Facebook uses “datr-cookies” to collect personal data of non-members. These datr-cookies are automatically installed on the browsers of non-members when they visit a Facebook.com webpage. Facebook also makes use of so-called “social plugins” on third-party websites, which allows internet users to use some of the functionalities offered by Facebook, such as “like”, “share”, or commenting on a webpage.
Whenever non-members visit a website that integrates a Facebook social plugin, this social plugin will communicate the information contained in the datr-cookie with Facebook, including the IP address of the internet user and the URL of the website concerned. Through this, Facebook is able to collect a significant amount of personal data of non-members.
On 13 May 2015, the Belgian Privacy Commission had already issued a recommendation in which it identified Facebook’s data processing actions as a violation of the Belgian Data Protection Act (the “DPA”) and urged Facebook to cease these practices immediately.
After it became clear that Facebook would not comply with the recommendation, the Privacy Commission sued Facebook before the Brussels Court of First Instance, alleging that Facebook’s processing of personal data of non-members violates the DPA.
In its judgment, the Brussels Court of First Instance first determined that the DPA applies. It held that the processing of personal data is inextricably linked to the activities of Facebook Belgium BVBA, even though the Irish Facebook entity performs the actual data processing and Facebook Belgium BVBA only performs marketing- and lobbying-related activities.
Next, the Brussels Court ruled that Facebook’s data processing violates the DPA for the following reasons:
- Non-members were not given prior, clear, and complete information on Facebook’s data processing;
- Non-members did not express their informed and unambiguous consent to Facebook’s data processing;
- The data processing was not necessarily done with a view to Facebook’s legitimate interests, given that the interests of the non-members outweighed the interests of Facebook, namely the security of Facebook’s services offered. The Brussels Court found there were better and less intrusive methods for ensuring security;
- The data processing did not serve a legitimate purpose, given that it was inadequate, irrelevant, and disproportionate to the intended purpose as portrayed by Facebook.
As a result, the Brussels Court ordered Facebook to cease the following within 48 hours:
- The installation of datr-cookies at non-members’ computers when they visit the facebook.com domain, without providing prior and adequate information on this installation and the use that Facebook makes of the datr-cookies via social plugins;
- The collection of the datr-cookie (and thus the personal data it contains) via social plugins placed on third-party websites.
Finally, the judgment imposes a penalty of €250,000 per day that Facebook fails to comply with the ruling.
Facebook has already announced that it will appeal against the decision of the Brussels Court. Facebook has also said that if they are blocked from using the datr-cookie, they would have to treat visits to its service from Belgium as untrusted logins, requiring a range of other verification methods to establish that people are accessing their accounts legitimately.