Articles

Brussels Court orders Facebook to stop collecting personal data of non-members

Brussels Court orders Facebook to stop collecting personal data of non-members

Brussels Court orders Facebook to stop collecting personal data of non-members

12.11.2015 BE law

Facebook uses “datr-cookies” to collect personal data of non-members. These datr-cookies are automatically installed on the browsers of non-members when they visit a Facebook.com webpage. Facebook also makes use of so-called “social plugins” on third-party websites, which allows internet users to use some of the functionalities offered by Facebook, such as “like”, “share”, or commenting on a webpage.

This article was co-written by Valerie Vanryckeghem

Whenever non-members visit a website that integrates a Facebook social plugin, this social plugin will communicate the information contained in the datr-cookie with Facebook, including the IP address of the internet user and the URL of the website concerned. Through this, Facebook is able to collect a significant amount of personal data of non-members.

On 13 May 2015, the Belgian Privacy Commission had already issued a recommendation in which it identified Facebook’s data processing actions as a violation of the Belgian Data Protection Act (the “DPA”) and urged Facebook to cease these practices immediately.

After it became clear that Facebook would not comply with the recommendation, the Privacy Commission sued Facebook before the Brussels Court of First Instance, alleging that Facebook’s processing of personal data of non-members violates the DPA.

In its judgment, the Brussels Court of First Instance first determined that the DPA applies. It held that the processing of personal data is inextricably linked to the activities of Facebook Belgium BVBA, even though the Irish Facebook entity performs the actual data processing and Facebook Belgium BVBA only performs marketing- and lobbying-related activities.

Next, the Brussels Court ruled that Facebook’s data processing violates the DPA for the following reasons:

  • Non-members were not given prior, clear, and complete information on Facebook’s data processing;
  • Non-members did not express their informed and unambiguous consent to Facebook’s data processing;
  • The data processing was not necessarily done with a view to Facebook’s legitimate interests, given that the interests of the non-members outweighed the interests of Facebook, namely the security of Facebook’s services offered. The Brussels Court found there were better and less intrusive methods for ensuring security;
  • The data processing did not serve a legitimate purpose, given that it was inadequate, irrelevant, and disproportionate to the intended purpose as portrayed by Facebook.

As a result, the Brussels Court ordered Facebook to cease the following within 48 hours:

  • The installation of datr-cookies at non-members’ computers when they visit the facebook.com domain, without providing prior and adequate information on this installation and the use that Facebook makes of the datr-cookies via social plugins;
  • The collection of the datr-cookie (and thus the personal data it contains) via social plugins placed on third-party websites.

Finally, the judgment imposes a penalty of €250,000 per day that Facebook fails to comply with the ruling.

Facebook has already announced that it will appeal against the decision of the Brussels Court. Facebook has also said that if they are blocked from using the datr-cookie, they would have to treat visits to its service from Belgium as untrusted logins, requiring a range of other verification methods to establish that people are accessing their accounts legitimately.

 

Click here to read the full text of the judgment (in Dutch)

 

Team

Related news

20.05.2020 NL law
Stibbe in Amsterdam answers questions from consumers, small business foundations and NGOs about the coronavirus [updated]

Inside Stibbe - In a special Q&A (in Dutch), lawyers from our Amsterdam office share their legal expertise and strive to provide answers to questions put to us by consumers, self-employed persons, enterprises large and small, foundations and NGOs as a result of the corona crisis.

Read more

07.05.2020 NL law
E-book 'De huidige NOW en de verwachte wijzigingen in de nieuwe/verlengde NOW (NOW 2.0)'

Articles - Op 1 april 2020 werd de Tijdelijke noodmaatregel overbrugging voor behoud van werkgelegenheid gepubliceerd (“NOW”). Sinds 6 april 2020 is het UWV-loket geopend en kunnen werkgevers een aanvraag doen voor loonkostensubsidie onder de NOW. Op 30 april 2020 waren er ongeveer 114.000 aanvragen ingediend bij het UWV.

Read more

08.04.2020 NL law
Schadevergoeding bij de bestuursrechter op grond van de AVG voor feitelijk handelen van een bestuursorgaan?

Short Reads - Op 1 april 2020 heeft de Afdeling bestuursrechtspraak van de Raad van State (“Afdeling”) een viertal uitspraken gewezen waarin zij oordeelt over het verzoek tot toekenning van schadevergoeding door een bestuursorgaan op grond van de (Europese) Algemene Verordening Gegevensbescherming (AVG).

Read more