NAIH (Hungary) - NAIH-8303-2/2023
NAIH - NAIH-8303-2/2023 | |
---|---|
Authority: | NAIH (Hungary) |
Jurisdiction: | Hungary |
Relevant Law: | Article 44 GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | |
Published: | 29.05.2024 |
Fine: | n/a |
Parties: | 24.hu |
National Case Number/Name: | NAIH-8303-2/2023 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Hungarian |
Original Source: | NAIH (in HU) |
Initial Contributor: | lm |
The DPA found that personal data had been transferred to the US without a legal basis in 2020, but, since such transfers to the US would now be lawful under the EU-US Data Privacy Framework, held that the circumstances giving rise to the complaint no longer existed.
English Summary
Facts
In August 2020, a data subject visited the news website 24.hu while logged into her Facebook account. She observed that the controller processed her personal data (IP address and cookie settings) using a Facebook Connect cookie and transferred at least some of it to Facebook, Inc. (the processor), i.e., to the United States (US). Represented by noyb (the European Centre for Digital Rights), the data subject filed a complaint with the Hungarian DPA (NAIH), claiming that the controller had unlawfully transferred her data to a third country.
The data subject argued that the transfer of personal data to the US breached the GDPR in light of Schrems II, which invalidated the EU-US Privacy Shield adequacy decision. In addition, pursuant to Schrems I, the transfer could not be based on the standard data protection clauses set out in Article 46(2)(c) and (d) GDPR. Because the controller was thus unable to adequately guarantee the protection of the personal data transferred, the data subject argued, it should be legally obliged to stop the transfer of personal data to the US. Nonetheless, almost one month after the Schrems II judgment, the controller had not taken any action to stop the transfer. The data subject requested a full investigation by the DPA pursuant to Article 58(1) GDPR, as well as a suspension of the transfer pursuant to Article 58(2)(d), (f) and (j) GDPR.
The NAIH launched an inquiry. The NAIH determined that the data subject’s IP address, unique user cookie and context of visit (URL) were processed. It also noted that the controller’s data processing terms and Privacy Shield Terms continued to refer to the EU-US Privacy Shield despite its invalidation. In addition, the privacy policy did not mention recipients of personal data processed by the controller.
In a reply brief submitted on 7 January 2021, the controller stated that it was not aware of personal data processed by external organizations like Facebook. The controller acknowledged that several cookies transferred data to the US, but that the Facebook Connect cookie in particular transferred data to Ireland rather than to a third country. It claimed that consent was its legal basis for processing.
Holding
The NAIH concluded that the transfer of personal data had no legal basis given the controller's reliance on the invalidated EU-US Privacy Shield. It also considered that the controller had violated Article 28(1) GDPR by failing to use processors providing sufficient guarantees ensuring compliance with the GDPR.
However, the NAIH also considered that new circumstances had arisen since the harm had taken place. In particular, the EU-US Data Privacy Framework had entered into force during the course of the proceedings. As a result, the NAIH found that the circumstances giving rise to the inquiry no longer existed.
Comment
In this case, the NAIH acknowledged that the controller violated Articles 28 and 44 GDPR because it lacked a legal basis for the transfer of data. However, in the same breath, it terminated the complaint because the circumstances giving rise to the inquiry no longer existed.
It should be noted that, as a general matter, violations do not need to be ongoing to face repercussions under the GDPR. The correction of wrongdoing does not erase the harm.
English Machine Translation of the Decision
The decision below is a machine translation of the Hungarian original. Please refer to the Hungarian original for more details.
Courtesy translation

Precedent: NAIH-NAIH/2020/7604.

Central Media Group Ltd.
Montevideo u. 9

Subject: Termination of the inquiry

Dear Central Media Group Zrt.,

The National Authority for Data Protection and Freedom of Information (hereinafter: Authority) XXX, represented by NOYB-European Center for Digital Rights (resident: Kl-stenb-rger Straße 60/33, 1200 Vienna, Austria; hereinafter referred to as: Notifier) filed a notification that 24.hu (registered office: 1037 Budapest Montevideo u. 9.; hereinafter referred United States of America. According to the notification, the Notifier visited the websitely to the https://24.hu/ (hereinafter: Website) at 11:33:00 on 12 August 2020, while being logged in to the Facebook profile assigned to the Notifier’s Gmail address. According to the Notifier, the Data Controller has used the HTML code of Facebook Services, including Facebook Connect, Controller processed the Notifier’s personal data (at least the IP address and cookie settings). In the Notifier’s experience, at least some of his/her personal data were transferred to Facebook Inc., i.e., to the United States of America. According to the Notifier, the transfer of personal data to the United States of America is unlawful, in breach of the rules set out in Chapter V of the GDPR[1], given that the Court of Justice of the European Union, in its judgment in Case C-311/18 (hereinafter: the Schrems-II judgement) of 16 July 2020, had declared the Commission Implementing Decision (EU) Shield invalid.

