Convicted on the merits: Facebook must play by the Belgian privacy and cookie rules | Fieldfisher
Skip to main content
Insight

Convicted on the merits: Facebook must play by the Belgian privacy and cookie rules

Locations

Belgium

On 16 February 2018 Facebook was convicted on the merits by the Court of First Instance of Brussels to comply with the Belgian privacy and cookie rules. This article elaborates on the history of the case and goes deeper into the content and implications of the decision on the merits.

Convicted on the merits: Facebook must play by the Belgian privacy and cookie rules

Tim Van Canneyt and Lisa De Smet, Fieldfisher

In a judgement of 16 February 2018, the Court of First Instance of Brussels has convicted Facebook for non-compliance with the Belgian privacy and cookie rules. The Court ordered Facebook to cease its current cookie use practices under forfeiture of an incremental penalty of 250.000 EUR per calendar day of non-compliance (with a maximum of 100 million EUR).

This is the provisional culmination of an intense legal battle between the Belgian Privacy Commission and Facebook, which started end of 2014 and which will likely continue before the Court of Appeal in the coming years.

1. What is this case about again?

Following a detailed examination of Facebook's use of cookies, the Privacy Commission published a recommendation on 13 May 2015 in which it urged Facebook to implement a number of corrective measures. Having been unable to reach an agreement with Facebook in subsequent weeks, the Privacy Commission took Facebook to court. It initiated both summary proceedings and a procedure on the merits.

In the summary proceedings case, the Court of First Instance of Brussels decided on 9 November 2015 that:

  • The Privacy Commission and courts have jurisdiction, despite Facebook's claim that it was only subject to the jurisdiction of the Irish data protection commissioner. In deciding this, the Court followed the reasoning adopted by the Privacy Commission in the aftermath of the ECJ's Google Spain and Weltimmo decisions (for a more detailed analysis, see our previous blog on this topic).

  • Facebook's processing of personal data violated both the Belgian Privacy Act and the Belgian Cookie Act, especially with regard to internet users on the Belgian territory who did not have a Facebook account.

    The Court sentenced Facebook under forfeiture of an incremental penalty for non-compliance, to cease:

    i) The placing of a specific browser-identification and tracking cookie (the so-called "datr-cookie") without prior adequate information regarding the placing of this cookie and the use thereof through social plugins, and

    ii) The collection of the datr-cookie through social plug-ins placed on third party websites. The urgency for this preliminary ruling was found in the proclaimed massive violation of the fundamental right to privacy.

This preliminary ruling had been overturned by the Court of Appeal, which followed Facebook's argument that the Belgian courts had no international jurisdiction over Facebook Ireland and Facebook Inc.

Although the Court of Appeal found that the Belgian Courts did have jurisdiction over Facebook Belgium, it decided to dismiss the claim on the basis that the urgency requirement for this procedure had not been met. This was due to the fact that the Privacy Commission waited more than 3 years to initiate its proceedings after it found out about Facebook's disputed practices.

2. The decision on the merits

Considering the different view of the courts in the summary proceedings, the big question was therefore what the Court of First Instance would decide in the proceedings on the merits of the case.

a. Belgian courts have jurisdiction

With reference to the ECJ's Google Spain judgment, the Court ruled that the activities of Facebook Inc. and Facebook Ireland (together Facebook Group) on the one hand, and those of Facebook Belgium on the other hand, were inextricably linked on the following grounds:

  • The activities of Facebook Belgium (supporting advertisers in Belgium, sales and marketing activities and lobbying) were found to be focused on increasing and maintaining profits of the Facebook Group activities.

  • The Facebook Group activities, including the processing of personal data, were found to provide the means by which Facebook Belgium could perform its activities.

The activities of Facebook Belgium were consequently found to constitute trade activities for the data controller Facebook Ireland on the Belgian territory.

Applying the "establishment test", this allowed the Court to conclude that the Belgian Privacy Act was applicable to the processing of personal data in the context of the activities of the establishment Facebook Belgium, and that Facebook Ireland was responsible to ensure its compliance.

b. Facebook violates the Cookie Act

Having dealt with the jurisdiction issue, the Court of First Instance then analysed at Facebook's use of cookies.

The Court basically ruled that Facebook's processing of personal data of both Facebook users and non-Facebook users for tracking purposes by means of cookies, social plug-ins and pixels, violates the Privacy Act and Cookie Act.

Firstly, the Court stated that Facebook has not obtained a valid consent for such processing of personal data and that no other legal basis for the processing can be relied upon. Furthermore, the Court found Facebook's processing to be unfair and disproportionate. Finally, it ruled that Facebook violates the rights of data subjects as a result of non-compliance with its fair notice obligations under the Privacy Act.

Consequently, the Court ordered Facebook, under forfeiture of an incremental penalty of 250 thousand EUR per calendar day of non-compliance, to cease:

1. The placement of non-functional cookies for tracking purposes through Facebook social plug-ins, Facebook-pixels or similar technologies on websites of the Facebook domain or on third party websites, unless:

  • The data subject has been fully informed in a clear, concise and intelligible manner (information obligation),

  • In so far as these cookies are not strictly necessary for the service expressly requested, the data subject has consented in a free, specific and unambiguous manner to both the placing and the use of these cookies; or in case the data subject has signed out or deactivated from Facebook, he or she has consented to the continued use of these cookies (freely given, specific, informed and unambiguous consent),

  • In so far as these cookies are not strictly necessary for the service expressly requested, the data subject has been given the possibility to refuse without the access to the Facebook.com-domain being limited or made difficult (freely given, specific, informed and unambiguous consent).

2. The collection and the use of non-functional cookies for tracking purposes, through Facebook social plug-ins, Facebook-pixels or similar technological means on third party websites in a way which is disproportionate regarding the purposes of the cookies concerned.

In this respect, the Court considered to be "disproportionate":

  • The systematic use of cookies with a security purpose when the data subject is not connected or trying to connect to Facebook (e.g. no log-in and no use of social plug-ins);

  • The systematic use of cookies with an advertising purpose on websites outside the Facebook.com domain when the data subject has indicated that he or she does not wish information on his or her browsing behaviour to be used for advertising purposes and

  • The systematic use of cookies to verify a Facebook user's identify or to register if he or she chose to stay signed in when visiting websites that do not belong to the Facebook.com domain or trying to use social plugins.

3. The use of misleading information regarding the scope of measures that Facebook uses to control the use of cookies.

This point is slightly surprising. Indeed, following the summary proceedings judgement of the Court of First Instance, Facebook had amended its cookie banner and cookie policy, providing more detailed information on the different types of cookies used, as well as information regarding the placement of cookies when visiting certain third party websites. The Court of Appeal initially ruled that the Belgian Privacy Commission did not demonstrate that the updated information (still) justified urgent measures, suggesting that the changes were sufficient.

However, on the merits, the Court of First Instance has now decided that the updated information is in fact still insufficient and misleading for data subjects.

Finally, the Court ordered Facebook to destroy any personal data of data subject on the Belgian territory, in so far as they have been obtained through cookies and social plug-ins in any manner covered by this cease and desist decision.

Considering its significant implications, Facebook is expected to appeal this decision.

 

Initially published in IAPP Privacy Tracker.

 

 

Related Work Areas

Technology