16. March 2023

Facebook Tracking declared unlawful under GDPR by the Austrian DPA

In a recently published decision, the Austrian DPA finds that Facebook's tracking practices violate the GDPR and Schrems II.

The Austrian data protection authority was the first mover to find Google Analytics in violation of the GDPR. Since then, multiple EU data protection authorities have followed suit.

Now, the Austrian DPA has made a groundbreaking decision on Facebook’s tracking pixel.

Here are the main takeaways:

  • Like Google Analytics, Facebook sends personal data from the EU to the US via its tracking technology that is implemented on millions of websites.
  • Considering the CJEU’s Schrems II ruling on transatlantic data flows, these transfers are in violation of the GDPR, according to the DPA.
  • The level of protection in the US for personal data from the EU (EEA) is still insufficient. (The data could be the subject of surveillance by US intelligence agencies.)
  • The decision of the DPA follows a complaint issued by the data privacy activist NGO NOYB and Max Schrems, who also published the full text.
  • It is unclear as of today if the Austrian DPA plans to issue penalties based on this decision in the future.

The EU-US Data Privacy Framework is not mentioned in the decision. If implemented, it could help ease friction around transatlantic data flows. But court challenges loom large over the new framework, and legal uncertainty will likely remain high long after its implementation.

Full text of the decision by the Austrian DPA (German) | Case Summary on GDPRhub | Statement from NOYB