The Notifier argued that, on the basis of the reasoning set out in paragraph 95 of the judgment of the Court of Justice of the European Union in Case C-362/14 (Schrems-I judgement), the transfer could not legitimately be based on the standard data protection Controller was unable to adequately guarantee the protection of the personal data transferred to Facebook Inc, and therefore it should be legally obliged to stop the transfer of personal data to the United States of America. Almost 1 month after the Schrems-II judgment, the Data Controller had not taken any action to stop the data transfer according to the Notifier. The Notifier also referred to Facebook Data Processing Terms, Privacy Shields Terms, and New Facebook Data Processing Terms. The Notifier drew the Authority’s attention to the fact that those documents continue to refer to the EU-US Privacy Shield, even if they had been competent under the General Data Protection Regulation to act against both the Data Controller and the sub-processor Facebook Inc., and therefore requested the Authority to act against both of them.

The Notifier requested the Authority to investigate the notification in accordance with Article 58(1) GDPR and establish (i) which personal data were transferred to the United States, to another third country or to an international organisation; (ii) which transfer mechanism under Article 44 GDPR et seqq. were the data transfers based upon; (iii) whether the applied Facebook Business Tools Terms and the Facebook Data Processing Terms (versions in force at the time of the request and the version in force from 31 August 2020) comply with the requirements of Article 28 of the GDPR with regard to the transfer of personal data to a third country. The Notifier also requested that the Authority immediately prohibit or order the suspension of the transfer of data from the Data Controller and/or Facebook Ireland to Facebook Inc. pursuant to Article 58(2)(d), (f) and (j) GDPR and to order the return of such data to the EU/EEA or to a country that provides an adequate level of protection. The notification also contains a request to impose an effective, proportionate and dissuasive fine on the Data Controller, Facebook Ireland and Facebook Inc. on the basis of Article 83(5)(c) GDPR, taking into account the fact that the Notifier is only one of thousands of users and no steps had been taken to bring the data processing in line with the GDPR during the more than one month elapsed between the notification and the Schrems-II judgment.

In line with Article 77(1) of the GDPR and Section 52(1) of the Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: Infotv.), the Authority launched an inquiry.

1. Facts established by the Authority

1.1. The Authority concluded, on the basis of the imprint of the website https://24.hu, that the publisher is Central Media Group Zrt. (registered office: 1037 Budapest Montevideo u. 9.; registered No.: 01-10-048280), therefore, during the procedure, the Authority identified this company as the Data Controller in the notification.

1.2. At the request of the Authority, by letter dated 7 January 2021, the Data Controller stated that at the time of the initiation of the inquiry, Facebook Connect had not yet featured on the Website. At the same time, the codes used on the Website did transfer personal data, among others, to “Facebook” – however, the Data Controller did not indicate exactly whether it understood the legal entity Facebook Ireland Ltd. or Facebook Inc. Based on the Data Controller’s reply, the following personal data were processed: IP address, unique user ID (cookie) per organisation and context of visit (URL). However, the Data Controller was not aware of personal data processed by external organisations, such as “Facebook”. The Data Controller declared that consent is the legal basis for their processing of personal data.

1.3. According to the Data Controller’s statement, the relationship between external organisations and the Data Controller is governed by the General Terms and Conditions of the external organisations, while with “Facebook” they are not joint controllers, neither joint processors nor do they have a controller-processor relationship. In its statement, the Data Controller could identify where the data processing takes place only on the basis of assumptions. According to that, “service providers use their regional data centres which are geographically closest to their visitors for faster service”.

1.4. On the basis of the Specific Privacy Policy submitted by the Data Controller to the Authority, Facebook Ireland Ltd. (registered office: Ireland, Dublin, 2, 4 Grand Canal Square, Grand Canal Harbour) transfers personal data to the Data Controller and “Facebook” and the Data Controller are independent controllers. The personal data transmitted to the Data Controller from Facebook Ireland Ltd are as follows: name, e-mail address, Facebook ID. According to the Specific Privacy Policy, the Facebook Connect service assists with the StartLogin registration related to the Website, and if the data subject breaks the connection after entering a password, the Data Controller deletes the social ID (Facebook ID). However, the Notifier did not base the notification on the use of Facebook Connect, but claimed that only because the Facebook Connect service was embedded in the Website, certain personal data were transferred to the United States of America as a result of prior logging into a Facebook’s profile.

