Austrian DSB ruling on international data transfers via tracking tools

Data transfers to the US via tracking tools were found to be in violation of the GDPR by the Austrian DSB, although there were no specific penalties or fines mentioned at this time

Linda Thielova
Head of Privacy Center of Excellence, DPO, OneTrust
March 22, 2023

On March 16, 2023, the Austrian Data Protection Authority (DSB) found the use of the tracking pixel from a prominent global technology and social media company to be illegal – in violation of the Schrems II decision on transatlantic data transfers. 

These violations came to light from 101 complaints filed by noyb, a European non-profit focused on fighting for the digital privacy rights of citizens. These complaints were filed back in August 2020 in all 30 EU and European Economic Area (EEA) member states against European companies that share data with Google and Meta. 

What are the highlights of the decision?

The complaints from noyb called out organizations for violating Article 28 and Article 44 of the GDPR, stating data was being transferred without adequate protection and possibly shared with US security authorities. The DSB found the tracking tools by the multinational technology conglomerate used the Privacy Shield framework, which was deemed invalid by the Schrems II decision on July 16, 2020. 

The decision stated that although the organization in question did introduce standard contractual clauses to protect data adequately under the Schrems II decision, it only did so after August 12, 2020 – meaning the company was in breach of the GDPR for the window post-Schrems II and pre-SCC introduction into their data processes. 

However, regarding the other complaints around violations of specific articles of the GDPR, the DSB found that as the organization was just a data importer and not a controller, it was not violating Article 44. In the case of Article 28, it ruled that Meta was legally obligated to share information with US security agencies, and the possibility of sharing this data did not constitute a violation of the GDPR. 

Regarding enforcement, fines, or penalties, the DSB ruled that there would be no such action in place for organizations involved at this time – although standard GDPR enforcement would be up to a 20 million euro fine, or 4% of global turnover, whichever is more. 

What does this mean for organizations?

Organizations with websites that operate in the EU and use tools for tracking and targeted advertising need to keep an eye on further actions and decisions on these tools in their online properties. The EU-US transatlantic data flows are yet to be finalized and movement around this will be crucial in defining what the final action around the use of these tools in the EU will be. 

As the primary issue around the tools is their relationship with US surveillance agencies and the sharing of personal information that takes place in that context, the only resolution in sight will be for the EU to explicitly address this issue in the upcoming EU-US Privacy Shield 2.0. 

In the meantime, scanning your website to understand which trackers are in place and ensuring you’re being transparent with your website users when collecting consent is something your organization needs to prioritize. This not only helps from a compliance perspective but also helps build trust with your users – giving them visibility into your data practices, as well as control over how their data is used.

How can OneTrust help your business stay compliant?

OneTrust Consent and Preferences ensures your business honors user privacy from the very first touchpoint, with regulation-aligned consent banners, while giving you the opportunity to use first-party data strategies to provide valuable personalized experiences to your users as well. 

Scan your website to understand what trackers are in place and use customized consent collection banners to provide the best privacy-first user experience for your customers. To learn more about how OneTrust can help your organization build trust with users on your website, request a demo today

You may also like


Privacy Management

Unpacking the EU-US DPF

In this webinar, we cover the new EU-US Data Privacy Framework (EU-US DPF) and what privacy program managers need to know for post-Schrems II data transfers.

June 28, 2023

Learn more


Privacy & Data Governance

The 3 priorities of the French DPO: Gain visibility, take action, automate

Download our infographic and learn about the 3 priorities of the French DPO.

May 30, 2023

Learn more


Privacy Management

GDPR turns 5: Celebrating data protection

Northern Europe panel - Join our panel of experts as they recap the GDPR, its key concepts, and what it means for organizations and compliance. 

May 25, 2023

Learn more