Cyber Security / Cyber Crime, Privacy, Data Protection and Retention, Surveillance
Schrems v. Data Protection Commissioner
On Appeal Expands Expression
Global Freedom of Expression is an academic initiative and therefore, we encourage you to share and republish excerpts of our content so long as they are not used for commercial purposes and you respect the following policy:
Attribution, copyright, and license information for media used by Global Freedom of Expression is available on our Credits page.
In this case, the Court of First Instance in Brussels ordered Facebook Inc., Facebook Ireland Ltd., and Facebook Belgium SPRL to stop the registration of cookies and social plugins on the browsers of Belgian Internet users who do not have Facebook accounts. Facebook was given 48 hours within which to comply with the order after the Privacy Commission served Facebook, or it would face a fine of 250,000 EUR per day for non-compliance.
In May 2015, the Belgian Privacy Commission made a finding that the Belgian legislation was applicable and recommended that Facebook immediately cease the processing of personal data of non-Facebook users. The commission found that the processing by Facebook of the personal data of users without Facebook Accounts through cookies and social plugins violated parts of the Belgian Privacy Act and Article 129 of the Electronic Communications Act. The Privacy Commission recommended that Facebook stop the automatic placement and use of long-lasting and unique identifying Cookies of non-Facebook users.
Believing that Facebook would not cease these activities voluntarily, the privacy commission brought these proceedings. Facebook argued that it at least had the implicit, if not the explicit consent of the users for their data processing, and that only the Irish Privacy Commission had jurisdiction over its activities in the EU. Accordingly, Facebook argued that only Facebook Ireland could be held responsible with regard to the browsers on devices or the equipment of Belgian Internet users because there would be significant differences between the services offered by Facebook in the United States and Canada, and those offered by Facebook Ireland in the EU and elsewhere.
The Court agreed with the Belgian Privacy Commission’s finding that the Belgian data protection law applied and that Belgian courts had jurisdiction. The Court rejected the argument that only Irish data protection law applied and that only Irish courts had jurisdiction citing the Google Spain case, which held that the national data protection law of an EU Member State will apply when the activities of an establishment in that Member State are inextricably linked to the activities of the data controller. It was held that this applied in the present case, because Facebook founded Facebook Belgium SPRL in Belgium and it is a local company performing lobbying activities, was involved in marketing and selling advertisement in Belgium for the Facebook group.
This was a summary proceeding and it was held that the urgency requirement of summary proceedings was met because the claims related to fundamental rights and freedoms (here the protection of privacy), which are always urgent. Furthermore, the claim did not just relate to the fundamental rights of a single individual but to those of an enormous group of people. In addition, millions of websites use Facebook social plugins, rendering it essentially unavoidable. The Court also found that Facebook processed the IP address as well as a “unique identifier” contained in Facebook’s datr cookie. The Court found that this was “personal data” and therefore the collection of such data constituted a “processing” of personal data.
The Court also found the collection of data on the surfing behavior of millions of people from Belgium who had decided not to join Facebook’s social network was a “manifest” violation of Belgian privacy laws, regardless of what the purpose behind the collections of the data. The Court gave the following reasons: Facebook had not obtained their consent collect data, so Facebook could not invoke an agreement with people who do not have a Facebook accounts; Facebook could not invoke a legal obligation to collect data; and finally, any security interest of Facebook was overridden by the fundamental right to privacy of people without Facebook accounts. The Court considered the processing of personal data of those without accounts as neither fair nor lawful since their data was being processed before they could fully inform themselves about Facebook’s services and when they do not want to use those services.
With regard to Facebook’s security argument, the Court found that it was not credible that collecting the datr cookie each time a social plugin is loaded on a website would be necessary for the security of Facebook’s services. It was held that even someone “internet illiterate” could understand that systematically collecting the datr cookie in such a manner Facebook was insufficient because any criminal could easily prevent the cookie from being installed through software which blocks cookie installation. It was held there were less intrusive methods of realizing the intended security goals that did not involve the processing of the personal data of people who did not have a Facebook accounts.
Decision Direction indicates whether the decision expands or contracts expression based on an analysis of the case.
The Court in this case held that Facebook could not collect the personal data of individuals without Facebook accounts through cookies and social plugins on the grounds that it was a violation of their fundamental right to the protection of privacy.
Global Perspective demonstrates how the court’s decision was influenced by standards from one or many regions.
Case significance refers to how influential the case is and how its significance changes over time.
Let us know if you notice errors or if the case analysis needs revision.