1.5. Recipients of personal data processed by the Data Controller are not mentioned in the Specific Privacy Policy. According to the General Data Processing Policy submitted by the Data Controller, the Data Controller and the external service providers, including “Facebook”, are independent data controllers. Section XIII of the General Data Management Policy deals with data management related to the activities of external service providers. This point mentions Facebook Inc., but not Facebook Ireland Ltd, among the providers of applications facilitating registration and entry (as interpreted by the Authority, the Facebook Connect feature included in the notification is also considered as such). The Data Controller’s General Data Processing Policy and Specific Privacy Policy, available on 21 September 2023, are consistent with the Policies attached to the statement of the Data Controller to the Authority dated 7 January 2021 with regard to the information on data processing related to Facebook Connect.

1.6. On the basis of a statement by the Data Controller, several cookies that it uses transfer data to the United States of America. These cookies are linked to Google, AWS CloudFront and AWS. However, according to the Data Controller’s statement, the cookie related to the Facebook Connect service transfers data to Ireland rather than to a third country. According to the statement, the purpose of the built-in Facebook services is to integrate Facebook appearances (‘follow’, ‘like’).

1.7. In its notification, the Notifier objected to the data transfer related to the Facebook Connect service and initiated the Authority’s proceedings against Facebook Inc. in addition to the Data Controller. Based on the content of the notification, the Authority extended the inquiry to Facebook Login, which replaced Facebook Connect[2], and Meta Platform Inc.[3] as its successor to Facebook Inc. In view of the fact that during Authority’s inquiry Facebook Login featured on the Website, but it was not beyond reasonable doubt from which point in time this has been the case, the Authority accepted the Notifier’s statement concerning the transmission of data on 12 August 2023.

1.8. According to the documents submitted by the Notifier, the use of the Facebook Login service was subject to the terms and conditions of Facebook Business Tools Terms and Conditions, as well as the Data Processing Terms at the time of the event on which the notification was based. Based on the Authority’s inquiry, Facebook Login has been subject to the terms of use of Meta Business Tools[4] since 25 April 2023.

2. Legal assessment of the data processing activity under inquiry

2.1. According to Article 4(1) GDPR, “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. According to Article 2(1) of the GDPR, that Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2.2. As indicated in the notification, the Website also managed the IP address of the Notifier. The latter is personal data according to established European Union legal practice, as confirmed by the case law of the Court of Justice of the European Union. In the course of the processing under inquiry, the Data Controller itself acknowledged that it collects personal data from users visiting the Website using cookies.

2.3. According to Article 3(1) of the GDPR, that Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. In accordance with Article 55(1), each supervisory authority shall be competent on the territory of its own Member State to carry out the tasks and exercise the powers conferred on it in accordance with the GDPR. Pursuant to Article 56(1), without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60. In view of the fact that the Data Controller has its registered office and its head office in Hungary, in the present inquiry, the Authority has established its competence in relation to the Data Controller’s processing activities concerning personal data.

2.4. The Website publishes news available in Hungarian, most of which are of interest to Hungarian readers. The English version of the Website[5] is not covered by the notification. Therefore, it can be concluded that cross-border processing within the meaning of Article 4(23) GDPR is not carried out or only to a negligible extent, so the Authority is the only competent supervisory authority for the processing under consideration.

2.5. In the course of its proceedings, the Authority examined the processing of data related to the data transfer to the United States of America included in the notification. It is undisputed that, as a result of the posting of the Facebook Login service on the Website, certain personal data of the users of the Website were collected by the Data Controller and shared with Facebook Ireland Ltd. According to the judgment of the Court of Justice of the European Union in Case C-40/17 (‘Fashion ID’), a website operator who places on the website a social module enabling the browser of a website visitor to access the content provided by the provider of the social module and forwarding the visitor’s personal data to that service provider may be regarded as a data controller. Therefore, the Data Controller is considered to be a data controller for the processing under inquiry.

