On 13 May 2015, the Privacy Commission issued a formal recommendation, criticising Facebook’s tracking activities, and formally requesting Facebook to cease these activities. Compared to many other cases of so-called ‘third-party tracking’, Facebook’s tracking activities are – according to the Privacy Commission – more intrusive, as Facebook is able to track surfing behaviour over a large number of websites, and to link this surfing behaviour to users’ real identity, social network interactions and even their medical information and religious, sexual and political preferences.
To justify its collection of data through social plug-ins, Facebook relied upon individuals’ consent. The Privacy Commission, however, concluded that, in this case, the conditions for valid (free and informed) consent were not met, and that there was no legal ground for Facebook’s tracking activities, especially when it came to the tracking of non-users. Once it became clear that no amicable solution could be found, the Privacy Commission sued Facebook before the Brussels Court of First Instance, requesting an injunction prohibiting the use of the ‘datr’ cookie to track non-users.
- Judgment – (partial) victory for Belgian Privacy Commission
On 9 November 2015, the President of the Brussels Court of First Instance pronounced its long-awaited judgment in the so-called ‘Facebook case’.
The court sided with the Belgian Privacy Commission, and ordered Facebook to stop tracking non-users in Belgium within 48 hours as from the service of the judgment. Facebook was also made subject to penalty payments of EUR 250,000 for each day of continued infringement. As regards the tracking of Facebook users, the court conceded that adequate user consent had been obtained.
Facebook has already announced that it will appeal this judgment. The appeal will not, however, suspend any penalty payments, which are immediately enforceable once the judgment has been officially served on Facebook.
- Three things companies should take away from this case
Although this judgment does not directly affect other companies and their data processing activities, three important lessons can be drawn from this case:
- The Belgian Data Protection Act applies even if a company does not have its main European establishment in Belgium
A much debated issue in this case was the territorial application of the Belgian Data Protection Act (“BDPA”) and the international jurisdiction of the Belgian courts. As its European headquarters are in Ireland, Facebook held that only the Irish data protection legislation applied and that only the Irish courts have jurisdiction over non-compliance matters.
The court disagreed, and found that the BDPA did apply, given that the activities of Facebook Belgium SPRL/BVBA (the permanent establishment of Facebook Inc. in Belgium) serve and promote the commercial interests and activities of the entire Facebook Group relating to its social networking and advertising activities, and are, therefore, inextricably linked to those of Facebook Inc.
For Facebook and other international companies with multiple establishments in the EU, this means that multiple national data protection laws may apply and have to be complied with, and not just the data protection laws of the company’s main European establishment. The same holds for companies that have no EU establishments but make use of “equipment” situated on the territory of several EU member states. They will be subject to the regulatory powers of several national data protection authorities, each of which will apply its own national data protection rules.
- Care should be taken when using Facebook plug-ins on company websites
In its formal recommendation of 13 May 2015, the Privacy Commission warned website owners and webmasters who use the social plug-ins offered by Facebook (e.g. the “Like” and “Share” buttons).
Owners of external websites have a legal obligation to properly inform visitors to their websites, of the types of cookies and plug-ins they are using, the information they are collecting, the purposes for which this information is used, and the length of storage of the cookie/plug-in on the visitor’s computer. In addition, for most types of cookies and plug-ins (including Facebook plug-ins and the ‘datr’ cookie), website owners must obtain visitors’ prior express consent before activating them.
Many website owners do not realise that, as from the moment they collect visitors’ IP addresses, they are already subject to this requirement. In the case at hand, Facebook had argued that IP addresses could only be used to identify computers, and not individuals, and would, therefore, not constitute ‘personal data’. In its judgment of 9 November 2015, the court, however, confirmed that the collection of visitors’ IP addresses by using cookies or social plug-ins already qualifies as the ‘processing of personal data’ within the meaning of the BDPA.
- The Belgian Privacy Commission starts taking its watching brief seriously
For the first time since the adoption of the BDPA in 1992, the Privacy Commission has displayed a remarkable level of pro-activism. It is not yet clear, however, if the Privacy Commission’s decision to actively pursue Facebook is a one-off showcase initiative, prompted by the specific nature of the alleged infringer and its activities, or the beginning of a new era of active enforcement. In any case, following this judgment, companies should be aware that data protection compliance should be taken seriously and that they would be well advised to avoid appearing on the Privacy Commission’s radar and risking becoming the next target.
Link to the judgment of the President of the Brussels Court of First Instance of 9 November 2015.