In the context of a complaint filed against the operator of an online news portal and the US corporation "Meta", the Austrian Data Protection Authority (DPA) recently had to assess whether the use of Facebook Login and Meta Pixel was legally compliant in August 2020 and decided that this was not the case. The operator of the website had implemented the tools on its website, and this had resulted in an unlawful third-country transfer of personal data to the USA.
The authority said that, as a consequence, the operator would be liable as a data controller within the meaning of the General Data Protection Regulation (GDPR); the decision is not yet final and unappealable.
Data transfer to the USA and tracking
In its ruling of 16 July 2020, the ECJ declared "Privacy Shield", i.e. the adequacy decision for the transfer of personal data to the USA, invalid as it does not ensure an adequate level of protection for natural persons due to relevant US legislation and the implementation of governmental surveillance programmes. The transfer of personal data to the US can thus no longer be based on Privacy Shield.
Apart from the adequacy decisions of the EU Commission, the GDPR also provides for other possibilities regarding data transfer to a third country:
Firstly, such data transfer can be based on Standard Contractual Clauses (SCC); these were newly issued by the European Commission on 07 July 2021 (EU/2021/914). According to the new SCCs, data exporters are obliged to examine the level of protection in the recipient state in a so-called Transfer Impact Assessment (TIA) before the related SCCs are concluded and data transfers are made. This case-by-case assessment should make it possible to determine and implement the required "complementary measures" for data transfers to third countries.
Secondly, Art. 49 (1) (a) of the GDPR stipulates that it is possible to base the transfer of data on the explicit consent of the data subject. However, the European Data Protection Board has so far taken the view that repeated data transfer cannot be based on this exception.
Facebook Login enables a simplified login to websites using the user's Facebook data, while Meta Pixel tracks website users and analyses their behaviour. The process is similar to Google Analytics: cookies are set on the users' end devices and personal data such as IP addresses are transmitted to Meta Ireland. Meta Ireland in turn transmits the data to Meta Platforms Inc. in the USA.
Findings of the Austrian Data Protection Authority
In the proceedings in question, the DPA now identified a breach of the general data transfer principles under Art. 44 et seq. of the GDPR: Although the ECJ had already declared "Privacy Shield", i.e. the adequacy decision for the transfer of personal data to the USA, invalid on 16 July 2020, the operator of the website and Meta continued to rely on it for third-country transfer in August 2020.
At the time in question, the new standard contractual clauses, which were not introduced until after August 2020, could not provide a legally effective basis for data transfer to the USA.
Exceptions within the meaning of Art. 49 of the GDPR did not apply, either; in particular, the website operator had not obtained explicit consent for the third-country transfer.
Website operator’s data controller responsibility
The decision also contains important findings with regard to the allocation of roles: By deciding to implement Meta Tools, the website operator took on the role of data controller and was thus liable for the selection of processors. By accepting Meta Ireland's data processing terms and conditions, the website operator consented to the transfer of the website users’ personal data to Meta Platforms Inc. According to the DPA decision, Meta Ireland is considered a data processor and Meta Platforms Inc. is a sub-processor of the website operator.
Liability of the website operator
If the decision becomes final and unappealable, the implementation of these "Meta Business Tools" by website operators must be subjected to critical scrutiny, even if the new SCCs are used. As a US provider, Meta Platforms Inc. is subject to the rights of access to personal data which the US authorities have in accordance with 50 U.S. Code (FISA 702), and it can be obliged to disclose the personal data of its users to US authorities. According to Meta's transparency report, US intelligence agencies make such requests on a regular basis. In view of this, it is questionable whether the requirements of the TIA, which is now necessary and must take these risks into account, can be met at all.
It has still not been decided whether the transfer of personal data on the basis of explicit consent is permissible under Art. 49(1)(a) of the GDPR.
If the latter approach is also found to be impermissible, the unlawful use of "Meta Business Tools" will in any case result in fines of up to EUR 20 million or 4% of the worldwide annual turnover.
Recommendation
In the event that the decision becomes final and unappealable, the abovementioned tools should therefore, to be on the safe side legally, be removed from websites quickly and replaced by data protection-compliant products. A new wave of warning letters, like those concerning Google Fonts, cannot be entirely ruled out.
If you have any questions, please contact the KWR data protection team.