Facebook Tracking declared unlawful under GDPR by the Austrian DPA
The Austrian data protection authority was the first mover to find Google Analytics in violation of the GDPR. Since then, multiple EU data protection authorities have followed suit.
Now, the Austrian DPA made a groundbreaking decision on Facebook’s tracking pixel.
Here are the main takeaways:
- Like Google Analytics, Facebook sends personal data from the EU to the US via its tracking technology that is implemented on millions of websites.
- Considering the CJEU’s Schrems II ruling on transatlantic data flows, these transfers are in violation of the GDPR, according to the DPA.
- The US protection level of personal data from the EU (EEA) is still insufficient. (The data could be the subject of surveillance by US intelligence agencies)
- The decision of the DPA follows a complaint issued by the data privacy activist NGO NOYB and Max Schrems who also published the full text.
- It is unclear as of today if the Austrian DPA plans to issue penalties based on this decision in the future.
The EU-US Data Privacy Framework is not mentioned in the decision. If implemented, it could help ease friction around transatlantic data flows. But court challenges loom large on the new framework, and legal uncertainty will likely remain high long after its implementation.
Full text of the decision by the Austrian DPA (German) | Case Summary on GDPRhub | Statement from NOYB
Read more
Retail Media: The Rise of First-Party Data
In a world where third-party data is losing its grip, retail media offers brands a powerful alternative—delivering hyper-targeted ads exactly where purchase decisions are made. As privacy rules tighten, knowing how to tap into first-party data could be the key to staying ahead.
How Server-Side Tracking helped Zühlke achieve Data Excellence
Advance Metrics implemented server-side tracking and also enabled seamless integration with Microsoft Dynamics and other platforms to improve the efficiency of marketing automation and data analysis.