NAIH (Hungary) - NAIH-8303-2/2023: Difference between revisions
From GDPRhub
mNo edit summary |
(→Facts) |
||
| (One intermediate revision by one other user not shown) | |||
| Line 61: | Line 61: | ||
}} | }} | ||
The DPA found that personal data was transferred to the US without a legal basis | The DPA found that personal data was transferred to the US without a legal basis in 2020. However, it terminated the complaint because such data transfers to the US would now be lawful pursuant to the EU-US Data Privacy Framework. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
In August 2020, a data subject visited a news website, 24.hu, while being logged into their Facebook. The data subject observed that the controller processed her personal data (IP address and cookie settings) using a Facebook Connect cookie and transferred at least some of it to Facebook, Inc. (the processor) – i.e., to the United States (US). Represented by noyb | In August 2020, a data subject visited a news website, 24.hu (the controller), while being logged into their Facebook. The data subject observed that the controller processed her personal data (IP address and cookie settings) using a Facebook Connect cookie and transferred at least some of it to Facebook, Inc. (the processor) – i.e., to the United States (US). Represented by ''noyb'', the European Centre for Digital Rights, the data subject filed a complaint with the Hungarian DPA (NAIH) claiming that the controller unlawfully transferred her data to a third country. | ||
The data subject argued that the transfer of personal data to the US was an unlawful breach of the GDPR given Schrems II, which invalidated adequacy between the EU-U.S. Privacy Shield. In addition, the transfer could not be based on the standard data protection clauses set out in Article 46(2)(c) and (d) GDPR pursuant to Schrems I. Because the | The data subject argued that the transfer of personal data to the US was an unlawful breach of the GDPR given ''[https://curia.europa.eu/juris/liste.jsf?num=C-311/18 Schrems II]'', which invalidated the adequacy decision for data transfers between the EU-U.S. (Privacy Shield). In addition, the transfer could not be based on the standard data protection clauses set out in [[Article 46 GDPR|Article 46(2)(c) and (d) GDPR]] pursuant to ''[https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62014CJ0362 Schrems I]''. Because the controller was thus unable to adequately guarantee the protection of the personal data transferred, the data subject argued, it should be legally obliged to stop the transfer of personal data to the United States. Nonetheless, almost 1 month after the ''[https://curia.europa.eu/juris/liste.jsf?num=C-311/18 Schrems II]'' judgment, the controller had not taken any action to stop the transfer. The data subject requested a full investigation by the DPA pursuant to [[Article 58 GDPR#1|Article 58(1) GDPR]], as well as a suspension of the transfer pursuant to [[Article 58 GDPR|Article 58(2)(d), (f) and (j) GDPR]]. | ||
The NAIH launched an inquiry. | The NAIH launched an inquiry. It determined that the data subject’s IP address, unique user cookie and context of visit (URL) were processed by the processor. It also noted that the controller’s data processing terms and Privacy Shield Terms continued to refer to the EU-US Privacy Shield despite its invalidation. In addition, the privacy policy did not mention recipients of personal data processed by the controller. | ||
In a reply brief submitted on 7 January 2021, the controller stated that it was not aware of personal data processed by external organizations like Facebook. The controller acknowledged that several cookies transferred data to the US, but that the Facebook Connect cookie in particular transferred data to Ireland rather than to a third country. It claimed that consent was its legal basis for processing. | In a reply brief submitted on 7 January 2021, the controller stated that it was not aware of personal data processed by external organizations like Facebook. The controller acknowledged that several cookies transferred data to the US, but that the Facebook Connect cookie in particular transferred data to Ireland rather than to a third country. It claimed that consent was its legal basis for processing. | ||
=== Holding === | === Holding === | ||
The NAIH concluded that the transfer of personal data had no legal basis given the controller's reliance on the invalidated EU-US Privacy Shield. It also | The NAIH concluded that the transfer of personal data had no legal basis given the controller's reliance on the invalidated EU-US Privacy Shield. It also noted that the controller had violated [[Article 28 GDPR#1|Article 28(1) GDPR]] by failing to use processors providing sufficient guarantees ensuring compliance with the GDPR. | ||
