Use of Meta tracking tools found to breach EU rules

Austria’s data protection authority has found that use of Meta’s tracking technologies violated EU data protection law as personal data was transferred to the US where the information was at risk from government surveillance.

The finding flows from a swathe of complaints filed by European privacy rights group noyb, back in August 2020, which also targeted websites’ use of Google Analytics over the same data export issue. A number of EU DPAs have since found use of Google Analytics to be unlawful — and some (such as France’s CNIL) have issued warnings against use of the analytics tool without additional safeguards. But this is the first finding that Facebook tracking tech breached the EU’s General Data Protection Regulation (GDPR).

All the decisions follow a July 2020 ruling by the European Union’s top court that struck down the high level EU-US Privacy Shield data transfer agreement after judges once again identified a fatal clash between US surveillance laws and EU privacy rights. (A similar finding, back in 2015, invalidated Privacy Shield’s predecessor: Safe Harbor.)

noyb trumpets the latest data transfer breach finding by an EU DPA as “groundbreaking” — arguing that the Austrian authority’s decision should send a signal to other sites that it’s not advisable to use Meta trackers (the complaint concerns Facebook Login and the Meta pixel).

The decision relates to use of Meta’s tracking tools by a local news website (its name is redacted from the decision) as of August 2020 — which the site in question stopped using shortly after the complaint was filed. However the decision could have much broader implications for use of Meta’s tech, given how much personal data the adtech giant processes. So while the breach finding relates to just one of the sites noyb targeted in this batch of strategic complaints there are implications for scores more and — potentially — for any EU site that’s still using Meta’s tracking tools given the ongoing legal uncertainty around EU-US data transfers.

“Facebook has pretended that its commercial customers can continue to use its technology, despite two Court of Justice judgments saying the opposite. Now the first regulator told a customer that the use of Facebook tracking technology is illegal,” said Max Schrems, chair of noyb.eu, in a statement.

“Many websites use Facebook tracking technology to track users and show personalized advertisement. When websites include this technology they also forward all user data to the US multinational and onwards to the NSA [US National Security Agency]. While the European Commission is still aiming to publish the third EU-US data transfer deal, the fact that US law still allows bulk surveillance means that this matter will not be solved any time soon,” noyb further suggests in a press release.

For its part, Meta has responded to the news by seeking to play down the significance of the Austrian DPA’s decision. In a statement, a company spokesperson claimed the finding is “based on historical circumstances” — and suggested it “does not impact how businesses can use our products”. Here’s its statement in full:

This decision is based on historical circumstances and only relates to a single company in connection with its use of Facebook Pixel and Facebook Login on a single day in 2020. While we disagree with many aspects of the decision, it does not impact how businesses can use our products. This case stems from a conflict between EU and US law which is in the process of being resolved.

In the 46-page decision [NB: the link is to a machine translated (non-official) English version] the Austrian DPA sets out its reasoning for finding a local site’s use of Meta tracking tools breached the GDPR’s requirements on data transfers, noting that the regulation requires that data on EU users is adequately protected if it’s transferred out of the bloc, to so-called third countries (such as the US). Yet it found none of the possible protections for such data exports (such as an adequacy decision) applied in this instance — hence determining that the GDPR’s Article 44 (on data transfers) was violated.

Another key component of the decision is that data collected by Meta’s tracking technologies — which includes a large number of data-points, including IP address, user ID, mobile OS and browser data, screen resolution, Facebook cookie data and much more — constitutes personal data under EU law.

“As a result of the implementation of Facebook Business Tools, cookies were set on [the] end device of the complainant… which contain a unique, randomly generated value… This makes it possible to individualise the complainant’s terminal device and record the complainant’s surfing behaviour in order to display suitable personalised advertising,” the DPA explains. “Irrespective of this, at least Meta Ireland had the possibility to link the data it received due to the implementation of Facebook Business Tools on [the] complainant’s Facebook account. It is clear from the Facebook Business Tools Terms of Use… that Facebook Business Tools are used, inter alia, to exchange information with Facebook.”

Some changes Meta made to its data transfer T&Cs shortly after noyb’s complaints had been filed predated this action — so came too late to affect the outcome.

However noyb suggests any such terms tweaks and/or supplementary measures would be unlikely to make a difference given that personal data remains accessible to Meta (and can therefore be passed to U.S. security agencies) — so, for example, the option of implementing ‘zero knowledge’ encryption, i.e. as a supplementary measure to boost the level of protection for the data, is not available to an adtech giant whose business model hinges on tracking and profiling web users by processing their data.

