In January 2015, Facebook Inc. (Facebook) updated it policies and terms enabling it to track users across websites and devices, use profile pictures for both commercial and non-commercial purposes and collect information about its users’ whereabouts on an ongoing basis.
Public concern has prompted many of the European Data Protection Authorities, including the authorities of Netherlands, Belgium, France and Spain, to launch investigations into the legality of these new proposals.
Facebook has challenged the legitimacy of the recent investigations, arguing that the company should only be subject to the direct scrutiny of the Irish Data Protection Commissioner (based on a premise that Facebook Ireland, and not Facebook Inc., acts as the “controller” in relation to the processing of EU citizens' data).
As we have reported previously, the Belgian Privacy Commission rejected both the accuracy and pertinence of Facebook’s arguments on the following grounds:
- Facebook’s establishment in Belgium "provided a compelling basis to apply Belgian law because the activities of the establishment are “inextricably connected” to the activities of the (actual) controller, Facebook Inc."; and
- Facebook's tracking of the browsing activities of its users through “social plug-ins” (such as the “like” and “share” button) is an automatic opt-in mechanism that “is not an adequate mechanism to obtain average users’ informed consent”.
The Privacy Commission, in rejecting Facebook's arguments, have made the following recommendations to Facebook:
- design its "social plug-ins" in a manner that is compliant with privacy laws – i.e. the use of the "social plug-in" does not lead to the automatic transmission of information to Facebook;
- obtain separate opt-in consent before using information obtained by means of cookies and "social plug-ins" for advertising purposes; and
- refrain from systematically placing and receiving long-term uniquely identifying cookies in relation to non-users.
To read the recommendation click here.