Articles

Brussels Court orders Facebook to stop collecting personal data of non-members

Brussels Court orders Facebook to stop collecting personal data of non-members

Brussels Court orders Facebook to stop collecting personal data of non-members

12.11.2015 BE law

Facebook uses “datr-cookies” to collect personal data of non-members. These datr-cookies are automatically installed on the browsers of non-members when they visit a Facebook.com webpage. Facebook also makes use of so-called “social plugins” on third-party websites, which allows internet users to use some of the functionalities offered by Facebook, such as “like”, “share”, or commenting on a webpage.

This article was co-written by Valerie Vanryckeghem

Whenever non-members visit a website that integrates a Facebook social plugin, this social plugin will communicate the information contained in the datr-cookie with Facebook, including the IP address of the internet user and the URL of the website concerned. Through this, Facebook is able to collect a significant amount of personal data of non-members.

On 13 May 2015, the Belgian Privacy Commission had already issued a recommendation in which it identified Facebook’s data processing actions as a violation of the Belgian Data Protection Act (the “DPA”) and urged Facebook to cease these practices immediately.

After it became clear that Facebook would not comply with the recommendation, the Privacy Commission sued Facebook before the Brussels Court of First Instance, alleging that Facebook’s processing of personal data of non-members violates the DPA.

In its judgment, the Brussels Court of First Instance first determined that the DPA applies. It held that the processing of personal data is inextricably linked to the activities of Facebook Belgium BVBA, even though the Irish Facebook entity performs the actual data processing and Facebook Belgium BVBA only performs marketing- and lobbying-related activities.

Next, the Brussels Court ruled that Facebook’s data processing violates the DPA for the following reasons:

  • Non-members were not given prior, clear, and complete information on Facebook’s data processing;
  • Non-members did not express their informed and unambiguous consent to Facebook’s data processing;
  • The data processing was not necessarily done with a view to Facebook’s legitimate interests, given that the interests of the non-members outweighed the interests of Facebook, namely the security of Facebook’s services offered. The Brussels Court found there were better and less intrusive methods for ensuring security;
  • The data processing did not serve a legitimate purpose, given that it was inadequate, irrelevant, and disproportionate to the intended purpose as portrayed by Facebook.

As a result, the Brussels Court ordered Facebook to cease the following within 48 hours:

  • The installation of datr-cookies at non-members’ computers when they visit the facebook.com domain, without providing prior and adequate information on this installation and the use that Facebook makes of the datr-cookies via social plugins;
  • The collection of the datr-cookie (and thus the personal data it contains) via social plugins placed on third-party websites.

Finally, the judgment imposes a penalty of €250,000 per day that Facebook fails to comply with the ruling.

Facebook has already announced that it will appeal against the decision of the Brussels Court. Facebook has also said that if they are blocked from using the datr-cookie, they would have to treat visits to its service from Belgium as untrusted logins, requiring a range of other verification methods to establish that people are accessing their accounts legitimately.

 

Click here to read the full text of the judgment (in Dutch)

 

Team

Related news

22.02.2019 BE law
Sarah De Wulf on challenges of SAP contracts and indirect use during a Beltug seminar.

Speaking slot - Sarah De Wulf, junior TMT associate, discusses SAP licensing agreements during a Beltug seminar on 20 February 2019. Many of the Beltug members are customers of SAP and face daily questions and challenges regarding SAP's software licensing policies.  These questions include (among others): how the licence models will evolve (especially in terms of the growth of cloud services) and how to cope with indirect access.

Read more

21.03.2019 NL law
15 aspects of Brexit you did not know

Short Reads - A Brexit without a deal, or with a deal that does not cover all relevant aspects, is still a potential scenario. We have highlighted a number of unexpected legal consequences of Brexit in such a no deal or incomplete deal scenario.

Read more

18.02.2019 EU law
Erik Valgaeren moderates a panel on Data Governance and Compliance during IBA's Silicon Beach Conference

Speaking slot - The discussion topic will cover various legal aspects relating to data lifecycle management, both for personal and non personal data. These aspects will include rights in and obligations regarding data, such retention obligations and portability rights. Practical suggestions on holistic data management and the role of the chief data officer will be debated.

Read more

Our website uses cookies: third party analytics cookies to best adapt our website to your needs & cookies to enable social media functionalities. For more information on the use of cookies, please check our Privacy and Cookie Policy. Please note that you can change your cookie opt-ins at any time via your browser settings.

Privacy – en cookieverklaring