Are Facebook login and the Meta Pixel illegal under the GDPR?

The Austrian data protection authority (DPA) decided a case on 15 March about two tools that appear on thousands of websites: Facebook Login and the Meta Pixel. The DPA determined that a website using these tools was violating the GDPR.

Does this mean that Facebook Login and the Meta Pixel are now illegal across Europe? Here’s an overview of this case and what it means for European companies using these tools.

The case against Facebook Login the Meta Pixel

Facebook Login is a single sign-on (SSO) service that enables users to log into third-party services via their Facebook account. This saves users time but carries some privacy risks, as Meta can receive data about the user’s online activities.

The Meta Pixel is an analytics tool that measures how users interact with ads on a website. The Meta Pixel is a code added to a website’s backend. Using a tool such as the Meta Pixel requires consent.

In August 2020, the privacy group “noyb”, led by activist Max Schrems, accused an Austrian website of illegally transferring personal data to Meta’s US servers through its use of these tools.

Let’s look at what the DPA said.

What personal data do Facebook Login and the Meta Pixel collect?

In its decision, the Austrian DPA established that Facebook Login and the Meta Pixel collect a lot of information, including:

• IP address
• Web browser version
• Screen resolution
• User ID
• Mobile operating system
• Website visit date and time

This data is visible to Meta in plain text.

Some of the information collected by Meta’s tools might not be personal data in itself, such as information about a person’s browser, screen resolution, and device type.

But this information can be personal data when combined with unique IDs that can be linked to a Facebook account.

Meta’s US data transfers

Having established that Facebook Login and the Meta Pixel collect personal data, the Austrian DPA also determined that the website using these tools transferred that personal data to Meta’s US servers.

Furthermore, the DPA found that the website and Meta did not have any safeguards in place to make the transfer legal under the GDPR.

The GDPR requires EU organizations to implement safeguards before transferring personal data outside of the EU. These safeguards are designed to ensure that non-EU governments cannot access personal data for surveillance purposes.

At the time of the complaint, Meta said it was certified under “Privacy Shield”. Privacy Shield was a framework recognized by the EU as an adequate means of facilitating a legally compliant international data transfer.

However, Privacy Shield had been invalidated the month before the complaint. In a July 2020 case known as “Schrems II”, the Court of Justice of the European Union (CJEU) found that Privacy Shield did not effectively protect personal data from the US intelligence services.

As such, there were no safeguards in place to protect the transferred personal data. The website’s use of Facebook Login and the Meta Pixel was illegal.

Has Meta put safeguards in place since the complaint?

In September 2020, Meta implemented a new data processing addendum. This agreement covers both Facebook Login and the Meta Pixel.

Meta’s data processing addendum includes the European Commission’s “standard contractual clauses” (SCCs).

SCCs can be a valid means of making an international data transfer under the GDPR. Because Meta includes SCCs in its data processing addendum, the company is contractually obliged to protect EU personal data to EU-equivalent standards..

But in the Schrems II case, the CJEU stated that organizations can only proceed with an international transfer using SCCs if they can effectively protect personal data from by non-EU governments.

Meta is subject certain problematic US national security laws. Under these laws, the US government can order Meta to disregard its SCCs to provide access to EU-originating personal data.

Therefore, transferring personal data to Meta’s US servers would only be legal if there were other technical measures in place to ensure that Meta could not access the data (and pass it onto the US government).

Facebook Login and the Meta Pixel vs. Google Analytics

So are Facebook Login and the Meta Pixel legal to use now that Meta has put SCCs in place? Possibly not.

Since early 2022, eight EU regulators have decided complaints about another popular online tool—Google Analytics. In each case, these regulators found that websites using Google Analytics were engaged in illegal data transfers.

These decisions came despite the fact that Google has SCCs in place to cover transfers to its US servers.

The problem is that Google, like Meta, can still access personal data imported from the EU. The SCCs are effectively worthless, as they do not mitigate the risk of US government access.

It would appear that the same problem arises for Meta. Meta needs access to personal data transferred via Facebook Login and the Meta Pixel to deliver its services. Therefore, websites using these tools should consider whether they could be violating EU data transfer rules.