Facebook Belgium v. Belgian Privacy Commission, (Belgian Court of Appeals, June 29, 2016)
The Belgian Court of Appeals reversed a Belgian Court of First Instance’s order from summary proceedings that Facebook cease tracking Belgian non-users. The Appeals Court held that the Belgian Privacy Commission (“BPC”) lacks regulatory jurisdiction over Facebook, whose European headquarters is located in Ireland. In so holding, the Appeals Court limited the authority of the BPC in regulating privacy practices. A previous JOLT Digest article provides background on the case. ArsTechnica provides some context on European privacy disputes.
The BPC sued Facebook following a report from the Centre of Interdisciplinary Law and ICT (ICRI), the Computer Security and Industrial Cryptography department at the University of Leuven, and the Media, Information, and Telecommunications department at Vrije Universiteit Brussels. The report demonstrated that Facebook tracked non-users by placing “datr” cookies whenever they visited a facebook.com page — including Facebook’s data use policy page. Facebook received the datr cookies whenever a browser loaded a Facebook social plugin, such as the “Like” button. This allowed Facebook to track non-users. According to Facebook, it was necessary to securely allow non-users to see Facebook content.
The BPC filed the original suit against Facebook, Inc., Facebook Ireland Ltd., and Facebook Belgium SPRL in 2015. The original suit alleged that Facebook’s non-user tracking mechanisms violated EU and Belgian Privacy Laws. The BPC requested the Court order Facebook to cease placing cookies on non-users’ browsers without “sufficient and adequate information” about Facebook’s practice and how they use the data, and to cease collecting the datr cookies through their social plug-ins. The BPC requested costs and a daily fine of € 250,000 for noncompliance.
Facebook claimed that the Belgian Court had no jurisdiction. If the court found jurisdiction, they requested that the Court declare the claim impermissible and at least inadmissible, or to dismiss the claim as unsubstantiated. Each entity requested costs. Facebook Belgium also requested that the Court forbear applying any prohibition on Facebook Belgium.
The Belgian Court of First Instance found jurisdiction over Facebook, finding the operations of Facebook Belgium as “inextricably linked” to Facebook Ireland. The Court found jurisdiction because the original case was “about the application of Belgian legislation on Belgian territory and Facebook Belgium [was] indeed a Belgian establishment of the controller of the processing of the data in the meaning of Article 4.1.a) of Directive 95/46/EC.” The Court ordered Facebook to cease placing cookies on non-users’ browsers without “sufficient and adequate information” about Facebook’s practice and how they use the data, and to cease collecting the datr cookies through their social plug-ins. The lower court imposed a daily fine of € 250,000 for noncompliance.
With the Belgian Court of Appeals reversing the lower court’s order, Facebook may now resume its controversial practice. The BCP may appeal to the Belgian Court of Cassation, Belgium’s court of last resort. Unless the Court of Cassation overturns the Court of Appeals’ decision, the BCP and similarly situated European Data Privacy Commissioners may find it difficult to exercise authority over Facebook’s practices under the Data Protection Directive of 1995.
The General Data Protection Regulation, a recently adopted data protection regime, will replace the DPD on May 25, 2018.
Note: This article relies in part on secondary sources.