Articles

Brussels Court orders Facebook to stop collecting personal data of non-members

Brussels Court orders Facebook to stop collecting personal data of non-members

Brussels Court orders Facebook to stop collecting personal data of non-members

12.11.2015 BE law

Facebook uses “datr-cookies” to collect personal data of non-members. These datr-cookies are automatically installed on the browsers of non-members when they visit a Facebook.com webpage. Facebook also makes use of so-called “social plugins” on third-party websites, which allows internet users to use some of the functionalities offered by Facebook, such as “like”, “share”, or commenting on a webpage.

This article was co-written by Valerie Vanryckeghem

Whenever non-members visit a website that integrates a Facebook social plugin, this social plugin will communicate the information contained in the datr-cookie with Facebook, including the IP address of the internet user and the URL of the website concerned. Through this, Facebook is able to collect a significant amount of personal data of non-members.

On 13 May 2015, the Belgian Privacy Commission had already issued a recommendation in which it identified Facebook’s data processing actions as a violation of the Belgian Data Protection Act (the “DPA”) and urged Facebook to cease these practices immediately.

After it became clear that Facebook would not comply with the recommendation, the Privacy Commission sued Facebook before the Brussels Court of First Instance, alleging that Facebook’s processing of personal data of non-members violates the DPA.

In its judgment, the Brussels Court of First Instance first determined that the DPA applies. It held that the processing of personal data is inextricably linked to the activities of Facebook Belgium BVBA, even though the Irish Facebook entity performs the actual data processing and Facebook Belgium BVBA only performs marketing- and lobbying-related activities.

Next, the Brussels Court ruled that Facebook’s data processing violates the DPA for the following reasons:

  • Non-members were not given prior, clear, and complete information on Facebook’s data processing;
  • Non-members did not express their informed and unambiguous consent to Facebook’s data processing;
  • The data processing was not necessarily done with a view to Facebook’s legitimate interests, given that the interests of the non-members outweighed the interests of Facebook, namely the security of Facebook’s services offered. The Brussels Court found there were better and less intrusive methods for ensuring security;
  • The data processing did not serve a legitimate purpose, given that it was inadequate, irrelevant, and disproportionate to the intended purpose as portrayed by Facebook.

As a result, the Brussels Court ordered Facebook to cease the following within 48 hours:

  • The installation of datr-cookies at non-members’ computers when they visit the facebook.com domain, without providing prior and adequate information on this installation and the use that Facebook makes of the datr-cookies via social plugins;
  • The collection of the datr-cookie (and thus the personal data it contains) via social plugins placed on third-party websites.

Finally, the judgment imposes a penalty of €250,000 per day that Facebook fails to comply with the ruling.

Facebook has already announced that it will appeal against the decision of the Brussels Court. Facebook has also said that if they are blocked from using the datr-cookie, they would have to treat visits to its service from Belgium as untrusted logins, requiring a range of other verification methods to establish that people are accessing their accounts legitimately.

 

Click here to read the full text of the judgment (in Dutch)

 

Team

Related news

27.07.2020 NL law
Outsourcing laws and Regulation in the Netherlands – 2020

Articles - Are there any additional legal or regulatory requirements for outsourcing transactions undertaken by government or public sector bodies? What formalities are required to transfer, lease or license assets on an outsourcing transaction? Or, What are the most material legal or regulatory requirements and issues concerning data security and data protection that may arise on an outsourcing transaction?

Read more

29.07.2020 NL law
Over temperaturen ten tijde van corona

Articles - Met haar standpunt ten aanzien van het meten van temperaturen van werknemers, geeft de Autoriteit Persoonsgegevens (AP) verduidelijking over de reikwijdte van haar toezicht. Deze nuancering houdt in dat, als er geen sprake is van verwerking van persoonsgegevens, de AVG niet geldt en de AP dus niet handhavend kan optreden.

Read more

03.07.2020 NL law
E-book NOW-2: Second Temporary Emergency Bridging Measure Work Retention

Articles - On 17 March 2020, the Dutch cabinet announced the first emergency package of support measures to alleviate the economic consequences of the corona crisis. This emergency package inter alia comprised the First Temporary Emergency Bridging Measure for the purpose of Work Retention (“NOW-1”) and the Temporary Bridging Measure for Self-Employed Persons (“Tozo-1”).

Read more