The Belgian Courts have ruled against Facebook, in a decision that addresses the scope of user consent to place cookies and the use of profiling software, in particular for any users who are not registered as Facebook members.

One of the findings of the Belgian Courts was that Facebook also processes personal data of internet users who do not have a Facebook account, through social plug-ins and cookies. Whenever someone who is not a Facebook member visits a website of the facebook.com domain, including personal or company Facebook pages, Facebook would automatically place a cookie (called "datr" cookie) on that visitor's hard disk. The datr cookie contains information uniquely identifying an internet user's browser and remains on his/her hard disk for two years. Because of the combination of the datr cookies, the IP address and the website visited by the internet user, Facebook is able to monitor the surfing behaviour of the individual internet user. Facebook argued that the information it collects would only enable the identification of a computer and that this data is not personal data. The Belgian Courts disagreed and found these to be personal data.

The Belgian Courts have found that, despite the fact that Facebook provided an information banner regarding its use of cookies linking to a more detailed policy, Facebook did not provide enough information to these non registered users regarding the fact that it collects personal data about them, how the data is used, and how long the data is kept. In addition, Facebook did not have any legitimate grounds to collect and process this information. The Belgian Courts have ordered Facebook Inc., Facebook Ireland Limited and Facebook Belgium sprl, in respect of every internet user on Belgian territory who has not registered as a member of the social network, to cease registering via cookies and social plug-ins information regarding which internet websites they visit.

Facebook also questioned the competence of the Belgian Commission for the protection of privacy (“CPVP”) and of the Belgian Courts. Facebook argued that it has to comply with Irish data protection law only (since Facebook Ireland is said to be the sole controller for the processing of data received through the Facebook platform, including data received through cookies and plug-ins on devices in other EU Member States) and that only Irish courts have jurisdiction to decide on this issue. The Belgian Courts found that Belgian data protection law was applicable and that Belgian courts have jurisdiction.

Facebook has stated that it will further appeal this decision.

It is worth noting that the whole case has been decided under current Belgian law, but the decision may have been different after the entry into force of the General Data Protection Regulation (“GDPR”), which includes new rules on the scope of the jurisdiction of national Data Protection Authorities (“DPAs”), and mechanisms in case of conflict. Under the GDPR new “one stop shop” mechanism, Facebook will be able to interact primarily with one Lead Supervisory Authority (“LSA”) acting as the principal EU regulator responsible for enforcement of the GDPR in relation to cross border processing. In their case, they will be subject to the LSA in Ireland instead of having to deal with 27 different Member State DPAs. Facebook has recently announced they will be rolling out a new privacy centre globally that will make it much easier for people to manage their data, in order to comply with the upcoming GDPR requirements (it is not clear however how this would apply to any users who are not registered as Facebook members).