Meta Platforms Inc. – Complaint Upheld (Austria, 2023)
Meta Platforms Inc. was found to have tracked users without proper consent through its tools on third-party websites. This ruling is crucial as it reinforces the need for companies to obtain clear consent before tracking users online.
What happened
Meta tracked a user's activities on a website through its Facebook tools without obtaining consent.
Who was affected
Website visitors who were tracked while using third-party sites that integrated Meta's tools.
What the authority found
The Austrian data protection authority ruled that Meta did not have a valid legal basis for processing personal data, violating GDPR requirements.
Why this matters
This ruling sets a strong precedent for the accountability of tech companies in data tracking practices, urging website operators to ensure they have proper consent mechanisms in place.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
== About a month after the "Schrems II ruling" by the CJEU (CJEU - C-311/18 - Schrems II) the NGO noyb filed 101 complaints regarding data transfers from EEA based websites to Google LLC and Facebook Inc. in the US (see [https://noyb.eu/en/101-complaints-eu-us-transfers-filed here] and [https://noyb.eu/en/update-noybs-101-complaints-eu-us-data-transfers here]). In order to coordinate the work of all involved DPAs, the EDPB created a special task force. This decision by the Austrian DPA stems from one of those complaints. == On 12.08.2020, the data subject visited a website hosted by an Austrian media company while logged into his personal Facebook account. At the time, such company made use of the Facebook Login tool, which facilitates users´ access to services not offered by Meta without the creation of additional accounts. The company also used the Facebook Pixel tool and it was thus able to track visitors´ activities on its website. According to the data subject (represented by noyb), the mere access to this website triggered an unlawful transfer of personal data to the US. In particular, the controller would have transferred data in violation of Chapter V GDPR. Therefore, on 18.08.2020 the data subject filed a complaint against the media outlet for the use of such tracking tools lamenting the violation of Articles 44 et seqq. GDPR. In addition, the data subject claimed that Meta infringed Articles 5(2), 28 and 29 GDPR. During the investigations of the Austrian DPA, which took several months, the controller claimed to have deactivated the Facebook tools after the complaint was filed. In addition, it argued that the only controller´s direct contractual party was Meta Platforms Ireland Limited. Consequently, subsequent transfers, including transfers outside the EU, were outside its area of competence. Finally, the company declared that transfers were justified in light of media privilege. Meta Platforms Inc. claimed to be a mere sub-processor on behalf of Meta Pla
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (1)
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Meta Platforms Inc. in AT
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Meta Platforms Inc. - Austria (2023). Retrieved from cookiefines.eu
Last updated: