In a groundbreaking decision in one of noybs 101 complaints, the Austrian Data Protection Authority (DSB) has decided that the use of Facebook’s tracking pixel directly violates the GDPR and the so-called “Schrems II” decision on transatlantic data flows. In 2020, the Court of Justice (CJEU) decided that the use of US providers violates the GDPR, as US surveillance laws require US companies, like Facebook, to provide user’s personal information to US authorities.
2020 CJEU ruling hits the real world. In July 2020, the CJEU ruled that a transfer to US providers that fall under FISA 702 and EO 12.333 violate the rules on international data transfers in the GDPR. The CJEU consequently annulled the transfer deal "Privacy Shield", after annulling the previous deal "Safe Harbor" in 2015. While this sent shock waves through the tech industry, US providers and EU data exporters have largely ignored the case. Just like Microsoft, Google or Amazon, Facebook has relied on so-called "Standard Contract Clauses" and “supplementary measures” to continue data transfers and calm its European business partners. Therefore, noyb filed 101 complaints in August 2020 against websites still using Google Analytics and Facebook Tracking tools despite clear court rulings.
“Facebook has pretended that its commercial customers can continue to use its technology, despite two Court of Justice judgments saying the opposite. Now the first regulator told a customer that the use of Facebook tracking technology is illegal.” – Max Schrems, Chair of noyb.eu