Belgian Court Beats “Big Brother” Facebook Inc. in Privacy Case

By Ally Stafford

A court in Belgium ruled that Facebook violated privacy laws by deploying technology such as cookies and social plug-ins to track internet users across the web. The court threatened Facebook with a fine of 250,000 Euros (USD 310,000) a day and could reach up to 100 million Euros (USD 125 million) if it continued to breach privacy laws. [1]

 

Where did Facebook go wrong?

 

Facebook uses tracking codes, commonly referred to as “cookies,” on third-party websites. They use the “like” or “share” buttons and invisible pixels to collect data on people’s behavior during their visits to other websites.[2] The purpose of this surveillance is for digital ad targeting.[3] For example, say you are shopping for a new pair of shoes so you browse a few different websites. Then you open up Facebook in a new browser and in between your friend’s posts are ads for the same shoes you were just admiring. This is digital targeted advertising and it has been around since the 1990s.[4]

 

Belgium, and other countries within the EU, have questioned whether Facebook has obtained adequate consent from their users to be watched in this way when they are not actually using Facebook.

 

Facebook claims that the cookies and pixels are “industry standard technologies” that enable thousands of businesses to grow across the EU.[5] Further, Facebook says they require people the right to opt-out of having data collected on sites and apps off its platform being used for advertisements.[6]

 

Facebook’s Challenges in the EU

 

This is not the first time that Facebook has been accused of violating privacy rules in the EU.

 

About two years ago, the Belgium Privacy Commission filed a suit against Facebook for violations of EU privacy laws. The Commission accused Facebook of illegally tracking users and non-users through their “datr” cookie.[7] Facebook said that it used the datr cookie to prevent the creation of fake accounts, lower the risk of users’ accounts being hacked, protect users’ content against theft, and prevent distributed denial of service (DDoS) attacks that could make Facebook inaccessible to some users.[8] Facebook consistently has said that the datr cookie was not meant to track users. However, there were two occasions when Facebook was found to be tracking users via the datr cookie. Initially, the court ordered Facebook to stop tracking non-members or else face significant fines.[9] However, Facebook won on technical grounds in their appeal. The court held that the Belgium Privacy Commission did not have jurisdiction to sue Facebook because the company had its headquarters in Ireland.[10]

 

Another battle Facebook has faced in Europe was against Germany. Since March 2016, Facebook has been investigated by Germany over allegations of breaches in data protection law. The federation of German consumer organizations (VZBV) claimed that Facebook’s default privacy settings and use of personal data did not meet the requirement for informed consent under German consumer and data protection law. [11] Facebook was using the WhatsApp messenger app to share data from its WhatsApp users (including phone numbers) with Facebook for digital targeted ads.[12] Users were opted into this upon signing up for the app.[13] The Berlin court held that the five default settings were “invalid declarations of consent.”[14] Further, the court rules that eight clauses in Facebook’s terms of service to be invalid.[15]

 

France, Ireland, and Spain have also investigated Facebook’s privacy practices.

 

The New Belgium Ruling

 

In a judgment on February 16, 2018, the Court of First Instance in Brussels held that Facebook violated Belgian privacy and cookie laws. The court followed the Privacy Commission’s recommendation published on May 13, 2015 that urged Facebook to implement a number of corrective measures.[16] The Privacy Commission is an independent European task force that deals with issues relating to the protection of personal data and privacy.

 

The Belgium Court held that first, the Privacy Commission and court have jurisdiction and second, that Facebook violated Belgian Privacy Act and the Belgian Cookie Act.[17]

 

As for the first issue, the court held that it maintained jurisdiction because the activities of Facebook, Inc. and Facebook Ireland and those of Facebook Belgium were inextricably linked.[18] Applying the establishment test, the court concluded that the Belgian Privacy Act was applicable in the context and activities of the establishment Facebook Belgium, and Facebook Ireland was responsible to ensure compliance.[19]

 

Second, the court analyzed Facebook’s use of cookies. The court held that the company is not doing enough to teach users how it is tracking them in order to be able to give valid consent to that tracking under the Privacy Act.[20] Further, the court said that there is too much uncertainty about the type of data Facebook is acquiring and how they store it.[21]

 

Facebook was ordered to stop tracking users in Belgium until its privacy polices are within Belgium and EU privacy law standards.[22] Further, the company must destroy all personal data that was unlawfully collected by these users.[23] If Facebook does not follow this, then they face daily fines or until it reaches a maximum of one hundred million euro.[24] The court also went a step further and required Facebook to public the 84-page ruling on its website.[25] Facebook plans to comply with this ruling, but will likely appeal.[26]

 

Facebook in the Future: The GDPR

 

The General Data Protection Regulation (GDPR) will come into force in the EU on May 25, 2018.[27] The GDPR will be a stronger, more unified version of data protection laws. GDPR will govern the processing and storage of EU citizens' data, whether or not the company has operations in the EU.[28]  Facebook claims that it will radically overhaul its privacy settings in preparation for the GDPR, but it will be interesting to see how the new regulation will affect users’ use of Facebook and data privacy protection in the EU.

 

[1] Lucian Armasu, DeMorgen (translated by tom’shardware), Facebook Loses Belgium Privacy Lawsuit (Feb. 16, 2018), http://www.tomshardware.com/news/facebook-loses-belgium-privacy-lawsuit,36540.html.

[2] Natasha Lomas, Facebook’s Tracking of Non-Users Ruled Illegal Again, Techcrunch (Feb. 19, 2018), https://techcrunch.com/2018/02/19/facebooks-tracking-of-non-users-ruled-illegal-again/.

[3] Id.

[4] Clint Pumphrey, How Do Advertisers Shoe me Custom Ads?, Howstuffworks, https://computer.howstuffworks.com/advertiser-custom-ads.htm,

[5] Lomas, supra note 2.

[6] Id.

[7] Id.

[8] David Cohen, What Is Facebook’s Datr Cookie, and Why Does Belgium Want it Gone?, AdWeek (Oct. 15, 2015), http://www.adweek.com/digital/datr-cookie-belgium/.

[9] Samuel Gibbs, Facebook Ordered by Belgium Court to Stop Collecting User Data, IrishTimes (Feb. 16, 2018), https://www.irishtimes.com/business/technology/facebook-ordered-by-belgian-court-to-stop-collecting-user-data-1.3395022.

[10] Armasu, supra note 1.

[11] Alex Hern, Facebook Personal Data Use and Privacy Settings Ruled Illegal by German Court, The Guardian (Feb. 12, 2018), https://www.theguardian.com/technology/2018/feb/12/facebook-personal-data-privacy-settings-ruled-illegal-german-court.

[12] Id.

[13] Id.

[14] Id.

[15] Id.

[16] The Commission for the Protection of Privacy, Recommendation no. 04/2015 (May 13, 2015), https://www.privacycommission.be/sites/privacycommission/files/documents/recommendation_04_2015_0.pdf.

[17] Tim Van Canneyt & Lisa De Smet, Convicted on the Merits: Facebook Must Play by the Belgian Privacy and Cookie Rules, iapp (March 6, 2018), https://iapp.org/news/a/convicted-on-the-merits-facebook-must-play-by-the-belgian-privacy-and-cookie-rules/.

[18] Id.

[19] Id.

[20] Armasu, supra note 1

[21] Id.

[22] Id.

[23] Id.

[24] Id.

[25] Id.

[26] Id.

[27] Armasu, supra note 1.

[28] Id.