However, the NAIH | However, the NAIH considered that new circumstances had arisen since the harm had taken place. In particular, the new EU-US Data Privacy Framework had entered into force during the course of the proceedings. As a result, the NAIH found that the circumstances giving rise to the inquiry no longer existed and terminated the complaint. | ||
== Comment == | == Comment == | ||
| Line 85: | Line 85: | ||
== Further Resources == | == Further Resources == | ||
'' | This complaint was filed as part of ''noyb''<nowiki/>'s [https://noyb.eu/en/project/eu-us-transfers 101 complaints project], in which ''noyb'' filed filed 101 model complaints against companies that were still transferring data to the US after invalidation of the Privacy Shield in July 2020. | ||
== English Machine Translation of the Decision == | == English Machine Translation of the Decision == | ||
Latest revision as of 13:55, 11 June 2024
| NAIH - NAIH-8303-2/2023 | |
|---|---|
 | |
| Authority: | NAIH (Hungary) |
| Jurisdiction: | Hungary |
| Relevant Law: | Article 44 GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | |
| Published: | 29.05.2024 |
| Fine: | n/a |
| Parties: | 24.hu |
| National Case Number/Name: | NAIH-8303-2/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Hungarian |
| Original Source: | NAIH (in HU) |
| Initial Contributor: | lm |
The DPA found that personal data was transferred to the US without a legal basis in 2020. However, it terminated the complaint because such data transfers to the US would now be lawful pursuant to the EU-US Data Privacy Framework.
English Summary
Facts
In August 2020, a data subject visited a news website, 24.hu (the controller), while being logged into their Facebook. The data subject observed that the controller processed her personal data (IP address and cookie settings) using a Facebook Connect cookie and transferred at least some of it to Facebook, Inc. (the processor) – i.e., to the United States (US). Represented by noyb, the European Centre for Digital Rights, the data subject filed a complaint with the Hungarian DPA (NAIH) claiming that the controller unlawfully transferred her data to a third country.
The data subject argued that the transfer of personal data to the US was an unlawful breach of the GDPR given Schrems II, which invalidated the adequacy decision for data transfers between the EU-U.S. (Privacy Shield). In addition, the transfer could not be based on the standard data protection clauses set out in Article 46(2)(c) and (d) GDPR pursuant to Schrems I. Because the controller was thus unable to adequately guarantee the protection of the personal data transferred, the data subject argued, it should be legally obliged to stop the transfer of personal data to the United States. Nonetheless, almost 1 month after the Schrems II judgment, the controller had not taken any action to stop the transfer. The data subject requested a full investigation by the DPA pursuant to Article 58(1) GDPR, as well as a suspension of the transfer pursuant to Article 58(2)(d), (f) and (j) GDPR.
The NAIH launched an inquiry. It determined that the data subject’s IP address, unique user cookie and context of visit (URL) were processed by the processor. It also noted that the controller’s data processing terms and Privacy Shield Terms continued to refer to the EU-US Privacy Shield despite its invalidation. In addition, the privacy policy did not mention recipients of personal data processed by the controller.
In a reply brief submitted on 7 January 2021, the controller stated that it was not aware of personal data processed by external organizations like Facebook. The controller acknowledged that several cookies transferred data to the US, but that the Facebook Connect cookie in particular transferred data to Ireland rather than to a third country. It claimed that consent was its legal basis for processing.
Holding
The NAIH concluded that the transfer of personal data had no legal basis given the controller's reliance on the invalidated EU-US Privacy Shield. It also noted that the controller had violated Article 28(1) GDPR by failing to use processors providing sufficient guarantees ensuring compliance with the GDPR.
However, the NAIH considered that new circumstances had arisen since the harm had taken place. In particular, the new EU-US Data Privacy Framework had entered into force during the course of the proceedings. As a result, the NAIH found that the circumstances giving rise to the inquiry no longer existed and terminated the complaint.
Comment
In this case, the NAIH acknowledged that the controller violated Articles 28 and 44 GDPR because it lacked a legal basis for the transfer of data. However, in the same breath, it terminated the complaint because the circumstances giving rise to the inquiry no longer existed.
