Meta tracking tools found to breach EU rules on data transfers Summary Our remarks An Austrian local news website used tracking tools • When using pixels, the collection and processing made by Meta in August 2020. This included the use of of personal data occurs. Therefore, the applicable cookies (for the use of ”Facebook Login”) and pixels (for rules regarding legal basis, erasure, transfer to third ”Facebook Pixel” for tracking purposes). countries etc. should be considered. Cookies are small files stored on the users device or in • It is crucial to ensure that the marketing tools their browser, whereas pixels are pictures the size of 1x1 purchased comply with the rules regarding the pixels which are also stored in the user’s browser and transfer of personal data to third countries, as these can thereby collect a various amount of data usable for services are often supplied by American vendors. marketing purposes. • One way to solve the issue of using services that In the case it was established that the news website constitutes illegal transfers to third countries is to was data controller for the processing and the data anonymize the data before it is transferred to the processed via the pixels and cookies were personal third country. For instance, this is possible to do with data. This information included IP-addresses, User a reverse proxy server when using Google Analytics. agent, User ID, etc. The French DPA has made a guide on how to set this up. The personal data processed by the tools was then transferred to the USA. • At the time of writing, the EU and US have reached a preliminary agreement on a new transatlantic data The Austrian DPA incorporated Meta’s transparency transfer agreement named the EU-US Data Privacy report in their assessment of the case. They used Framework (DPF). However, other EU institutions it among other things to show that personal data need to review and examine the agreement regarding Austrian citizens was subject to surveillance before it can be officially adopted. Assuming by American entities. the framework is approved, the USA would be considered a safe third country, eliminating the The decision of the Austrian DPA challenges described in this case. The Austrian DPA found that the use of Facebook Tools Please note that this decision was made prior to the in the specific situation was illegal as there was no EU Commission’s adoption of the EU-U.S. Data Privacy legal basis for transferring data to the USA (GDPR, Framework. The framework solves the challenges of the Article 44). SCHREMS II case and thereby ensures that entities in the EU can transfer personal data to entities in the US that comply with the framework without conducting a TIA. However, general considerations concerning the transfer of personal data to other unsafe third countries still apply. Published: 16-03-2023, Journal number: GZ: D155.028 - 2022-0.726.643 Tags: 06 Transfers to third countries 139
Complycloud EU GDPR Report Page 138 Page 140