Articles

Brussels Court orders Facebook to stop collecting personal data of non-members

Brussels Court orders Facebook to stop collecting personal data of non-members

Brussels Court orders Facebook to stop collecting personal data of non-members

12.11.2015 BE law

Facebook uses “datr-cookies” to collect personal data of non-members. These datr-cookies are automatically installed on the browsers of non-members when they visit a Facebook.com webpage. Facebook also makes use of so-called “social plugins” on third-party websites, which allows internet users to use some of the functionalities offered by Facebook, such as “like”, “share”, or commenting on a webpage.

This article was co-written by Valerie Vanryckeghem

Whenever non-members visit a website that integrates a Facebook social plugin, this social plugin will communicate the information contained in the datr-cookie with Facebook, including the IP address of the internet user and the URL of the website concerned. Through this, Facebook is able to collect a significant amount of personal data of non-members.

On 13 May 2015, the Belgian Privacy Commission had already issued a recommendation in which it identified Facebook’s data processing actions as a violation of the Belgian Data Protection Act (the “DPA”) and urged Facebook to cease these practices immediately.

After it became clear that Facebook would not comply with the recommendation, the Privacy Commission sued Facebook before the Brussels Court of First Instance, alleging that Facebook’s processing of personal data of non-members violates the DPA.

In its judgment, the Brussels Court of First Instance first determined that the DPA applies. It held that the processing of personal data is inextricably linked to the activities of Facebook Belgium BVBA, even though the Irish Facebook entity performs the actual data processing and Facebook Belgium BVBA only performs marketing- and lobbying-related activities.

Next, the Brussels Court ruled that Facebook’s data processing violates the DPA for the following reasons:

  • Non-members were not given prior, clear, and complete information on Facebook’s data processing;
  • Non-members did not express their informed and unambiguous consent to Facebook’s data processing;
  • The data processing was not necessarily done with a view to Facebook’s legitimate interests, given that the interests of the non-members outweighed the interests of Facebook, namely the security of Facebook’s services offered. The Brussels Court found there were better and less intrusive methods for ensuring security;
  • The data processing did not serve a legitimate purpose, given that it was inadequate, irrelevant, and disproportionate to the intended purpose as portrayed by Facebook.

As a result, the Brussels Court ordered Facebook to cease the following within 48 hours:

  • The installation of datr-cookies at non-members’ computers when they visit the facebook.com domain, without providing prior and adequate information on this installation and the use that Facebook makes of the datr-cookies via social plugins;
  • The collection of the datr-cookie (and thus the personal data it contains) via social plugins placed on third-party websites.

Finally, the judgment imposes a penalty of €250,000 per day that Facebook fails to comply with the ruling.

Facebook has already announced that it will appeal against the decision of the Brussels Court. Facebook has also said that if they are blocked from using the datr-cookie, they would have to treat visits to its service from Belgium as untrusted logins, requiring a range of other verification methods to establish that people are accessing their accounts legitimately.

 

Click here to read the full text of the judgment (in Dutch)

 

Team

Related news

22.07.2021 NL law
Towards a European legal framework for the development and use of Artificial Intelligence

Short Reads - Back in 2014, Stephen Hawking said, “The development of full artificial intelligence could spell the end of the human race.” Although the use of artificial intelligence is nothing new and dates back to Alan Turing (the godfather of computational theory), prominent researchers – along with Stephen Hawking – have expressed their concerns about the unregulated use of AI systems and their impact on society as we know it.

Read more

19.07.2021 BE law
One year of Schrems II: a state of affairs for international data transfers

Articles - International data transfers have been the subject of intense debates ever since the Court of Justice issued its landmark judgement of Schrems I, on 6 October 2015. The intensity of the debate was further reinforced since the Schrems II decision one year ago, on 16 July 2020. The decision annulled the U.S. Privacy Shield and severely tightened the rules on the use of standard contractual clauses (“SCCs”).

Read more

18.05.2021 NL law
Kroniek: De bestuursrechtelijke aspecten van de AVG

Articles - Tom Barkhuysen, Steven Bastiaans en Fatma Çapkurt (Universiteit Leiden) schreven samen de eerste editie van de nieuwe jaarlijkse NTB kroniek: de bestuursrechtelijke aspecten van de AVG. Hierin bespreken zij onder meer de meest relevante (bestuursrechtelijke) jurisprudentie van het afgelopen jaar op het gebied van de AVG.

Read more

18.06.2021 NL law
FAQ: Wat houdt het Wetsvoorstel elektronische gegevensuitwisseling in de zorg (Wegiz) in en wat is de verhouding tot de AVG?

Short Reads - (Digitale) gegevensuitwisseling in de zorg is een actueel thema. Illustratief is een item bij EenVandaag van april 2021 waarin de analoge werkwijze bij gegevensuitwisseling in de zorg wordt aangekaart, maar ook dit artikel in het NRC van afgelopen maand waarin verslag werd gedaan van een datalek waardoor duizenden gevoelige patiëntgegevens op straat kwamen te liggen. 

Read more

04.05.2021 NL law
Participatie en privacyregels: hoe te combineren onder de Omgevingswet?

Short Reads - In het stelsel van de Omgevingswet (Ow) is een belangrijke rol bedacht voor participatie bij de totstandkoming van besluiten. Het beoogde resultaat: tijdig belangen, meningen en creativiteit op tafel krijgen en daarmee een groter draagvlak en kwalitatief betere besluitvorming bereiken. Door een grotere betrokkenheid van meer personen gaan overheden en initiatiefnemers ook meer persoonsgegevens verwerken. Dit brengt privacyrisico’s met zich mee. Wat regelt de Ow op het gebied van privacy, de verwerking van persoonsgegevens en datagebruik?

Read more