It should be noted that, as a general matter, violations do not need to be ongoing to face repercussions under the GDPR. The correction of wrongdoing does not erase the harm.
Further Resources
This complaint was filed as part of noyb's 101 complaints project, in which noyb filed filed 101 model complaints against companies that were still transferring data to the US after invalidation of the Privacy Shield in July 2020.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Courtesy translation
Precedent:r: NAIH-NAIH/2020/7604.
Central Media Group Ltd.
Montevideo u. 9
Subject: Termination of the inquiry
Dear Central Media Group Zrt.,
The National Authority for Data Protection and Freedom of Information (hereinafter: Authority)
XXX, represented by NOYB-European Center for Digital Rights (resident:
XXX; hereinafter referred to as: Notifier) filed a
notification that 24.hu (registered office: 1037 Budapest Montevideo u. 9.; hereinafter referred
United States of America. According to the notification, the Notifier visited the websitely to the
https://24.hu/ (hereinafter: Website) at 11:33:00 on 12 August 2020, while being logged in to
the Facebook profile assigned to the Notifier’s Gmail address. According to the Notifier, the
Data Controller has used the HTML code of Facebook Services, including Facebook Connect,
Controller processed the Notifier’s personal data (at least the IP address and cookie settings).
In the Notifier’s experience, at least some of his/her personal data were transferred to
Facebook Inc., i.e., to the United States of America.
According to the Notifier, the transfer of personal data to the United States of America is
unlawful, in breach of the rules set out in Chapter V of the GDPR 1, given that the Court of
Justice of the European Union, in its judgment in Case C-311/18 (hereinafter: the Schrems-II
judgement) of 16 July 2020, had declared the Commission Implementing Decision (EU)
Shield invalid. The Notifier argued that, on the basis of the reasoning set out in paragraph 95
of the judgment of the Court of Justice of the European Union in Case C-362/14 (Schrems-I
judgement), the transfer could not legitimately be based on the standard data protection
Controller was unable to adequately guarantee the protection of the personal data transferred
to Facebook Inc, and therefore it should be legally obliged to stop the transfer of personal data
to the United States of America. Almost 1 month after the Schrems-II judgment, the Data
Controller had not taken any action to stop the data transfer according to the Notifier.
The Notifier also referred to Facebook Data Processing Terms, Privacy Shields Terms, and
New Facebook Data Processing Terms. The Notifier drew the Authority’s attention to the fact
that those documents continue to refer to the EU-US Privacy Shield, even if they had been
competent under the General Data Protection Regulation to act against both the Dataity is
1Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons
with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General
Data Protection Regulation) 2
Controller and the sub-processor Facebook Inc., and therefore requested the Authority to act
against both of them.
The Notifier requested the Authority to investigate the notification in accordance with Article
58(1) GDPR and establish
(i) which personal data were transferred to the United States, to another third country
or to an international organisation;
(ii) which transfer mechanism under Article 44 GDPR et seqq.were the data transfers
based upon;
(iii) whether the applied Facebook Business Tools Terms and the Facebook Data
Processing Terms (versions in force at the time of the request and the version in
force from 31 August 2020) comply with the requirements of Article 28 of the GDPR
with regard to the transfer of personal data to a third country.
The Notifier also requested that the Authority immediately prohibit or order the suspension of
the transfer of data from the Data Controller and/or Facebook Ireland to Facebook Inc.
pursuant to Article 58(2)(d), (f) and (j) GDPR and to order the return of suchdata to the EU/EEA
or to a country that provides an adequate level of protection.
The notification also contains a request to impose an effective, proportionate and dissuasive
fine on the Data Controller, Facebook Ireland and Facebook Inc. on the basis of Article 83(5)(c)
GDPR, taking into account the fact that the Notifier is only one of thousands of users and no
steps had been taken to bring the data processing in line with the GDPR during the more than
one month elapsed between the notification and the Schrems-II judgment.
In line with Article 77(1) of the GDPR and Section 52(1) of the Act CXII of 2011 on Informational
Self-Determination and Freedom of Information (hereinafter: Infotv.), the Authority launched
an inquiry.
