Case Summary and Outcome

In this case, the Court of First Instance in Brussels ordered Facebook Inc., Facebook Ireland Ltd., and Facebook Belgium SPRL to stop the registration of cookies and social plugins on the browsers of Belgian Internet users who do not have Facebook accounts. Facebook was given 48 hours within which to comply with the order after the Privacy Commission served Facebook, or it would face a fine of 250,000 EUR per day for non-compliance.

Facts

The University of Brussels, as part of some ongoing research projects, had carried out extensive research on Facebook. In March 2015, it released a report entitled “From social media service to an advertising network: A critical analysis of Facebook’s new policies and new terms of use” in which one of the findings was that, through social plugins and cookies, Facebook processed the personal data of internet users who did not have Facebook accounts. The report stated that whenever someone who was not a Facebook user visited a website through the “facebook.com” domain, including through the personal Facebook pages of individuals and companies or other organizations, Facebook automatically placed a cookie on the hard disk of the user. This Facebook “datr” cookie would then contain unique identifying information from the browser of the Internet user and remain on his or her hard drive for two years. Following this report, the Privacy Commission of Belgium corresponded with Facebook in Belgium. Facebook argued that it was Facebook Ireland that had jurisdiction over Facebook’s activities in the EU and that should be subject to any process.  Facebook was prepared to give oral explanations of its services but rejected the applicability of Belgian privacy law and the jurisdiction of the Belgian Privacy Commission.

In May 2015, the Belgian Privacy Commission made a finding that the Belgian legislation was applicable and recommended that Facebook immediately cease the processing of personal data of non-Facebook users. The commission found that the processing by Facebook of the personal data of users without Facebook Accounts through cookies and social plugins violated parts of the Belgian Privacy Act and Article 129 of the Electronic Communications Act. The Privacy Commission recommended that Facebook stop the automatic placement and use of long-lasting and unique identifying Cookies of non-Facebook users.

Believing that Facebook would not cease these activities voluntarily, the privacy commission brought these proceedings. Facebook argued that it at least had the implicit, if not the explicit consent of the users for their data processing, and that only the Irish Privacy Commission had jurisdiction over its activities in the EU. Accordingly, Facebook argued that only Facebook Ireland could be held responsible with regard to the browsers on devices or the equipment of Belgian Internet users because there would be significant differences between the services offered by Facebook in the United States and Canada, and those offered by Facebook Ireland in the EU and elsewhere.

Following Facebook’s indictment in this case, Facebook began placing a cookie banner across the browsers of unregistered Facebook users in the EU. The cookie banner was designed after discussions with the Irish Privacy Commission. According to Facebook Ireland, the banner was rolled out across the EU to strengthen the permission EU Internet users provided when they interacted with the Facebook service. On a user’s first visit to a facebook.com website, Facebook would display the banner informing the user that Facebook uses cookies even when a visitor is an unregistered user. Facebook Ireland also provided a link to additional information on how to use the Facebook platform cookies.  In addition, Facebook Ireland argued that the datr security cookie played an extremely important role in the protection of the Facebook service for the benefit of both registered and non-registered Facebook users. Furthermore, Facebook argued that the information stored on cookies was not personal data and did not enable individual identification but merely the identification of a computer.

Decision Overview

The Court agreed with the Belgian Privacy Commission’s finding that the Belgian data protection law applied and that Belgian courts had jurisdiction. The Court rejected the argument that only Irish data protection law applied and that only Irish courts had jurisdiction citing the Google Spain case, which held that the national data protection law of an EU Member State will apply when the activities of an establishment in that Member State are inextricably linked to the activities of the data controller. It was held that this applied in the present case, because Facebook founded Facebook Belgium SPRL in Belgium and it is a local company performing lobbying activities, was involved in marketing and selling advertisement in Belgium for the Facebook group.

This was a summary proceeding and it was held that the urgency requirement of summary proceedings was met because the claims related to fundamental rights and freedoms (here the protection of privacy), which are always urgent. Furthermore, the claim did not just relate to the fundamental rights of a single individual but to those of an enormous group of people. In addition, millions of websites use Facebook social plugins, rendering it essentially unavoidable. The Court also found that Facebook processed the IP address as well as a “unique identifier” contained in Facebook’s datr cookie. The Court found that this was “personal data” and therefore the collection of such data constituted a “processing” of personal data.

The Court also found the collection of data on the surfing behavior of millions of people from Belgium who had decided not to join Facebook’s social network was a “manifest” violation of Belgian privacy laws, regardless of what the purpose behind the collections of the data. The Court gave the following reasons: Facebook had not obtained their consent collect data, so Facebook could not invoke an agreement with people who do not have a Facebook accounts; Facebook could not invoke a legal obligation to collect data; and finally, any security interest of Facebook was overridden by the fundamental right to privacy of people without Facebook accounts. The Court considered the processing of personal data of those without accounts as neither fair nor lawful since their data was being processed before they could fully inform themselves about Facebook’s services and when they do not want to use those services.

With regard to Facebook’s security argument, the Court found that it was not credible that collecting the datr cookie each time a social plugin is loaded on a website would be necessary for the security of Facebook’s services. It was held that even someone “internet illiterate” could understand that systematically collecting the datr cookie in such a manner Facebook was insufficient because any criminal could easily prevent the cookie from being installed through software which blocks cookie installation. It was held there were less intrusive methods of realizing the intended security goals that did not involve the processing of the personal data of people who did not have a Facebook accounts.