{"id":618475,"date":"2023-03-16T09:49:27","date_gmt":"2023-03-16T14:49:27","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/03\/16\/use-of-meta-tracking-tools-found-to-breach-eu-rules-on-data-transfers\/"},"modified":"2023-03-16T09:49:27","modified_gmt":"2023-03-16T14:49:27","slug":"use-of-meta-tracking-tools-found-to-breach-eu-rules-on-data-transfers","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/03\/16\/use-of-meta-tracking-tools-found-to-breach-eu-rules-on-data-transfers\/","title":{"rendered":"Use of Meta tracking tools found to breach EU rules on data transfers"},"content":{"rendered":"<div>\n<p id=\"speakable-summary\">Austria\u2019s data protection authority has found that use of Meta\u2019s tracking technologies violated EU data protection law as personal data was transferred to the US where the information was at risk from government surveillance.<\/p>\n<p>The finding flows from a swathe of complaints filed by European privacy rights group noyb, back in <a href=\"https:\/\/techcrunch.com\/2022\/06\/08\/google-analytics-gdpr-breach-cnil\/\">August 2020<\/a>, which also targeted websites\u2019 use of Google Analytics over the same data export issue. A number of EU DPAs have since found use of Google Analytics to be unlawful \u2014 and some (such as France\u2019s CNIL) have issued warnings against use of the analytics tool without additional safeguards. But this is the first finding that Facebook tracking tech breached the EU\u2019s General Data Protection Regulation (GDPR).<\/p>\n<p>All the decisions follow a <a href=\"https:\/\/techcrunch.com\/2020\/07\/16\/europes-top-court-strikes-down-flagship-eu-us-data-transfer-mechanism\/\">July 2020<\/a> ruling by the European Union\u2019s top court that struck down the high level EU-US Privacy Shield data transfer agreement after judges once again identified a fatal clash between US surveillance laws and EU privacy rights. 
(A similar finding, back <a href=\"https:\/\/techcrunch.com\/2015\/10\/06\/europes-top-court-strikes-down-safe-harbor-data-transfer-agreement-with-u-s\/\">in 2015<\/a>, invalidated Privacy Shield\u2019s predecessor: Safe Harbor.)<\/p>\n<p>noyb trumpets the latest data transfer breach finding by an EU DPA as \u201c<a href=\"https:\/\/noyb.eu\/en\/austrian-dsb-meta-tracking-tools-illegal?mtc=tw\" target=\"_blank\" rel=\"noopener\">groundbreaking<\/a>\u201d \u2014 arguing that the Austrian authority\u2019s decision should send a signal to other sites that it\u2019s not advisable to use Meta trackers (the complaint concerns Facebook Login and the Meta pixel).<\/p>\n<p>The decision relates to use of Meta\u2019s tracking tools by a local news website (its name is redacted from the decision) as of August 2020 \u2014 which the site in question stopped using shortly after the complaint was filed. However the decision could have much broader implications for use of Meta\u2019s tech, given how much personal data the adtech giant processes. So while the breach finding relates to just one of the sites noyb targeted in this batch of strategic complaints there are implications for scores more and \u2014 potentially \u2014 for any EU site that\u2019s still using Meta\u2019s tracking tools given the ongoing legal uncertainty around EU-US data transfers.<\/p>\n<p>\u201cFacebook has pretended that its commercial customers can continue to use its technology, despite two Court of Justice judgments saying the opposite. Now the first regulator told a customer that the use of Facebook tracking technology is illegal,\u201d said Max Schrems, chair of noyb.eu, in a statement.<\/p>\n<p>\u201cMany websites use Facebook tracking technology to track users and show personalized advertisement. When websites include this technology they also forward all user data to the US multinational and onwards to the NSA [US National Security Agency]. 
While the European Commission is still aiming to publish the third EU-US data transfer deal, the fact that US law still allows bulk surveillance means that this matter will not be solved any time soon,\u201d noyb further suggests in a <a href=\"https:\/\/noyb.eu\/en\/austrian-dsb-meta-tracking-tools-illegal?mtc=tw\" target=\"_blank\" rel=\"noopener\">press release<\/a>.<\/p>\n<p>For its part, Meta has responded to the news by seeking to play down the significance of the Austrian DPA\u2019s decision. In a statement, a company spokesperson claimed the finding is \u201cbased on historical circumstances\u201d \u2014 and suggested it \u201cdoes not impact how businesses can use our products\u201d. Here\u2019s its statement in full:<\/p>\n<blockquote>\n<p>This decision is based on historical circumstances and only relates to a single company in connection with its use of Facebook Pixel and Facebook Login on a single day in 2020. While we disagree with many aspects of the decision, it does not impact how businesses can use our products. This case stems from a conflict between EU and US law which is in the process of being resolved.<\/p>\n<\/blockquote>\n<p>In the <a href=\"https:\/\/noyb.eu\/sites\/default\/files\/2023-03\/Bescheid%20redacted-EN.pdf\" target=\"_blank\" rel=\"noopener\">46-page decision<\/a> [NB: the link is to a machine translated (non-official) English version] the Austrian DPA sets out its reasoning for finding a local site\u2019s use of Meta tracking tools breached the GDPR\u2019s requirements on data transfers, noting that the regulation requires that data on EU users is adequately protected if it\u2019s transferred out of the bloc, to so-called third countries (such as the US). 