1. Facts established by the Authority
1.1. The Authority concluded, on the basis of the imprint of the website https://24.hu, that the
publisher is Central Media Group Zrt. (registered office: 1037 Budapest Montevideo u. 9.;
registered No.: 01-10-048280), therefore, during the procedure, the Authority identified
this company as the Data Controller in the notification.
1.2. At the request of the Authority, by letter dated 7 January 2021, the Data Controller stated
that at the time of the initiation of the inquiry, Facebook Connect had not yet featured on
the Website. At the same time, the codes used on the Website did transfer personal data,
among others, to “Facebook” – however, the Data Controller did not indicate exactly
whether it understood the legal entity Facebook Ireland Ltd. or Facebook Inc. Based on
the Data Controller’s reply, the following personal data were processed: IP address,
unique user ID (cookie) per organisation and context of visit (URL). However, the Data
Controller was not aware of personal data processed by external organisations, such as
“Facebook”. The Data Controller declared that consent is the legal basis for their
processing of personal data.
1.3. According to the Data Controller’s statement, the relationship between external
organisations and the Data Controller is governed by the General Terms and Conditions
of the external organisations, while with “Facebook” they are not joint controllers, neither
joint processors nor do they have a controller-processor relationship. In its statement, the
Data Controller could identify where the data processing takes place only on the basis of 3
assumptions. According to that, “service providers use their regional data centres which
are geographically closest to their visitors for faster service”.
1.4. On the basis of the Specific Privacy Policy submitted by the Data Controller to the
Authority, Facebook Ireland Ltd. (registered office: Ireland, Dublin, 2, 4 Grand Canal
Square, Grand Canal Harbour) transfers personal data to the Data Controller and
“Facebook” and the Data Controller are independent controllers. The personal data
transmitted to the Data Controller from Facebook Ireland Ltd are as follows: name, e-mail
address, Facebook ID. According to the Specific Privacy Policy, the Facebook Connect
service assists with the StartLogin registration related to the Website, and if the data
subject breaks the connection after entering a password, the Data Controller deletes the
social ID (Facebook ID). However, the Notifier did not base the notification on the use of
Facebook Connect, but claimed that only because the Facebook Connect service was
embedded in the Website, certain personal data were transferred to the United States of
America as a result of prior logging into a Facebook’s profile.
1.5. Recipients of personal data processed by the Data Controller are not mentioned in the
Specific Privacy Policy. According to the General Data Processing Policy submitted by the
Data Controller, the Data Controller and the external service providers, including
“Facebook”, are independent data controllers. Section XIII of the General Data
Management Policy deals with data management related to the activities of external
service providers. This point mentions Facebook Inc., but not Facebook Ireland Ltd,
among the providers of applications facilitating registration and entry (as interpreted by
the Authority, the Facebook Connect feature included in the notification is also considered
as such). The Data Controller’s General Data Processing Policy and Specific Privacy
Policy, available on 21 September 2023, are consistent with the Policies attached to the
statement of the Data Controller to the Authority dated 7 January 2021 with regard to the
information on data processing related to Facebook Connect.
1.6. On the basis of a statement by the Data Controller, several cookies that it uses transfer
data to the United States of America. These cookies are linked to Google, AWS
CloudFront and AWS. However, according to the Data Controller’s statement, the cookie
related to the Facebook Connect service transfers data to Ireland rather than to a third
country. According to the statement, the purpose of the built-in Facebook services is to
integrate Facebook appearances (‘follow’, ‘like’).
1.7. In its notification, the Notifier objected to the data transfer related to the Facebook Connect
service and initiated the Authority’s proceedings against Facebook Inc. in addition to the
Data Controller. Based on the content of the notification, the Authority extended the inquiry
to Facebook Login, which replaced Facebook Connect 2, and Meta Platform Inc. as its
3
successor to Facebook Inc. In view of the fact that during Authority’s inquiry Facebook
Login featured on the Website, but it was not beyond reasonable doubt from which point
in time this has been the case, the Authority accepted the Notifier’s statement concerning
the transmission of data on 12 August 2023.
