “Facebook Pixel”) and Facebook Login into its website. The operator of that website was held liable for the GDPR compliance issues associated with Meta’s tools, not Meta.

The Austrian DPA upheld the complaint against the news website operator. In the first place, the mere fact that the company deactivated the Facebook tools after the complaint was not sufficient to exclude an infringement of Articles 44 et seqq. GDPR regarding data transfers, as the violation had already occurred.

Additionally, there was no legal basis for the transfer. On the one hand, the EU Commission adequacy decision for the transfer of data from the EU to the US was invalidated by “Schrems II”. Thus, the data importer and exporter couldn’t rely on Article 45 GDPR. On the other hand, Meta implemented SCCs pursuant to Article 46 GDPR only after the time of the facts at issue. Therefore, the controller unlawfully transferred the data subject’s personal data to the US and violated Chapter V GDPR.

Implications

The question posed is whether the outcome would have been different if the complaint had been lodged later, once Meta had implemented SCCs. We doubt it: the problem would likely have remained even with the SCCs in place (as seen in the decisions on the use of Google Analytics).

A recent decision from the Irish DPA fortifies this stance when it comes to international transfers of EU/EEA data to the US. While Meta Ireland effected those transfers on the basis of the updated SCCs that were adopted by the European Commission in 2021, in conjunction with additional supplementary measures that were implemented by Meta Ireland, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.

Although the ruling comes from a specific member state authority, this decision on Meta’s use of tracking technologies on Facebook is significant, as it sets a precedent. It is relevant for almost all websites operating in the EU/EEA, since the vast majority of them use Facebook tracking technology to track users and show personalized advertising.

Conclusion

No fines were imposed with the decision from the Austrian DSB; however, the Irish DPA fined Meta $1.3 billion for violating European data privacy rules.

The opinion in the data protection community seems to be that either the US will have to adapt baseline protection for EU data subjects to support their economy, or US providers will have to host EU data outside of the United States, in countries where adequate data protection laws are implemented.

The fact remains that due to the legal system in the US, Meta and other US providers are unable to ensure that personal information of European data subjects is not intercepted by US intelligence agencies. Businesses will have to decide if they want to continue using Facebook tracking pixels and similar technologies, while the EU-US Data Privacy Framework is adopted and enforced.
