Use of Meta tracking tools found to violate EU laws on data transfers



The Austrian data protection authority has found that the use of Meta’s tracking technologies violated EU data protection law.

The finding stems from a number of complaints filed by European privacy rights group noyb in August 2020, which also targeted websites’ use of Google Analytics over the same data export issue. Several EU DPAs have found the use of Google Analytics illegal – and some (such as France’s CNIL) have warned against using the analytics tool without additional safeguards. But this is the first finding that Facebook’s tracking technology violated the EU’s General Data Protection Regulation (GDPR).

All of these decisions follow a July 2020 ruling by the EU’s top court that overturned the high-profile EU-US data transfer agreement after judges found a fatal conflict between US surveillance laws and EU privacy rights. (A similar finding, in 2015, concerned its flawed predecessor, Safe Harbor.)

noyb described the latest data transfer breach finding by an EU DPA as “Infrastructure” and argued that the Austrian authority’s decision should send a signal to other sites that the use of Meta trackers is inappropriate (the complaint concerns Facebook Login and the Meta Pixel).

The decision relates to the use of Meta tracking tools by a local news website (its name has been redacted from the decision) in August 2020 – the site in question stopped using them shortly after the complaint was filed. However, the decision may have broader implications for the use of Meta’s technology, given how much personal data the advertising giant processes. So while the infringement finding concerns only one of the sites targeted in this set of strategic complaints, it will have further consequences and, perhaps, implications for any EU site still using Meta tracking tools in the face of ongoing legal uncertainty over EU-US data transfers.

“Facebook pretended that its business customers could continue to use the technology, despite two Supreme Court rulings to the contrary. Now the first regulator has told a customer that using Facebook’s tracking technology is illegal,” chairman Max Schrems said in a statement.

“Many websites use Facebook’s tracking technology to track users and display personalized advertising. When websites include this technology, they transmit all user data to the US International and the NSA [US National Security Agency]. Although the European Commission is considering publishing a third EU-US data transfer agreement, the fact that US law still allows mass surveillance means that this issue will not be resolved in the near future,” according to the press release.

Meta, for its part, responded to the news by seeking to downplay the significance of the Austrian DPA’s decision. In a statement, a company spokesperson said the finding was “based on historical circumstances” — and “will not affect how businesses can use our products.” Here is the full statement:

This decision is based on historical circumstances and only relates to one company’s use of the Facebook Pixel and Facebook login on a single day in 2020. Our products. This case arises out of a conflict between EU and US law and is being resolved.

In the 46-page decision [NB: the link is to a machine-translated (non-official) English version], Austria’s DPA ruled that a local website’s use of Meta tracking tools violated the GDPR’s requirements for data transfers, which require that data on EU users be adequately protected if it is transferred outside the EU to third countries (such as the United States). However, none of the possible safeguards for such data exports (e.g. an adequacy decision) applied in this instance, thus establishing a breach of the GDPR’s Article 44 (on data transfers).

Another key element of the decision is that the information collected by Meta’s tracking technologies, which includes a large number of data points such as IP address, user ID, mobile operating system and browser data, screen resolution, Facebook cookie data and more, is personal data under EU law.

“Cookies are set as a result of the implementation of Facebook’s business tools [on the] complainant’s terminal device… has a unique, randomly generated value… This allows the complainant’s terminal device to be personalized and to record the complainant’s cruise to display suitable personalized advertising,” explains the DPA. “Regardless of this, at least Meta Ireland had the opportunity to link the data it received as a result of the implementation of Facebook’s business tools [to the] complainant’s Facebook account. Terms of Use from Facebook Business Tools… It is clear that Facebook Business Tools are used to exchange information with Facebook.”

Meta made some changes to its data transfer T&Cs shortly after noyb’s complaints were filed, so the move came too late to affect the outcome.

But as noyb points out, any wording adjustments and/or additional measures are unlikely to make a difference as long as the personal data is accessible to Meta (and can therefore be passed on to US security agencies). So, for example, the option of implementing zero-knowledge encryption as a complementary measure to increase the level of protection of the data is not available to an adtech giant whose business model relies on tracking and profiling web users.

