In a decision of March 6, 2023, the Austrian Data Protection Authority (DSB) stated that the use of the Facebook Login and Meta Pixel tracking tools, provided by the American company Meta, involves the transfer of personal data to the USA and thus infringes the requirements that the GDPR imposes on the transfer of data outside the EU.
The case
The issue submitted to the DSB dates back to August 12, 2020, when a person visited a website of an Austrian media company and logged in with their own Facebook account.
Two tracking tools offered by Meta, Facebook Login and Meta Pixel, were implemented on the website at issue, and this, according to the applicant, implied an unlawful transfer of personal data to the US.
Meta Pixel and Facebook Login
These two technologies make it possible to track the activities of users visiting a specific website, and also to show them ads that are personalized and selected on the basis of their recorded activities.
In particular, Meta Pixel allows the owner of the website to track the actions carried out by users during their stay on the website, such as all the buttons they clicked or the pages they visited.
Facebook Login, by contrast, allows the user to access third parties’ services using their own Facebook account, without having to create a new account. This tool collects various information falling under the definition of personal data, such as the IP address, the user ID, the date and time of access to the website, the country from which the user connects, the operating system and the browser used by the device, the language of the contents or the display resolution applied on the device.
United States and GDPR
Meta is a corporate group made up of different companies controlled by the American parent company Meta Platforms Inc.
Therefore, the privacy policy, which also applied to visitors of the Austrian website, specified that Meta Platforms Ireland Limited would act as data controller, with the possibility of appointing other sub-controllers located outside the EU for the data processing, including the parent company Meta Platforms Inc. This extra-EU transfer was justified on the basis of the so-called “Privacy Shield”, the USA-EU agreement governing the transfer of data to the United States, which was invalidated by the decision of the Court of Justice of the European Union of July 16, 2020 (the so-called Schrems II).
The EU Court has since highlighted how American intelligence agencies can easily access the data of European citizens, whereas European citizens cannot appeal to any privacy protection authority to seek protection if their rights are infringed.
To this day, therefore, data transfers outside the European Union, in particular to the USA, occur without an EU adequacy decision.
The DSB decision
At the conclusion of an investigation that lasted several months, the Austrian Data Protection Authority confirmed that the use of Meta tracking tools involves the transfer of personal data to the US, carried out in the absence of suitable guarantees for the protection of the rights of European data subjects, above all because of American legislation on privacy and surveillance programs.
In the case at issue, no penalty appears to have been imposed on the website owner (who had already disabled the two tracking tools during the investigation), but it cannot be excluded that this decision could have a significant impact on European website operators.
Ilaria Feriti