Based on its ongoing investigation of Facebook’s new terms and conditions, the Belgian Privacy Commission has issued a public recommendation (which can be consulted here in English).
The document focuses on the applicable law and competence of the Belgian Privacy Commission and on the use of social plug-ins.
- Applicable law and competence of the Belgian Privacy Commission
According to Facebook, Facebook Ireland should be considered as the sole controller for the processing of European users’ data and therefore Facebook only recognizes the Irish Privacy Commission’s competence and holds that Irish national data protection law applies to all European users of its social network.
The Belgian Privacy Commission, however, is of the opinion that the Belgian Privacy Act is applicable and that it has competence to take action against Facebook based on the following reasoning:
- Facebook Inc. – and not Facebook Ireland – is the controller
Since Facebook Inc. determines the essential elements of the data processing (e.g. which personal data are processed, for which purposes and how long they are kept), Facebook Inc. – and not Facebook Ireland – must be considered as the only controller.
- Facebook Belgium SPRL is a permanent establishment of Facebook Inc. …
The Privacy Commission qualifies Facebook Belgium SPRL as a permanent establishment of Facebook Inc. whose activities aim at serving and promoting the commercial interests and activities of Facebook and the entire Facebook Group with regard to their social network and advertising activities.
- … whose activities are inextricably linked to those of Facebook Inc.
By applying the reasoning of the European Court of Justice in the Google Spain-case (about this case, see our earlier blog post here), the Privacy Commission concludes that, taking into account the inextricably linked nature of the activities of Facebook SPRL and Facebook Inc., the Belgian Privacy Act is applicable and the Belgian Privacy Commission has competence to take action.
In the alternative, the Privacy Commission states that the same conclusion would be reached on the basis of another legal ground because Facebook Inc. – the only “real” controller – is not established in the European Union and makes use of automated means for the purposes of processing personal data on Belgian territory, using for example cookies.
- Tracking by social plug-ins
The Privacy Commission is concerned about the widespread use of social plug-ins by Facebook to track the surfing behavior of both users and non-users of Facebook.
Social plug-ins are website components designed to share content from an external source with Facebook. Examples of social plug-ins are the “Like” button and the “Share” button. By adding a social plug-in, owners of external websites integrate a part of Facebook into their website, which enables Facebook to track the surfing behavior of its users (including users who have logged out, users who have deactivated their accounts and users who have opted out of targeted Facebook advertisements) and even of non-users. In other words, the mere presence of a social plug-in on an external website leads to the transmission of data to Facebook.
The Privacy Commission notes that data subjects must always give their unambiguous and specific prior consent before Facebook can place or receive the cookie in the context of social plug-ins. Furthermore, the Privacy Commission stresses that the data processed must be adequate, relevant and not excessive.
Regarding non-users, it is stated that the collection of their personal data can under no circumstances be considered as relevant. As to Facebook users, even if they have subscribed to the terms of service, the Privacy Commission considers it excessive that Facebook systematically collects data about the consultation of external websites containing its social plug-ins, even if the user did not interact with these social plug-ins and simply visited the webpage.
The Privacy Commission addresses the following recommendations to Facebook:
- With respect to non-users of Facebook, Facebook must refrain from systematically placing long-lasting and unique identifier cookies with non-users and only collect their data by means of cookies and social plug-ins after having obtained the unambiguous and specific consent of non-users (both deactivated and logged-out users being considered non-users in this context);
- Regarding users of Facebook, Facebook must refrain from collecting and using the data of users by means of cookies and social plug-ins, except when (and only to the extent that) this is strictly necessary for a service explicitly requested by the user or unless it obtains the users’ unambiguous and specific consent;
- Until the recommendations above are implemented, the range of integration possibilities for social plug-ins must be limited to privacy-friendly versions that meet data protection requirements;
- Facebook should adapt its user interface to ensure that any collection or use of information obtained by means of cookies (particularly for advertising purposes) is based on the specific and unambiguous consent of its users.
Furthermore, the Privacy Commission recommends that other website owners use tools to make sure that third-party plug-ins do not connect to third-party servers until visitors have clicked on the social plug-in.
Finally, internet users are advised to protect themselves by using browser add-ons that block tracking or by using the incognito or “private navigation” mode of their browsers.
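The click-to-activate approach recommended to website owners above, sketched as an added example (not code from the Privacy Commission or from the original post). The `data-plugin-src` and `data-plugin-label` attributes and the `plugin.example` URL are assumptions made for illustration.

```javascript
// Added example: "two-click" loading of a third-party social plug-in.
// The data-plugin-* attributes and plugin.example URL are hypothetical.

// Put an inert, first-party button in `container`. Nothing is requested
// from the plug-in provider until the visitor clicks that button.
function deferPlugin(doc, container, pluginSrc, label) {
  const button = doc.createElement('button');
  button.setAttribute('type', 'button');
  button.textContent = label;

  let activated = false;
  button.addEventListener('click', () => {
    if (activated) return; // ignore repeated clicks
    activated = true;
    const frame = doc.createElement('iframe');
    frame.setAttribute('title', label);
    // Keep the visited page's URL out of the Referer header.
    frame.setAttribute('referrerpolicy', 'no-referrer');
    frame.setAttribute('src', pluginSrc);
    // The third-party request happens only once the frame is inserted.
    container.replaceChild(frame, button);
  });

  container.appendChild(button);
  return button;
}

// Upgrade every placeholder element, for example:
//   <div data-plugin-src="https://plugin.example/like?href=..."
//        data-plugin-label="Enable Like button"></div>
function deferAllPlugins(doc) {
  const placeholders = Array.from(doc.querySelectorAll('[data-plugin-src]'));
  return placeholders.map((el) =>
    deferPlugin(doc, el, el.getAttribute('data-plugin-src'),
      el.getAttribute('data-plugin-label') || 'Enable social plug-in'));
}

// Run automatically only when loaded in a browser.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => deferAllPlugins(document));
}
```

The placeholder only has the intended effect if the page contains no other script, image or frame tag that points at the plug-in provider, since any such tag would contact the provider on page load.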