“The DPA already found in the Google decision that such elements cannot overcome US law,” Schrems told TechCrunch when we asked about the changes Meta made to its data transfers terms after noyb’s complaints, adding: “I would assume this would not lead anywhere given the case law.”

The DPA’s decision makes direct reference to Meta’s own transparency reports, where it records government requests for data — that it says show “the Meta Group regularly receives data access requests from US secret authorities”, further specifying “the data access requests also concern users from Austria”. As well as basic subscriber info, it says requests can ask for records related to account activity and stored contents — such as messages, photos, videos, time line entries and location information.

Zooming out, while EU and U.S. negotiators have provisionally agreed a replacement transatlantic data transfer pact — which they’re calling the EU-US Data Privacy Framework (DPF) — this third bite at fixing the data-transfer schism is not yet up and running as it still needs to be scrutinized by other EU institutions before the Commission can formally adopt it.

That means there’s still a gaping hole in the legal regime governing EU-U.S. data transfers — one which could remain unplugged for several months yet (back in December the Commission suggested the DPF wouldn’t be in place before July).

Additionally, even if (or when) the new EU-US data transfer framework is adopted by the EU it’s highly likely to face the same core challenge that struck down its predecessors, given U.S. mass surveillance programs have not been reformed. This raises doubts about the long term survival of the planned replacement framework — so legal uncertainty in this area is pretty much a given whatever happens in the short term.

noyb argues that the only long-term fix for this issue is either reform of U.S. surveillance law to provide “baseline protections for foreigners to support their tech industry”. Or data localization — meaning U.S. providers would be forced to host foreign data outside of the country. And we are seeing some moves in that direction (such as from TikTok, which faces even greater scrutiny than Facebook over matters connected to national security).

It’s not clear if data localization is much of a fix for Meta’s (or indeed TikTok’s) problems, though — given how data-mining users is central to their ad-targeting business model. (“It is well known that due to its US–based system, Meta is categorically unable to ensure that the data of European citizens is not intercepted by US Intelligence agencies,” noyb suggests.)

In the meanwhile, a final decision on whether to suspend Meta’s EU-US data transfers remains pending from its lead EU DPA, the Irish Data Protection Commission.

So it really is down to the wire on which will come first: A new EU-US data transfers sticking plaster — which would reset the legal challenges and buy Meta a new round of operational breathing space in Europe — or a final DPA order to stop transferring EU users’ data over the pond. Although, in the latter case, Meta would certainly appeal a suspension order — so the most likely outcome is that Meta will get to kick the can down the road yet again and European privacy advocates will have to gird themselves for a fresh round of legal challenges, hoping the CJEU will be even faster on pulling the trigger this time.

EU DPAs have shown extreme reluctance to enforce the law around data transfers, dragged their feet when it came to acting on the Court of Justice’s July 2020 decision striking down Privacy Shield, for example. So the same scenario could well repeat next time around, creating a cycle of law-breaking that’s almost never enforced — and a parody where EU users’ fundamental rights should be.

noyb’s 101 complaints were filed over two and half years ago — and this is only the first decision related to Facebook tracking tools. Asked what’s happened with the rest, Schrems told us: “We are still waiting on all others. We do not know why the Google [Analytics] cases went quicker but we assume the Irish DPA took more of a role in the Facebook cases.”

Ireland’s DPA remains the target of fierce criticism over its approach to GDPR enforcement on Big Tech — with cases piling up on its desk and eventual outcomes often slammed as underwhelming.

Another problem noyb highlights relates to the lack of a penalty being issued alongside the Austrian DPA’s breach finding. So even though there is a breach finding there’s still no tangible consequence for the site that broke the law by relying on Meta’s tech. “There is no information if a penalty was issued or if the [Austrian authority] is planning to also issue a penalty. The GDPR foresees penalties of up to €20 million or 4% of the global turnover in such cases but data protection authorities seem unwilling to issue fines, despite controllers ignoring two CJEU rulings for more than two years,” it writes.

“The Austrian DPA never issues fines in complaints procedures, as there is a separate unit in charge of fines,” Schrems explains. “This is a very problematic approach, leading to ‘double procedures’ and a very low number of fines.”

All these issues will add fuel to arguments the EU’s flagship data protection framework isn’t doing what it says on the tin — which will dial up pressure on Commission lawmakers for, if not hard reform of GDPR, then at least effective oversight, through proper monitoring of how the regulation is enforced at the Member State level.

That seems necessary if the bloc’s lawmakers are going to keep being able to sell an increasingly broad and deep (interconnected) regime of digital regulation that frequently claims data protection as the foundational underpinning for greater levels of data processing and sharing. Put another way, data protection can’t only exist on paper; people need to see their information is actually protected. TechCrunch