In late 2020, Datatilsynet received a complaint filed by complainants represented by the organization 'None of Your Business' concerning Boligportal, Denmark's largest online marketplace for rental properties. The complaint pertained to the company's handling of personal data, collected through the use of Facebook Business Tools on its website.
What are Facebook Business Tools?
Facebook Business Tools are tools offered by Meta that can be embedded on a website. When a person visits the website, these tools collect information such as the person's IP address, website visit history, visit timestamp, other details like browser and operating system information, and information about other online identifiers collected through cookies.
Injunction to Align Processing with GDPR
Datatilsynet has found grounds to issue serious criticism to Boligportal for failing to demonstrate that their processing of the complainants' personal data complied with the General Data Protection Regulation. Specifically, the authority found that Boligportal had not demonstrated that their current processing of personal information about website visitors aligns with the GDPR, as specified in GDPR's Article 26, Article 5(1)(a), Article 5(2), and Article 24(1).
Furthermore, since there was no arrangement under Article 26 of the GDPR that transparently defined the roles and responsibilities between the parties, Datatilsynet concluded that Boligportal had not demonstrated compliance with Article 26 concerning the processing of the complainants' personal data, as specified in Article 5(1)(a), Article 5(2), and Article 24(1) of the GDPR.
Datatilsynet also found that the existing arrangement between Boligportal and Meta Ireland as joint data controllers did not clarify whether personal data about website visitors was processed using tools located outside the EU/EEA, and if so, where such tools were located, including any involvement of data processors outside the EU/EEA, regarding the processing activities for which the parties were joint data controllers. Consequently, it remains unclear which party is responsible for ensuring compliance with Article 44.
Based on these findings, Datatilsynet has determined that Boligportal has not demonstrated that their current processing of personal data aligns with Article 26, Article 5(1)(a), Article 5(2), and Article 24(1) of the GDPR. Therefore, Datatilsynet has issued an injunction to Boligportal to bring their processing of personal data in line with Article 5(1)(a), Article 5(2), Article 24(1), and Article 26 of the GDPR and to be able to demonstrate compliance.
According to Makar Juhl Holst, Senior Consultant at Datatilsynet, this decision should be seen as a landmark ruling for companies using similar Facebook Business Tools under the same conditions as Boligportal.
Makar Juhl Holst states that companies should take note of Datatilsynet's decision if they solely rely on Facebook's standard terms and have not considered the division of responsibilities between them and Meta.
As is widely known, the former Privacy Shield agreement between the United States and the European Union was deemed invalid by the EU Court of Justice in the Schrems II ruling in mid-2020, and no new agreement has been established since. Without a new agreement, it is illegal to transfer personal data between the EU and the USA.
From the business community's perspective, it has been argued that it is disproportionate to hold Boligportal accountable for their use of Facebook Business Tools when the root of the problem, according to the business community, lies with the long-awaited Privacy Shield agreement between the EU and the USA.
According to Makar Juhl Holst, Datatilsynet has the authority to report violations to the police, and companies can face fines.
"But that is typically reserved for the most severe violations," he says, adding, "When assessing the severity of a violation, we primarily consider the nature of the violation and the potential consequences for citizens, employees, or customers. We also take into account the duration of the violation, whether any harm has occurred, and whether any remedial actions have been taken."
Makar Juhl Holst explains that if the supervisory authority can see that companies have made efforts to examine their use of Facebook Business Tools, it would be considered a mitigating factor. He recommends that companies start questioning Meta in this regard.
"If companies generally work with these sets of rules and consider decisions like this, we take a milder approach to violations compared to when they passively disregard the existence of rules they must comply with," he says.
Article provided by INPLP member: Claas Thöle (advores Advokater & Rechtsanwälte, Denmark)
Dr. Tobias Höllwarth (Managing Director INPLP)