In another setback for Facebook in Europe, a Belgian Court of First Instance issued an order enjoining the social media site from tracking the web activity of Belgian users who don’t have Facebook accounts. Facebook, which faces fines of € 250,000 per day if fails to comply, has issued a statement that it will abide by the court’s order, but will appeal the ruling. The order went into effect on November 11, 2015.
The latest salvo against Facebook began last June when Belgium’s data protection authority sued Facebook for violations of Belgian privacy laws based on the findings of a May 2015 report and recommendation by a Commission for the Protection of Privacy.
Significantly, the Belgian court held that it was competent to decide the case in accordance with Belgian law, even though Facebook is headquartered in Ireland and has only a limited presence in Belgium, generally limited to lobbying activities. Facebook, on the other hand, insists that Ireland‘s data protection authorities have exclusive jurisdiction over Facebook’s processing of data within the European Union as a whole, since only the Irish entity is actually acting as a “controller” of EU personal data. The court held that Facebook’s activities in Belgium were sufficient, and sufficiently interrelated with, those taking place in Ireland and elsewhere so as to subject Facebook to Belgian data protection laws. Thus, the case further reflects the efforts by individual member state data protection authorities to act on their own in respect of the processing of data within their own borders.
What kind of tracking was enjoined?
Let’s say you’re not a member of Facebook. You Google your favorite rock band and click on a search result that links you to the band’s Facebook fan page (i.e., a page hosted by Facebook). Or you navigate to a third-party page that contains the ubiquitous Facebook “like” or “share” button. In each of those instances, even though you haven’t signed up with Facebook, Facebook places on your device (e.g., your computer, mobile phone) an identifier, called a “datr” cookie, which contains a unique browser ID that Facebook can thereafter use to track your activity on other Facebook pages or pages containing the “like” or “share” button.
According to the court, this tracking violates the Belgian data protection laws because it amounts to the collection and “processing of personal data” without the consent of the data subject.
For its part, Facebook claims that it drops the datr cookies (and has been doing so for more than five years) to protect the security of its customers by weeding out robotic or other non-human browsers who may be attempting to hack into their Facebook accounts.
Implications for the future
Facebook has stated that it “will appeal this decision and [is] working to minimise any disruption to people's access to Facebook in Belgium” In the meantime, there are few things to keep in mind:
- The browser data collected may be considered personal information even if collected and maintained in anonymized form.
- The rationale of the case may form the basis for further fragmentation of the European market since other individual member states may take the view that their local data protection authorities have the power to regulate the collection and processing of data within their own borders. No doubt this, accompanied by other recent decisions conferring more power on local data protection authorities (e.g., Schrems) will increase the call for harmonization of EU data protection and privacy standards and jurisdiction rules. Perhaps the GDPR will answer the call.
For assistance in understanding how this decision may affect your company, or help auditing privacy and data security compliance programs, please contact the author or a Polsinelli Privacy and Data Security team member.