A Belgian court has decided that a Facebook practice of tracking and registering the internet usage of members and non-members is unlawful and in breach of Belgian privacy law. The decision gave Facebook forty-eight hours from the moment it was served with the order to change its practice, or face fines of 250,000 euros a day.

Background

The case was brought by the Belgian Privacy Commission and revolves around Facebook's use of a special "Datr" cookie, which it places within an individual's web browser when they visit a Facebook page, even if they are not a registered user of the social network site. This cookie stays on the device for up to two years and allows Facebook to consult it whenever the user visits Facebook pages or any page where they could "like" or recommend a Facebook link. Facebook is able to track how long they stayed on the site, what they clicked and any preferences selected. The widespread use of social plug-ins, including Facebook's "like" function, on other websites meant that Facebook was able to track the surfing behaviour back to an individual's real identity.

Legal Issues

Facebook's original argument was that the Belgian court lacked jurisdiction because Facebook was only answerable to the Irish Data Protection Regulator, Ireland being where Facebook has its European Headquarters. The Belgian Court of First Instance found that it did have jurisdiction, as the national data protection law of a Member State will apply if the activities of a local establishment in that Member State are closely tied to those of the data controller. In this case Facebook had set up a local company in Belgium for marketing purposes.

The court also rejected the argument that there is no tracking of the personal data because the data collected is anonymised or deleted after some time. The court found that this was irrelevant since the collection of cookies and website data through plug-ins is enough to constitute the processing of personal data by Facebook.

Facebook's principal argument for using the "Datr" cookie was security. By being able to track someone's internet usage to the extent that they become personally identifiable, Facebook claimed this prevents the creation of fake accounts, reduces the risk of accounts being hijacked and protects user content against theft. The Belgian Privacy Commission argued, and the court agreed, that there are ways to do this without infringing so heavily on an individual's right to privacy and, furthermore, that this position was flawed given how easily criminals seeking to do any of these things could circumvent it.

Conclusion

Facebook has stated an intention to appeal the decision. However, if this fails, Facebook will have to change the way it works in Belgium. In particular, people will have to be given the option to make an informed decision before allowing Facebook to monitor their internet usage.

With this decision coming shortly after the ruling by the CJEU that the Safe Harbor provisions are in breach of European data protection law, Facebook seems to be the current focus of attack for European data protection regulators and faces the prospect of having to change the way that it processes and handles data in Europe.

© MacRoberts 2015