Yet it found none of the possible protections for such data exports (such as an adequacy decision) applied in this instance \u2014 hence determining that the GDPR\u2019s Article 44 (on data transfers) was violated.<\/p>\n<p>Another key component of the decision is that data collected by Meta\u2019s tracking technologies \u2014 which includes a large number of data-points, including IP address, user ID, mobile OS and browser data, screen resolution, Facebook cookie data and much more \u2014 constitutes personal data under EU law.<\/p>\n<p>\u201cAs a result of the implementation of Facebook Business Tools, cookies were set on [the] end device of the complainant\u2026 which contain a unique, randomly generated value\u2026 This makes it possible to individualise the complainant\u2019s terminal device and record the complainant\u2019s surfing behaviour in order to display suitable personalised advertising,\u201d the DPA explains. \u201cIrrespective of this, at least Meta Ireland had the possibility to link the data it received due to the implementation of Facebook Business Tools on [the] complainant\u2019s Facebook account. It is clear from the Facebook Business Tools Terms of Use\u2026 that Facebook Business Tools are used, inter alia, to exchange information with Facebook.\u201d<\/p>\n<p>Some changes Meta made to its data transfer T&#038;Cs shortly after noyb\u2019s complaints had been filed predated this action \u2014 so came too late to affect the outcome.<\/p>\n<p>However noyb suggests any such terms tweaks and\/or supplementary measures would be unlikely to make a difference given that personal data remains accessible to Meta (and can therefore be passed to US security agencies) \u2014 so, for example, the option of implementing \u2018zero knowledge\u2019 encryption, i.e. 
as a supplementary measure to boost the level of protection for the data, is not available to an adtech giant whose business model hinges on tracking and profiling web users by processing their data.<\/p>\n<p>\u201cThe DPA already found in the Google decision that such elements cannot overcome US law,\u201d Schrems told TechCrunch when we asked about the changes Meta made to its data transfers terms after noyb\u2019s complaints, adding: \u201cI would assume this would not lead anywhere given the case law.\u201d<\/p>\n<p>The DPA\u2019s decision makes direct reference to <a href=\"https:\/\/transparency.fb.com\/data\/government-data-requests\/\" target=\"_blank\" rel=\"noopener\">Meta\u2019s own transparency reports<\/a>, where it records government requests for data \u2014 that it says show \u201cthe Meta Group regularly receives data access requests from US secret authorities\u201d, further specifying \u201cthe data access requests also concern users from Austria\u201d. As well as basic subscriber info, it says requests can ask for records related to account activity and stored contents \u2014 such as messages, photos, videos, time line entries and location information.<\/p>\n<p><span>Zooming out, while EU and US negotiators have provisionally agreed a replacement transatlantic data transfer pact \u2014 which they\u2019re calling <\/span><a href=\"https:\/\/techcrunch.com\/2022\/12\/13\/eu-us-data-privacy-framework-draft-decision\/\">the EU-US Data Privacy Framework<\/a><span> (DPF) \u2014 this third bite at fixing the data-transfer schism is not yet up and running as it still needs to be scrutinized by other EU institutions before the Commission can formally adopt it. 
<\/span><\/p>\n<p><span>That means there\u2019s still a gaping hole in the legal regime governing EU-US data transfers \u2014 one which could remain unplugged for several months yet (back in December the Commission suggested the DPF wouldn\u2019t be in place before July).\u00a0<\/span><\/p>\n<p>Additionally, even if (or when) the new EU-US data transfer framework is adopted by the EU it\u2019s highly likely to face the same core challenge that struck down its predecessors, given US mass surveillance programs have not been reformed. This raises doubts about the long term survival of the planned replacement framework \u2014 so legal uncertainty in this area is pretty much a given whatever happens in the short term.<\/p>\n<p>noyb argues that the only long-term fix for this issue is either reform of US surveillance law to provide \u201cbaseline protections for foreigners to support their tech industry\u201d. Or data localization \u2014 meaning US providers would be forced to host foreign data outside of the country. And we are seeing some moves in that direction (<a href=\"https:\/\/techcrunch.com\/2023\/03\/08\/with-project-clover-tiktok-touts-new-eu-data-privacy-and-security-efforts\/\">such as from TikTok<\/a>, which faces even greater scrutiny than Facebook over matters connected to national security).<\/p>\n<p>It\u2019s not clear if data localization is much of a fix for Meta\u2019s (or indeed TikTok\u2019s) problems, though \u2014 given how data-mining users is central to their ad-targeting business model. 
