In a Judgment on 9 November 2015, the Court of First Instance in Brussels, Belgium, ordered the parent company of Facebook and its Irish and Belgian affiliates to cease monitoring and processing of personal data via cookies and social plug-ins which track Belgian visitors to Facebook who do not necessarily have a Facebook account.
The common assumption is that the only law which can apply to a data controller in the EU is the law of the member state where the data controller has a legal entity. However, it has always been the case that a data controller can be subject to member state law if it is using equipment for processing personal data in that member state, irrespective of where it is situated by way of incorporation.
The Belgian Courts decided that data protection law applied because, amongst other things, the processing via cookies and similar devices of the IP address and unique identifiers of visitors to the Facebook website meant that personal data was being processed.
The Court found that the fact that Facebook collected data on the web-surfing activities of millions of Belgian citizens who had visited Facebook, but decided not to become Facebook members, was a “manifest” violation of Belgian data protection law. No lawful consent was obtained by Facebook to process personal data and any argument by Facebook that it was collecting data for legitimate purposes was overridden by the fundamental right to privacy of individuals who did not have a Facebook account.
The proposed penalty being imposed upon Facebook amounts to €250,000 per day for every day that Facebook fails to comply with the Belgian decision, and as Facebook has suggested that it is likely to appeal the decision, this will be costly.
There have been a number of decision in the EU over the past six months where member state jurisdiction has been applied to companies seeking to avoid such laws and this trend is likely to continue and to be reinforced by the Data Protection Regulation due to be published within the next six months.