Global Freedom of Expression

Belgian Privacy Commission v. Facebook Ireland Limited

On Appeal Contracts Expression

Key Details

  • Mode of Expression
    Electronic / Internet-based Communication
  • Date of Decision
    November 9, 2015
  • Outcome
    Monetary Damages / Fines
  • Case Number
    Recommendation no. 04/2015 of 13 May 2015
  • Region & Country
    Belgium, Europe and Central Asia
  • Judicial Body
    First Instance Court
  • Type of Law
    Civil Law
  • Themes
    Cyber Security / Cyber Crime, Privacy, Data Protection and Retention
  • Tags
    Facebook, Internet, Social Media

Content Attribution Policy

Global Freedom of Expression is an academic initiative and therefore, we encourage you to share and republish excerpts of our content so long as they are not used for commercial purposes and you respect the following policy:

  • Attribute Columbia Global Freedom of Expression as the source.
  • Link to the original URL of the specific case analysis, publication, update, blog or landing page of the down loadable content you are referencing.

Attribution, copyright, and license information for media used by Global Freedom of Expression is available on our Credits page.

Case Analysis

Case Summary and Outcome

The President of the Belgian Court in Brussels adopted a Recommendation issued by the Belgian Privacy Commission finding that Facebook was violating Belgian law by tracking non-users on Facebook’s site. Following an appeal by Facebook, the Court of Appeal in Brussels dismissed the case on 8 May 2019 for lack of jurisdiction over the appellant because Facebook is headquartered in Dublin, Ireland and has no physical base of operations in Belgium. For that reason, the Court of Appeal referred the case to the European Court of Justice for preliminary rulings to determine if the Commission could pursue a case against Facebook Belgium BVBA (the appellant’s domestic counterpart) instead of the appellant, following the introduction of the GDPR and its ‘one-stop shop’ mechanisms.

Columbia Global Freedom of Expression notes that some of the information contained in this report was derived from secondary sources.


Facts

In November 2014, Facebook revised its Statement of Rights and Responsibilities, Data Policy and Cookie Policy. These new policies went into effect the following calendar year, and the Belgian Privacy Commission (the Commission) launched an investigation to determine their compliance with Belgian law.

On April 29, 2015, Facebook had a hearing before the Commission in which both sides presented evidence on the issues. Thereafter, the Commission issued a Recommendation, which found that Facebook was tracking non-users of Facebook’s and surfing history through social plugins even when the user was not accessing Facebook through the use of cookies, which violated Belgian law.  Under the Belgian Privacy Act, this processing of personal data is only permitted if Facebook can establish a “legitimate basis” upon which it collects data. This legitimate basis arises only through user consent or if it is necessary for the completion of a contract. Non-users of Facebook did never consented to this data collection, nor did the provisions of a contract apply to them. Therefore, there was not a “legitimate” basis for Facebook’s processing data of non-users and, further, Facebook’s systemic collection of data from its actual users was also “excessive” based on the development of its social plug-ins. However, the Belgian Privacy Commission does not have the authority to enforce orders and therefore sought an order from the judiciary to this effect under the Belgian Data Protection Act. At this stage, the EU’s General Data Protection Regulation (GDPR), which increased the powers of supervisory authorities such as the Commission, had not yet been introduced.

On 16 February 2018, the Court of First Instance of Brussels ruled that Facebook was non-compliant with Belgian cookie and privacy legislation, and ordered it to cease its current practices or face a maximum penalty of 100 million Euros. Facebook argued that it only needed to comply with Irish law, given its headquarters were in Ireland. The Court disagreed, finding that substantial activities were conducted in Belgium, therefore establishing sufficient contact to fall under Belgian jurisdiction. The Court did not issue a ruling on Facebook’s policies regarding users, and it is unclear if the Court adopted this portion of the recommendation.

Facebook then appealed to the Court of Appeal.


Decision Overview

The Court of Appeal dismissed the case on 8 May 2019 for lack of jurisdiction over Facebook. Crucially, no judgment on the merits was made available as the Court held that it only had jurisdiction with respect to Facebook Belgium BVBA for matters occurring after 25 May 2018 (the date of the GDPR’s entry into effect) – that is, the Court held it had no international jurisdiction to cover a case concerning Facebook Ireland Limited and Facebook Inc (its American counterpart), even if Facebook was tracking Belgian non-users through cookies.

For that reason, the Court of Appeal has now referred the case to the Court of Justice of the European Union (CJEU) to determine if the Commission can still pursue a case against Facebook Belgium BVBA following the introduction of the GDPR. This is important, as the GDPR has now increased the powers of supervisory authorities such as the Commission and introduced a ‘one-stop-shop’ mechanism for cross-border data processing (whereby one member state’s lead authority has the primary responsibility for dealing with a cross-border data processing activity).

The Court has requested a preliminary ruling from the CJEU on the following six questions:

  1. Does article 58.5 of the GDPR not apply in the case of cross-border processing, when the Member State wishing to commence legal proceedings is not the lead supervisory authority?
  2. What happens when the controller of this cross-border processing has an establishment in a Member State, but not its main establishment in that Member State?
  3. Can a national supervisory authority (i.e. the Commission) bring proceedings under the GDPR against the main establishment of this controller of data (i.e. Facebook Ireland Limited), or only the establishment in the Member State (i.e. Facebook’s Belgian counterpart)?
  4. Does it matter if the national supervisory authority has already initiated legal action prior to the entry into the effect of the GDPR (i.e. 25 May 2018)?
  5. Does article 58.5 have direct effect and can be relied upon by a national supervisory authority to initiate or continue proceedings against private parties even if the article has not yet been transposed into domestic law?
  6. If the national supervisory authority is allowed to bring claims under article 58.5, could  the outcome of the proceedings affect a contrary decision or finding of the lead supervisory authority in a different member state, if that lead supervisory authority investigates a similar or the same cross-border processing activity?

The hearings took place in October 2020, and the CJEU’s non-binding judgment is expected on 17 December, with the ruling to follow in July 2021.


Decision Direction

Quick Info

Decision Direction indicates whether the decision expands or contracts expression based on an analysis of the case.

Contracts Expression

This decision of the Brussels lower Court expanded expression through the protection of the privacy rights of non-users who are accessing Facebook. The Belgian Court ruled Facebook’s practice of tracking these non-users utilizing “cookies” violated Belgian law.

However, on appeal the decision was overturned when the Brussels Appeals Court found that Belgium was without jurisdiction to decide the issue, even though Facebook is tracking non-users in Belgium. Now Facebook may continue tracking non-users through the use of “cookies” on their website in Belgium.

Global Perspective

Quick Info

Global Perspective demonstrates how the court’s decision was influenced by standards from one or many regions.

Table of Authorities

Related International and/or regional laws

  • ECJ, Google Spain v. Agencia Española de Protección de Datos (AEPD), C-131/12 (2014)
  • EU, Directive 95/46/EC (1995)
  • ECJ, L'Oréal SA v. eBay International AG, Case C 324/09 (2011)
  • European Convention on Human Rights

    Article 13

National standards, law or jurisprudence

  • Belg., Belgian Privacy Act

Case Significance

Quick Info

Case significance refers to how influential the case is and how its significance changes over time.

The decision establishes a binding or persuasive precedent within its jurisdiction.

As a decision of the Appeals Court in Brussels, this decision will bind the trial court in Belgium.

Official Case Documents

Official Case Documents:


Reports, Analysis, and News Articles:


Have comments?

Let us know if you notice errors or if the case analysis needs revision.

Send Feedback