Convicted on the merits: Facebook must play by the Belgian privacy and cookie rules
Tim Van Canneyt and Lisa De Smet, Fieldfisher
In a judgement of 16 February 2018, the Court of First Instance of Brussels has convicted Facebook for non-compliance with the Belgian privacy and cookie rules. The Court ordered Facebook to cease its current cookie use practices under forfeiture of an incremental penalty of 250.000 EUR per calendar day of non-compliance (with a maximum of 100 million EUR).
This is the provisional culmination of an intense legal battle between the Belgian Privacy Commission and Facebook, which started end of 2014 and which will likely continue before the Court of Appeal in the coming years.
1. What is this case about again?
In the summary proceedings case, the Court of First Instance of Brussels decided on 9 November 2015 that:
The Privacy Commission and courts have jurisdiction, despite Facebook's claim that it was only subject to the jurisdiction of the Irish data protection commissioner. In deciding this, the Court followed the reasoning adopted by the Privacy Commission in the aftermath of the ECJ's Google Spain and Weltimmo decisions (for a more detailed analysis, see our previous blog on this topic).
Facebook's processing of personal data violated both the Belgian Privacy Act and the Belgian Cookie Act, especially with regard to internet users on the Belgian territory who did not have a Facebook account.
The Court sentenced Facebook under forfeiture of an incremental penalty for non-compliance, to cease:
i) The placing of a specific browser-identification and tracking cookie (the so-called "datr-cookie") without prior adequate information regarding the placing of this cookie and the use thereof through social plugins, and
ii) The collection of the datr-cookie through social plug-ins placed on third party websites. The urgency for this preliminary ruling was found in the proclaimed massive violation of the fundamental right to privacy.
This preliminary ruling had been overturned by the Court of Appeal, which followed Facebook's argument that the Belgian courts had no international jurisdiction over Facebook Ireland and Facebook Inc.
Although the Court of Appeal found that the Belgian Courts did have jurisdiction over Facebook Belgium, it decided to dismiss the claim on the basis that the urgency requirement for this procedure had not been met. This was due to the fact that the Privacy Commission waited more than 3 years to initiate its proceedings after it found out about Facebook's disputed practices.
2. The decision on the merits
Considering the different view of the courts in the summary proceedings, the big question was therefore what the Court of First Instance would decide in the proceedings on the merits of the case.
a. Belgian courts have jurisdiction
With reference to the ECJ's Google Spain judgment, the Court ruled that the activities of Facebook Inc. and Facebook Ireland (together Facebook Group) on the one hand, and those of Facebook Belgium on the other hand, were inextricably linked on the following grounds:
The activities of Facebook Belgium (supporting advertisers in Belgium, sales and marketing activities and lobbying) were found to be focused on increasing and maintaining profits of the Facebook Group activities.
The Facebook Group activities, including the processing of personal data, were found to provide the means by which Facebook Belgium could perform its activities.
The activities of Facebook Belgium were consequently found to constitute trade activities for the data controller Facebook Ireland on the Belgian territory.
Applying the "establishment test", this allowed the Court to conclude that the Belgian Privacy Act was applicable to the processing of personal data in the context of the activities of the establishment Facebook Belgium, and that Facebook Ireland was responsible to ensure its compliance.
b. Facebook violates the Cookie Act
The Court basically ruled that Facebook's processing of personal data of both Facebook users and non-Facebook users for tracking purposes by means of cookies, social plug-ins and pixels, violates the Privacy Act and Cookie Act.
Firstly, the Court stated that Facebook has not obtained a valid consent for such processing of personal data and that no other legal basis for the processing can be relied upon. Furthermore, the Court found Facebook's processing to be unfair and disproportionate. Finally, it ruled that Facebook violates the rights of data subjects as a result of non-compliance with its fair notice obligations under the Privacy Act.
Consequently, the Court ordered Facebook, under forfeiture of an incremental penalty of 250 thousand EUR per calendar day of non-compliance, to cease:
1. The placement of non-functional cookies for tracking purposes through Facebook social plug-ins, Facebook-pixels or similar technologies on websites of the Facebook domain or on third party websites, unless:
The data subject has been fully informed in a clear, concise and intelligible manner (information obligation),
In so far as these cookies are not strictly necessary for the service expressly requested, the data subject has consented in a free, specific and unambiguous manner to both the placing and the use of these cookies; or in case the data subject has signed out or deactivated from Facebook, he or she has consented to the continued use of these cookies (freely given, specific, informed and unambiguous consent),
In so far as these cookies are not strictly necessary for the service expressly requested, the data subject has been given the possibility to refuse without the access to the Facebook.com-domain being limited or made difficult (freely given, specific, informed and unambiguous consent).
2. The collection and the use of non-functional cookies for tracking purposes, through Facebook social plug-ins, Facebook-pixels or similar technological means on third party websites in a way which is disproportionate regarding the purposes of the cookies concerned.
In this respect, the Court considered to be "disproportionate":
However, on the merits, the Court of First Instance has now decided that the updated information is in fact still insufficient and misleading for data subjects.
Finally, the Court ordered Facebook to destroy any personal data of data subject on the Belgian territory, in so far as they have been obtained through cookies and social plug-ins in any manner covered by this cease and desist decision.
Considering its significant implications, Facebook is expected to appeal this decision.
Initially published in IAPP Privacy Tracker.