The decision of the DPA stems from one of the 101 complaints filed by the NGO noyb against websites still using Google Analytics and Facebook's (now "Meta") tracking tools despite the CJEU's ruling that the Privacy Shield is invalid.
The controller in question was a website operator using Facebook Pixel and Facebook Login. The controller's direct contractual partner was Facebook Ireland Limited (now: Meta Platforms Ireland Limited; "Meta Ireland"), which subsequently used Meta Platforms Inc. to process data.
The DPA found that the considerations made regarding data transmitted through Google Analytics can be applied to the Facebook Business Tools and to the case at hand.
2. Legal Analysis
With repeated reference to the Google Analytics decision, the DPA held in the decision as follows:
2.1. Personal data:
Referring to recital 26 of the GDPR, the DPA considered in its GA decision that, with regard to "identifiability" within the meaning of Art 4 No 1 GDPR, it is not necessary that the data processed make it possible to immediately associate such data with the identity of the data subject. Referring to the decision of 5th January 2022, Ref. No. 2020-1013 (EDPS against the European Parliament), the DPA pointed out that the mere "segregation" of a terminal device by marking it is to be considered personal data. In this decision, the EDPS referred to tracking cookies such as the Stripe and GA cookies.
According to the DPA, these considerations can also be applied to Meta's business tools:
- The implementation results in cookies being set on the end device of the data subject;
- these cookies contain a unique, randomly generated value, making it possible to individualize the data subject's terminal device and record the data subject's surfing behavior;
- using the data processed in this way, the data subject was presented with suitable personalized advertising.
In line with the GA decision and referring to ECJ judgments C-434/16 and C-582/14, the DPA found that it is not required that all information necessary for identification be held by the controller (= the website operator).
2.2. Data transfer
Referring to rulings of the Austrian Federal Administrative Court (BVwG), the DPA stated that the controller is obliged to cooperate only with processors that offer sufficient guarantees that the processing will be carried out in compliance with the provisions of the GDPR. In the case at hand, the controller (established within the European Union) concluded a contract with Facebook Ireland as processor, subject to the data processing terms and conditions for Facebook Business Tools. By accepting the Ts&Cs, the controller authorized Facebook Ireland to engage Facebook Inc. (and other Facebook companies) as its sub-processor(s). With regard to the aforementioned obligation of the controller, the DPA clarified that it makes no difference whether the personal data are transferred directly to the sub-processor (Facebook Inc., USA) or only after processing by Facebook Ireland. The fact that a data transfer to the USA has occurred is therefore attributable to the (Austrian) controller.
2.3. (Il)Legitimacy of the Data transfer to the US
With regard to the legitimacy of the data transfer, the website operator and Facebook Ireland invoked the Privacy Shield (the data transfer occurred on 12th August 2020, at which time Facebook’s Ts&Cs still referred to the Privacy Shield; information about Facebook no longer invoking the Privacy Shield was not published on the website at that time).
Since the ECJ had already invalidated the Privacy Shield on 16th July 2020, and no adequate safeguards under Art 46 GDPR were in place at the time of the data transfer (Facebook's contract addendum, including the conclusion of SCCs, was only implemented after 12th August 2020; on the question of whether this would have led to a different decision by the DPA, see our conclusion), and neither the website operator nor Facebook relied on Art 49 GDPR at any point (the requirements of which, in the opinion of the DPA, would not have been fulfilled anyway), the DPA came to the conclusion that the data transfer constituted a violation of the GDPR.
2.4. Violation of the GDPR by Meta Platforms Inc.?
The DPA needed to assess whether Meta Platforms Inc. (as a "data importer") could also be subject to the obligations set out in Chapter V of the General Data Protection Regulation.
However, the DPA concluded that there was no breach attributable to Meta Platforms Inc. In this regard, the DPA argued that a data transfer to a third country within the meaning of Art 44 GDPR only occurs when a controller or processor ("exporter") makes personal data available to another controller, joint controller or processor ("importer") located in a third country (see EDPB Guidelines 05/2021, adopted on 14 February 2023).
The DPA did not consider these requirements to be met in the present case. As the DPA saw it, Meta Platforms Inc. (as data importer) did not disclose personal data, but (only) received it. In the opinion of the DPA, a differentiation must be made here: every transfer of data necessarily involves a recipient, and Meta Platforms Inc., as a (sub)processor, is necessarily part of the transfer at hand. However, the responsibility inherent in any transfer of data can be divided, since, in the DPA's view, there may be different degrees of responsibility depending on the stage of processing.
The DPA does not seem to consider the responsibility of the mere (sub)processor severe enough to justify its liability for a data transfer that violates Article 44 GDPR. This opinion is, of course, in line with the established case law of the BVwG, which sees the (sub)processor as the "extended arm" of the controller (the DPA also referred to the EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, adopted on 07 July 2021, margin no. 63 et seqq.; however, the cited section dealt with issues related to joint controllership).
Since the data processing that gave rise to this case, the Meta group has implemented an addendum for European data transfers that includes SCCs and a set of "safeguards and measures."
Would the DPA's decision be different today?
The DPA made no statement as to whether implementing the SCCs would have resulted in a different decision, but the DPA found that Meta Inc. qualifies as an electronic communications service provider within the meaning of 50 U.S. Code § 1881(b)(4) and is thus subject to surveillance by U.S. intelligence agencies under 50 U.S. Code § 1881a ("FISA 702"). In the GA decision, the DPA clearly stated that a transfer of personal data to a recipient who is to be qualified as a provider of electronic communications services, and as such is subject to surveillance by US intelligence services, cannot be based solely on the conclusion of SCCs.
As for Meta's safeguards (security program, encryption of data, policies and procedures, etc.), it is questionable whether they meet the DPA's requirement to be "effective." In the GA decision, the DPA held that neither the technical measures nor the encryption technologies imposed were adequate means of preventing access and monitoring by US intelligence services. The same probably applies to Meta's "safeguards and measures".
Thus, the advice for European companies must still be to look for alternatives to US providers (at least as long as the EU-US DPF is not yet in place).
A machine translation into English of the DPA’s decision can be accessed here: noyb.eu/sites/default/files/2023-03/Bescheid%20redacted-EN.pdf
Article provided by INPLP member: Stephan Winklbauer (Aringer Herbst Winklbauer Rechtsanwälte, Austria)
Dr. Tobias Höllwarth (Managing Director INPLP)