1.8. According to the documents submitted by the Notifier, the use of the Facebook Login
service was subject to the terms and conditions of Facebook Business Tools Terms and
Conditions, as well as the Data Processing Terms at the time of the event on which the
2https://developers.facebook.com/docs/facebook-login/overview
3https://www.nasdaq.com/market-activity/stocks/meta 4
notification was based. Based on the Authority’s inquiry, Facebook Login has been 4
subject to the terms of use of Meta Business tools since 25 April 2023.
2. Legal assessment of the data processing activity under inquiry
2.1. According to Article 4(1) GDPR, “personal data” means any information relating to an
identified or identifiable natural person (“data subject”); an identifiable natural person is
one who can be identified, directly or indirectly, in particular by reference to an identifier
such as a name, an identification number, location data, an online identifier or to one or
more factors specific to the physical, physiological, genetic, mental, economic, cultural or
social identity of that natural person. According toArticle 2(1) of theGDPR, that Regulation
applies to the processing of personal data wholly or partly by automated means and to the
processing other than by automated means of personal data which form part of a filing
system or are intended to form part of a filing system.
2.2. As indicated in the notification, the Website also managed the IP address of the Notifier.
The latter is personal data according to established European Union legal practice, as
confirmed by the case law of the Court of Justice of the European Union. In the course of
the processing under inquiry, the Data Controller itself acknowledged that it collects
personal data from users visiting the Website using cookies.
2.3. According to Article 3(1) of the GDPR, that Regulation applies to the processing of
personal data in the context of the activities of an establishment of a controller or a
processor in the Union, regardless of whether the processing takes place in the Union or
not. In accordance with Article 55(1), each supervisory authority shall be competent on
the territory of its own Member State to carry out the tasks and exercise the powers
conferred on it in accordance with the GDPR. Pursuant to Article 56(1), without prejudice
to Article 55, the supervisory authority of the main establishment or of the single
establishment of the controller or processor shall be competent to act as lead supervisory
authority for the cross-border processing carried out by that controller or processor in
accordance with the procedure provided in Article 60. In view of the fact that the Data
Controller has its registered office and its head office in Hungary, in the present inquiry,
the Authority has established its competence in relation to the Data Controller’s processing
activities concerning personal data.
2.4. The Website publishes news available in Hungarian, most of which are of interest to
Hungarian readers. The English version of the Website 5is not covered by the notification.
Therefore, it can be concluded that cross-border processing within the meaning of Article
4(23) GDPR is not carried out or only to a negligible extent, so the Authority is the only
competent supervisory authority for the processing under consideration.
2.5. In the course of its proceedings, the Authority examined the processing of data related to
the data transfer to the United States of America included in the notification. It is
undisputed that, as a result of the posting of the Facebook Login service on the Website,
certain personal data of the users of the Website were collected by the Data Controller
and shared with Facebook Ireland Ltd. According to the judgment of the Court of Justice
of the European Union in Case C-40/17 (‘Fashion ID’), a website operator who places on
the website a social module enabling the browser of a website visitor to access the content
provided by the provider of the social module and forwarding the visitor’s personal data to
4https://www.facebook.com/legal/businesstech?paipv=0&eav=AfZH5nJ8tW8SmAOvZgtsv4pnCcn6v_c-
9gDHUcgvVbiWkOv4qFTDv2iwp6MAddpjwag&_rdr
5https://24.hu/same-in-english/ 5
that service provider may be regarded as a data controller. Therefore, the Data Controller
is considered to be a data controller for the processing under inquiry.
2.6. The Data Controller claims that the General Terms and Conditions of Facebook Ireland
Ltd. apply to the processing under consideration. According to the Data Controller, the
Controller and Facebook Ireland Ltd. are independent data controllers. However,
according to point 4 of the Facebook Business Tools Terms, which also applies to the use
of Facebook Login, provided by the Notifier to the Authority and applicable at the time of
the transfer of data, the Data Controller is considered to be the data controller for the
services listed in points 2.a.i and 2.a.ii and Facebook Ireland Ltd. is a data processor.