2.6. The Data Controller claims that the General Terms and Conditions of Facebook Ireland Ltd. apply to the processing under consideration. According to the Data Controller, the Controller and Facebook Ireland Ltd. are independent data controllers. However, according to point 4 of the Facebook Business Tools Terms, which also applies to the use of Facebook Login, provided by the Notifier to the Authority and applicable at the time of the transfer of data, the Data Controller is considered to be the data controller for the services listed in points 2.a.i and 2.a.ii and Facebook Ireland Ltd. is a data processor. These services include linking the data provided by website visitors to Facebook (matching of user IDs), which, according to the Authority’s interpretation, may arise precisely in the case of the use of the Facebook login service. The Data Processing Terms document in force at the same time expressly provides that data controllers established in the European Union authorise Facebook Ireland Ltd to use Facebook Inc. as a sub-processor. The Authority therefore concluded that, at the time of the processing on which the notification was based, Facebook Ireland Ltd. was a data processor and Facebook Inc. was a sub-processor of the Data Controller.

2.7. Pursuant to Article 44 GDPR, any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation, shall take place only if, subject to the other provisions of the GDPR, the conditions laid down in Chapter V of the GDPR are complied with by the controller and the processor.

2.8. Given that the documents referred to in point 2.6 referred to the EU-US Privacy Shield as the legal basis for the transfer of personal data to a third country, which, however, was invalid at the time under consideration (12 August 2020), the Authority concluded that the transfer of personal data to a third country had no legal basis.

2.9. Pursuant to Article 28(1) GDPR, the controller shall only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of data subjects. Therefore, the Data Controller could not lawfully use Facebook Login, as it involved the transfer of personal data to the United States.

2.10. The activities of Facebook Inc., which is a sub-processor for the processing under consideration, were not investigated by the Authority, given that pursuant to Article 5(2) GDPR, the controller is responsible for compliance with the principles governing the processing of personal data, and pursuant to Articles 28(1) and 29, (sub-)processors exercise the processing on behalf of the controller and in accordance with the instructions of the controller. During the proceedings, there was no indication that Article 28(10) would have been applicable.

2.11. The Authority also examined the new circumstances that arose during the procedure, in so far as they were applicable to the personal data processing operations related to the posting of Facebook Login on the Website. In this context, the Authority took into account the terms of use of Meta Business Tools Terms in force since 25 April 2023, the Meta Data Processing Terms in force since 25 April 2023, the Meta European Data Transfer Addendum in force since 7 September 2023, and Commission Implementing Decision 2023/1795 pursuant to regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework[6], which entered into force on 10 July 2023 (‘the EU-US Data Privacy Framework’).

2.12. In accordance with point 5a of the Meta Business Tools Terms effective from 25 April 2023, the Data Controller shall continue to be the Data Controller and Meta Platform Ireland Limited shall continue to be a data processor for the purposes of matching user IDs. Pursuant to Article 10 of the Meta Data Processing Terms, effective from 25 April 2023, the processor may use sub-processors, which may also be established in the United States. The Meta European Data Transfer Addendum, effective from 7 September 2023, identifies this sub-processor: Meta Platforms, Inc.; paragraph 2 of the same document states that Meta Platforms, Inc. has “certified its participation in the EU-US data protection framework”.

2.13. Pursuant to Article 1 of the EU-US Data Privacy Framework, the United States ensures an adequate level of protection for personal data transferred to organisations included in the list of organisations participating in the data protection framework, which are maintained and made publicly available by the U.S. Department of Commerce. The Authority’s query confirmed that Meta Platforms Inc. is included in this list. Therefore, the Authority concluded that following a visit to the Website, personal data are lawfully transferred by the Controller and its processors to the United States of America.

2.14. The right to lodge a complaint under Article 77(1) of the GDPR does not imply the right of the Notifier to request an administrative fine, and as a result of an inquiry pursuant to Article 52 of the Infotv., imposing a fine is not possible.

2.15. On the basis of the facts established in the course of the inquiry, the Authority terminated the inquiry in accordance with Section 53(5)(b) of the Infotv. as the circumstances giving rise to the inquiry no longer exist.

Budapest, according to electronic signature and time stamp

Dr. habil. Attila Péterfalvi
President

Footnotes:
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
[2] https://developers.facebook.com/docs/facebook-login/overview
[3] https://www.nasdaq.com/market-activity/stocks/meta
[4] https://www.facebook.com/legal/businesstech?paipv=0&eav=AfZH5nJ8tW8SmAOvZgtsv4pnCcn6v_c-9gDHUcgvVbiWkOv4qFTDv2iwp6MAddpjwag&_rdr
[5] https://24.hu/same-in-english/
[6] OJ L 231 of 20 September 2023, p. 118.