Belgian Court Demands that Facebook Stop Tracking Non-Members

Privacy

Belgian Privacy Commission v. Facebook Belgium, Court of First Instance (Belgium), November 9th 2015. Judgment available here.

The Belgian Court of First Instance, acting in summary proceedings, ruled that Facebook’s practice of storing and processing personal data of Belgian internet users without a Facebook account violates the Belgian Privacy Act, and ordered Facebook to suspend the practice (effective November 11, 2015) pending a final judgment on the merits. The National Law Review provides an overview of the case, and the Wall Street Journal offers some context on the Belgian court’s ruling and Facebook’s European legal disputes.

Following a May 2015 report and recommendation by a Commission for the Protection of Privacy, The Belgian Privacy Commission (DPA) requested a cessation order against Facebook regarding their practice of placing “datr” cookies on the devices of non-Facebook users without their explicit consent when they accessed Facebook pages or any third-party page containing Facebook plug-ins. Datr cookies are used to track activity on other Facebook pages or pages containing the “like” or “share” button. Facebook claims that this practice has been used to protect the security of its customers by identifying non-human browsers that may be attempting to hack into Facebook accounts. The court ruled that this tracking violates the Belgian Privacy Act because it amounts to the collection and “processing of personal data” without the consent of the data subject, even though the data is collected and maintained in an anonymized form.

Significantly, and rather unexpectedly, the Belgian court held that it had jurisdiction over the case, although Facebook’s Belgian presence is limited (mainly to lobbying activities) and Facebook’s European headquarters are in Ireland, with Facebook Ireland acting as a “controller” of EU personal data.  The court held that Facebook’s activities in Belgium were sufficiently interrelated with those taking place in Ireland and elsewhere to consider Facebook Belgium also responsible for the processing of personal data and to subject Facebook to Belgian data protection law.

Facebook faces a fine of €250,000 per day for violation of the cessation order. More significantly for Facebook (whose privacy policy is also under review in France, Germany, the Netherlands and Spain), and other companies collecting anonymous user data, this case may influence the actions and decisions of data protection authorities and courts in other countries with respect to the regulation of collection and processing of data within their own borders.

Facebook announced that it is working to comply with the judgment and is planning to appeal. The Belgian Court of Appeal’s treatment of this decision and its views on the tracking of anonymized non-member data may have a huge impact on Facebook and similar companies.

The story has been covered widely including by the BBC, NYT and Reuters.