“The DPA has already found in Google’s decision that such entities cannot defeat US law,” Schrems told TechCrunch when asked about Meta’s changes to its data transfer T&Cs after noyb’s complaint, adding, “I don’t think this is going anywhere. The case law.”

The DPA’s decision directly cites Meta’s own transparency reports, which record government data requests: it states that “Meta Group routinely receives data access requests from US intelligence officials,” adding that “data access requests also apply to Austrian users.” In addition to basic subscriber information, requests may seek records related to account activity and stored content, such as messages, photos, videos, timeline entries, and location information.

It is worth highlighting that, while EU and US negotiators have tentatively agreed to a replacement transatlantic data transfer agreement, which they are calling the EU-US Data Privacy Framework (DPF), this third attempt to fix the data transfer gap has not yet taken effect, as it still needs to be examined by other EU institutions before it can be formally adopted by the Commission.

This means there is still a gap in the legal system governing EU-US data transfers – which could remain unplugged for several months (in December the Commission said the DPF would not be operational before July).

Furthermore, if (or when) the new EU-US data transfer framework is adopted by the EU, it is highly likely to face the same major challenges that destroyed its predecessors unless US mass surveillance programs are reformed. This casts doubt on the long-term viability of the proposed replacement framework, so legal uncertainty in this area looks set to be anything but short-term.

noyb argues that the long-term solution to this issue is either to reform US spying laws to give “foreign nationals protection to support their technology industry”, or data localization, meaning that US providers would be forced to host foreign data outside the country. And we’re seeing some movement in that direction (for example, TikTok faces more national security scrutiny than Facebook).

It’s not clear, though, whether data localization is a solution to Meta’s (or TikTok’s) problems, given how central data-mining users is to their ad-targeting business model. (“Obviously, because of its US-based system, Meta cannot verify that European citizens’ data has been captured by US intelligence agencies,” noyb points out.)

Meanwhile, a final decision on a ban on Meta’s EU-US data transfers is pending from Ireland’s data protection commissioner, an EU DPA.

So it’s down to the wire which comes first: a new EU-US data protection patch, which would reset the legal challenges and buy Meta new operational breathing space in Europe, or a final DPA order to stop it transferring EU users’ data across the pond. Although in the latter case Meta will appeal the ban order, so the result is probably that Meta will kick the can down the road again and European privacy advocates will have to brace themselves for a new round of legal challenges, hoping the CJEU will be quicker to pull the trigger this time.

EU DPAs have shown great reluctance to enforce the law around data transfers, for example by dragging their feet in acting on the Court of Justice’s July 2020 decision to strike down the Privacy Shield. The same situation could therefore be repeated next time, creating a cycle of violations of a law that is never enforced, at the expense of what should be the fundamental rights of EU users.

noyb’s 101 complaints were filed two and a half years ago, and this is only the first decision related to Facebook’s tracking tools. Asked what happened to the others, Schrems told us: “We are still waiting for everyone else. We don’t know why Google [Analytics] matters moved quickly but we assume that the Irish DPA took a greater role in Facebook matters.”

Ireland’s DPA continues to be the target of heavy criticism for its approach to GDPR enforcement against Big Tech – cases are piled on the table and the results are often poor.

Another problem noyb highlights is the lack of any penalty accompanying the Austrian DPA’s finding of infringement. So even with a finding of infringement, there is still no real consequence for a site that violates the law by relying on Meta’s technology. “There is no information on whether a penalty has been issued or not. [Austrian authority] He also plans to give a punishment. The GDPR foresees fines of up to 20 million euros or 4% of global turnover in such cases, but data protection authorities seem reluctant to issue fines despite two CJEU rulings by regulators over two years.”

“The Austrian DPA does not issue fines in complaint procedures because there is a separate section for fines,” explains Schrems. “This is a very problematic approach, leading to ‘dual processes’ and very low fines.”

All of these issues mean that the EU’s main data protection framework is not doing what it says it should, which will add fuel to the debate and put pressure on the Commission’s legislators to deliver, if not a strong reform of the GDPR, then at least effective monitoring of how the Regulation is implemented at Member State level.

That seems necessary if EU lawmakers are to continue to be able to sell an increasingly broad and deep (connected) digital regulation regime that articulates data protection as a basis for greater data processing and sharing. In other words, data protection cannot exist only on paper; people need to see that their information is protected.