(\u201cIt is well known that due to its US\u2013based system, Meta is categorically unable to ensure that the data of European citizens is not intercepted by US Intelligence agencies,\u201d noyb suggests.)<\/p>\n<p>In the meanwhile, a final <a href=\"https:\/\/techcrunch.com\/2022\/08\/11\/facebook-europe-shut-down-delay\/\">decision on whether to suspend Meta\u2019s EU-US data transfers<\/a> remains pending from its lead EU DPA, the Irish Data Protection Commission.<\/p>\n<p>So it really is down to the wire on which will come first: A new EU-US data transfers sticking plaster \u2014 which would reset the legal challenges and buy Meta a new round of operational breathing space in Europe \u2014 or a final DPA order to stop transferring EU users\u2019 data over the pond. Although, in\u00a0the latter case, Meta would certainly appeal a suspension order \u2014 so the most likely outcome is that Meta will get to kick the can down the road yet again and European privacy advocates will have to gird themselves for a fresh round of legal challenges, hoping the CJEU will be even faster on pulling the trigger this time.<\/p>\n<p>EU DPAs have shown extreme reluctance to enforce the law around data transfers, dragging their feet when it came to acting on the Court of Justice\u2019s July 2020 decision striking down Privacy Shield, for example. So the same scenario could well repeat next time around, creating a cycle of law-breaking that\u2019s almost never enforced \u2014 and a parody where EU users\u2019 fundamental rights should be.<\/p>\n<p>noyb\u2019s 101 complaints were filed over two and a half years ago \u2014 and this is only the first decision related to Facebook tracking tools. Asked what\u2019s happened with the rest, Schrems told us: \u201cWe are still waiting on all others. 
We do not know why the Google [Analytics] cases went quicker but we assume the Irish DPA took more of a role in the Facebook cases.\u201d<\/p>\n<p>Ireland\u2019s DPA remains the target of fierce criticism over its approach to GDPR enforcement on Big Tech \u2014 with cases piling up on its desk and eventual outcomes often <a href=\"https:\/\/techcrunch.com\/2023\/01\/19\/meta-ads-noyb-epdb-gdpr-complaint\/\">slammed as underwhelming<\/a>.<\/p>\n<p>Another problem noyb highlights relates to the lack of a penalty being issued alongside the Austrian DPA\u2019s breach finding. So even though there is a breach finding there\u2019s still no tangible consequence for the site that broke the law by relying on Meta\u2019s tech. \u201cThere is no information if a penalty was issued or if the [Austrian authority] is planning to also issue a penalty. The GDPR foresees penalties of up to \u20ac20 million or 4% of the global turnover in such cases but data protection authorities seem unwilling to issue fines, despite controllers ignoring two CJEU rulings for more than two years,\u201d it writes.<\/p>\n<p>\u201cThe Austrian DPA never issues fines in complaints procedures, as there is a separate unit in charge of fines,\u201d Schrems explains. 
\u201cThis is a very problematic approach, leading to \u2018double procedures\u2019 and a very low number of fines.\u201d<\/p>\n<p>All these issues will add fuel to arguments the EU\u2019s flagship data protection framework isn\u2019t doing what it says on the tin \u2014 which will dial up pressure on Commission lawmakers for, if not hard reform of GDPR, then at least effective oversight, through proper monitoring of how the regulation is enforced at the Member State level.<\/p>\n<p>That seems necessary if the bloc\u2019s lawmakers are going to keep being able to sell an increasingly broad and deep (interconnected) regime of digital regulation that frequently claims data protection as the foundational underpinning for<a href=\"https:\/\/techcrunch.com\/2021\/12\/01\/data-governance-act-provisional-agreement\/\">\u00a0greater levels of data processing and sharing<\/a>. Put another way, data protection can\u2019t only exist on paper; people need to see their information is actually protected.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/techcrunch.com\/2023\/03\/16\/meta-tracking-gdpr-data-transfer-breach\/\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Natasha Lomas<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Austria\u2019s data protection authority has found that use of Meta\u2019s tracking technologies violated EU data protection law as personal data was transferred to the US where the information was at risk from government surveillance. 
The finding flows from a swathe of complaints filed by European privacy rights group noyb, back in August 2020, which also<\/p>\n","protected":false},"author":1,"featured_media":618476,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[46,682,2034],"tags":[],"class_list":{"0":"post-618475","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"category-tools","9":"category-tracking"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/618475","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=618475"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/618475\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/618476"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=618475"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=618475"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=618475"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}