Austria: DSB finds company unlawfully transferred personal data through use of Facebook's business tools
None of your business ('NOYB') announced, on 16 March 2023, that the Austrian data protection authority ('DSB') issued a decision highlighting that a company transferred personal data through use of Meta Platforms, Inc.'s (formerly Facebook Inc.) Business Tools, namely Facebook's Pixel Tracker and Login, in violation of Article 44 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
In particular, NOYB explained that the decision results from the 101 complaints it had previously filed. More specifically, the decision details that the complaint related to the transfer of the complainant's personal data to the US in relation to the company's use of Facebook's Business Tools. To this end, the decision clarifies that the DSB would decide upon the following legal violations:
- whether the respondents, due to the implementation of Facebook Business Tools on their website, at least on 12 August 2020 transferred data to the US without ensuring an adequate level of protection pursuant to Article 44 of the GDPR; and
- whether Facebook, in the course of the contested data transfers, violated Article 5 in conjunction with Article 28 and Article 29 of the GDPR.
Findings of the DSB
In relation to the Privacy Shield, the decision explains that the respondents relied on the Privacy Shield Framework as the lawful basis for the data transfer, on 12 August 2020, although the same had been invalidated by the Court of Justice of the European Union in the Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) on 16 July 2020. Further to the above, the decision highlights that Facebook has an obligation to notify US authorities under §1881 of Title 50 of the U.S. Code (i.e. §702 of the Foreign Intelligence Surveillance Act), noting that the US secret authorities regularly make such requests. In addition, the decision clarifies that the Facebook contract addendum (including the conclusion of standard data protection clauses) was only implemented after 12 August 2020.
Notably, the decision confirms that Meta was not subject to Article 44 of the GDPR as in the present case it was a data importer only receiving the complainant's personal data. On this point, the decision highlights that a transfer to a third country or an international organisation within the meaning of Article 44 of the GDPR only exists if, inter alia, the controller or processor (data exporter), by transfer or otherwise, transfers personal data to another controller, a joint controller or a processor (data importer).
In light of the above, the decision determines that the transfer was not covered by any of the instruments of Article 45 of the GDPR, and therefore violated Article 44 of the GDPR. Furthermore, the decision concludes that, since Meta was not subject to Article 44 of the GDPR, there was no violation of the same by Meta. Interestingly, the decision notes that the mere possibility that Meta may be the addressee of enquiries by the US security authorities does not automatically lead to its responsibility under Article 28 (10) of the GDPR, noting that such a broad interpretation of Article 28 (10) of the GDPR would be too expansive.
Finally, the decision clarifies that there is no need to rule on the complainant's request to impose a fine on the respondents, as this request was withdrawn in the opinion of 25 July 2022, and is now to be understood as a suggestion.