These services include linking the data provided by website visitors to Facebook
(matching of user IDs), which, according to the Authority’s interpretation, may arise
precisely in the case of the use of the Facebook login service. The Data Processing Terms
document in force at the same time expressly provides that data controllers established in
the European Union authorise Facebook Ireland Ltd to use Facebook Inc. as a sub-
processor. The Authority therefore concluded that, at the time of the processing on which
the notification was based, Facebook Ireland Ltd. was a data processor and Facebook
Inc. was a sub-processor of the Data Controller.
2.7. Pursuant to Article 44 GDPR, any transfer of personal data which are undergoing
processing or are intended for processing after transfer to a third country or to an
international organisation, shall take place only if, subject to with the other provisions of
the GDPR, the conditions laid down in Chapter V of the GDPR are complied with by the
controller and the processor.
2.8. Given that the documents referred to in point 2.6 referred to the EU-US Privacy Shield as
the legal basis for the transfer of personal data to a third country, which, however, was
invalid at the time under consideration (12 August 2020), the Authority concluded that the
transfer of personal data to a third country had no legal basis.
2.9. Pursuant to Article 28(1) GDPR, the controller shall only use processors that provide
sufficient guarantees to implement appropriate technical and organisational measures in
such a manner that processing will meet ht requirements of the GDPR and ensure the
protection of the rights of data subjects. Therefore, the Data Controller could not lawfully
use Facebook Login, as it involved the transfer of personal data to the United States.
2.10. The activities of Facebook Inc., which is a sub-processor for the processing under
consideration, were not investigated by the Authority, given that pursuant to Article 5(2)
GDPR, the controller is responsible for compliance with the principles governing the
processing of personal data, and pursuant to Articles 28(1) and 29, (sub-)processors
exercise the processing on behalf of the controller and in accordance with the instructions
of the controller. During the proceedings, there was no indication that Article 28(10) would
have been applicable.
2.11. The Authority also examined the new circumstances that arose during the procedure,
in so far as they were applicable to the personal data processing operations related to the
posting of Facebook Login on the Website. In this context, the Authority took into account
the terms of use of Meta Business Tools Terms in force since 25 April 2023, the Meta
Data Processing Terms in force since 25 April 2023, the Meta European Data Transfer
Addendum in force since 7 September 2023, and Commission Implementing Decision
2023/1795 pursuant to regulation (EU) 2016/679 of the European Parliament and of the
Council on the adequate level of protection of personal data under the EU-US Data Privacy 6
Framework, which entered into force on 10 July 2023 (‘the EU-US Data Privacy
Framework’).
2.12. In accordance with point 5a of the Meta Business Tools Terms effective from 25 April
2023, the Data Controller shall continue to be the Data Controller and Meta Platform
Ireland Limited shall continue to be a data processor for the purposes of matching user
IDs. Pursuant to Article 10 of the Meta Data Processing Terms, effective from 25 April
2023, the processor may use sub-processors, which may also be established in the United
States. The Meta European Data Transfer Addendum, effective from 7 September 2023,
identifies this sub-processor: Meta Platforms, Inc., paragraph 2 of the same document,
states that Meta Platforms, Inc. has “certified its participation in the EU-US data protection
framework”.
2.13. Pursuant to Article 1 of the EU-US Data Privacy Framework, the United States ensures
an adequate level of protection for personal data transferred to organisations included in
the list of organisations participating in the data protection framework, which are
maintained and made publicly available by the U.S. Department of Commerce. The
Authority’s query confirmed that Meta Platforms Inc. is included in this list. Therefore, the
Authority concluded that following a visit to the Website, personal data are lawfully
transferred by the Controller and its processors to the United States of America.
2.14. The right to lodge a complaint under Article 77(1) of the GDPR does not imply the right
of the Notifier to request an administrative fine, and as a result of an inquiry pursuant to
Article 52 of the Infotv., imposing a fine is not possible.
2.15. On the basis of the facts established in the course of the inquiry, the Authority
terminated the inquiry in accordance with Section 53(5)(b) of the Infotv. as the
circumstances the circumstances giving rise to the inquiry no longer exist.
Budapest, according to electronic signature and time stamp
Dr. habil. Attila Péterfalvi
President
6OJ L 231 of 20 September 2023. P. 118.
