Facebook Tracking declared unlawful under GDPR by the Austrian DPA

The Austrian data protection authority was the first mover to find Google Analytics in violation of the GDPR. Since then, multiple EU data protection authorities have followed suit.

Now, the Austrian DPA made a groundbreaking decision on Facebook’s tracking pixel.

Here are the main takeaways:

• Like Google Analytics, Facebook sends personal data from the EU to the US via its tracking technology that is implemented on millions of websites.
• Considering the CJEU’s Schrems II ruling on transatlantic data flows, these transfers are in violation of the GDPR, according to the DPA.
• The US protection level of personal data from the EU (EEA) is still insufficient. (The data could be the subject of surveillance by US intelligence agencies)
• The decision of the DPA follows a complaint issued by the data privacy activist NGO NOYB and Max Schrems who also published the full text.
• It is unclear as of today if the Austrian DPA plans to issue penalties based on this decision in the future.

The EU-US Data Privacy Framework is not mentioned in the decision. If implemented, it could help ease friction around transatlantic data flows. But court challenges loom large on the new framework, and legal uncertainty will likely remain high long after its implementation.

Full text of the decision by the Austrian DPA (German) | Case Summary on GDPRhub | Statement from NOYB