DSB (Austria) - 2022-0.726.643

From GDPRhub
DSB - 2022-0.726.643
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 5(2) GDPR
Article 28 GDPR
Article 29 GDPR
Article 44 GDPR
Type: Complaint
Outcome: Upheld
Started: 18.08.2020
Decided: 06.03.2023
Published:
Fine: n/a
Parties: Meta Platforms Inc.
National Case Number/Name: 2022-0.726.643
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): German
Original Source: RIS (in DE)
Initial Contributor: mg

An Austrian website using Facebook tracking tools was found in breach of Article 44 GDPR for the transfer of data to the US without any legal basis. The fact that the tools were deactivated after the complaint was considered irrelevant.

English Summary

Facts

Background

About a month after the "Schrems II ruling" by the CJEU (CJEU - C-311/18 - Schrems II), the NGO noyb filed 101 complaints regarding data transfers from EEA-based websites to Google LLC and Facebook Inc. in the US. In order to coordinate the work of all involved DPAs, the EDPB created a special task force. This decision by the Austrian DPA stems from one of those complaints.

Website visit and transfer to Meta Platforms Inc.

On 12.08.2020, the data subject visited a website hosted by an Austrian media company while logged into his personal Facebook account. At the time, the company made use of the Facebook Login tool, which facilitates users' access to services not offered by Meta without the creation of additional accounts. The company also used the Facebook Pixel tool and was thus able to track visitors' activities on its website.

According to the data subject (represented by noyb), the mere access to this website triggered an unlawful transfer of personal data to the US. In particular, the controller allegedly transferred data in violation of Chapter V GDPR. Therefore, on 18.08.2020 the data subject filed a complaint against the media outlet for the use of such tracking tools, alleging a violation of Articles 44 et seqq. GDPR. In addition, the data subject claimed that Meta infringed Articles 5(2), 28 and 29 GDPR.

During the investigations of the Austrian DPA, which took several months, the controller claimed to have deactivated the Facebook tools after the complaint was filed. In addition, it argued that the controller's only direct contractual party was Meta Platforms Ireland Limited. Consequently, subsequent transfers, including transfers outside the EU, were outside its area of competence. Finally, the company declared that transfers were justified in light of media privilege. Meta Platforms Inc. claimed to be a mere sub-processor on behalf of Meta Platforms Ireland Limited, to whom the GDPR does not apply.

The data subject objected that the deactivation of the tools was not relevant, as the violation had already occurred. The data subject also stressed that the controller could not rely on journalistic exceptions, given the nature and the circumstances of the data transfer. Finally, the data subject argued that Chapter V GDPR applies to all data transfers, regardless of the subjective qualification of the actors involved.

Holding

On Meta Platforms Inc.

According to the Austrian DPA, Meta Platforms Inc. did not violate Articles 44 et seqq. GDPR, as it was just a data importer falling outside the scope of Chapter V GDPR. In the context of the transfer, Meta did not disclose data but only received them. Meta was also not responsible under Article 5(2) GDPR, as this is an obligation of the controller. The Austrian DPA did not extensively elaborate on the subjective qualification of Meta under the GDPR, but it considered that it did not have enough evidence in the present case to qualify it as a controller. As far as Articles 28 and 29 GDPR are concerned, they regulate only controller-processor relationships and do not provide a subjective right to data subjects.

On the Austrian company

On the other hand, the Austrian DPA upheld the complaint against the controller. In the first place, the mere fact that the company deactivated the Facebook tools after the complaint was not sufficient to exclude an infringement of Articles 44 et seqq. GDPR, as the violation had already occurred.

The Austrian DPA also clarified the scope of the journalistic exception provided by Austrian law in accordance with Article 85 GDPR. According to the CJEU judgement C-73/07, “personal data is processed for journalistic purposes if the processing has the sole purpose of disseminating information, opinions or ideas to the public”. By contrast, Facebook tools available on the controller’s website were implemented for tracking purposes and to facilitate the login procedure. Moreover, once data were transferred to Meta Ireland, they could be used for further purposes. Therefore, the media privilege clearly did not apply to the case at issue.

Then the Austrian DPA examined whether there was an international data transfer pursuant to Chapter V GDPR and whether it was lawful. In light of the “Schrems II” judgement, Article 44 GDPR grants a subjective right that can be enforced through a complaint pursuant to Article 77(1) GDPR. Data transferred to the US through the Facebook tools were personal data. Indeed, Meta Platforms Ireland Limited – the processor – could link data transferred from the website to data relating to the data subject's Facebook account. The CJEU case law shows that it was not necessary that the website had all the information required for the identification of the data subject (see C-434/16 and C-582/14). The Austrian DPA also dismissed as irrelevant the argument that after the transfer to Meta the controller would no longer have control over further processing. As a matter of fact, the controller accepted pursuant to Article 28(2) that the processor (Meta Platforms Ireland Limited) could use a sub-processor based outside the EU (Meta Platforms Inc.) to process data. Therefore, an international data transfer effectively occurred.

Concerning the lawfulness of the transfer, the Austrian DPA could not find any legal basis. On the one hand, the EU Commission adequacy decision for the transfer of data from the EU to the US was invalidated by “Schrems II”. Thus, data importer and exporter could not rely on Article 45 GDPR. On the other hand, Meta implemented standard contractual clauses pursuant to Article 46 GDPR only after the time of the facts at issue. Therefore, the controller unlawfully transferred the data subject's personal data to the US and violated Chapter V GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.