Facebook Faces Privacy Lawsuit From Belgian Watchdog

Facebook is being taken to court in Belgium by the national data protection watchdog over the tracking of non-users via social plugins. Last month the Belgian data protection authority (DPA) issued a recommendation on this point. It’s now stepped up action by filing a civil suit, due to get an initial hearing this Thursday, according to DeMorgen.

The action follows a detailed and highly critical report, commissioned by the Belgian DPA earlier this year, which slammed Facebook for a lack of transparency around its data collection practices and for, in the authors’ view, a raft of privacy violations of European law — including failure to secure valid consent from users for processing their data and building online profiles, and for “problematic” opt-outs for behavioral marketing, among other issues.

Since then the Belgian DPA has focused its follow up on issues raised in the eighth chapter of the report — which focuses on the tracking of users and non-Facebook users via cookies and social plug-ins distributed around the Internet on other websites and apps.

The DPA says months of discussions with Facebook have failed to yield the answers it has sought. This in part appears to be down to Facebook refusing to recognize the jurisdiction of the Belgian DPA to act on these matters. It’s arguing that it’s the role of the Irish DPA to rule on data protection issues pertaining to its business, given that’s where Facebook’s European headquarters is located.

Bringing a judicial case against Facebook in Belgium is the DPA’s attempt to get clarity on this jurisdiction point — as well as seek answers to its questions on Facebook’s tracking of non-users. DeMorgen notes it is the first time a European DPA has taken Facebook to court for failing to respect privacy laws, although a European class action privacy lawsuit against Facebook, led by privacy campaigner Max Schrems, is ongoing in Austria.

“First of all we want that Facebook recognizes the Belgian applicable law. That’s the first point. But we also want that the non-users of Facebook cannot be tracked anymore,” a spokeswoman for the Belgian DPA told TechCrunch.

If the Belgian courts grant jurisdiction in this case it could open Facebook up to additional lawsuits from other European data protection regulators with similar concerns.

In a statement provided to TechCrunch, a Facebook spokesman said: “We were surprised and disappointed that, after the CBPL had already agreed to meet with us on the 19th June to discuss their recommendations, they took the theatrical action of bringing Facebook Belgium to court on the day beforehand.

“Although we are confident that there is no merit to the CBPL’s case, we remain happy to work with them in an effort to resolve their concerns, through a dialogue with us at Facebook Ireland and with our regulator, the Irish Data Protection Commissioner.”

Facebook is still due to meet with the Belgian DPA on Friday for further discussions, but the DPA spokeswoman said the issue of the tracking of non-users was of such urgency it felt it had no choice but to take legal action.

“The tracking of non-users it’s so urgent that we could not wait for this so that’s why we said to Facebook ‘okay you don’t want to answer our questions about why you track non-users then we will have to take legal steps’,” she added. “They gave replies to us but not on our questions about why do you track non-Facebook users. How do you do this, why and what do you do with the collected data?”

The earlier report commissioned by the DPA includes the following explainer on how Facebook tracks users and non-users via social plugins and cookies:

Facebook places cookies whenever someone visits a webpage belonging to the facebook.com domain, even if the visitor is not a Facebook user. For non-users, one of the cookies placed by Facebook (called “datr”) contains a unique identifier and has an expiration date of two years. For users, Facebook uses a range of additional cookies which uniquely identify the user. Once these cookies have been set, Facebook will in principle receive the cookies during every subsequent visit to a website containing a Facebook social plug-in. Facebook will also receive additional information, including the URL of the webpage visited as well as information about the browser and operating system. This means that:
● Facebook tracks its users across websites even if they do not make use of social plug-ins,
and even if they are not logged in; and
● Facebook tracking is not limited to Facebook users.
Facebook’s “Like Button”, the most popular Facebook social plug-in, is currently present on more than 13 million sites, covering almost all website categories including health and government websites.

Addressing this specific concern in a previous statement, Facebook pointed out that use of cookies for ad targeting purposes is a widespread (and, as it stands, legal) practice across “virtually all websites” — noting also that it complies with opt-out requests via the European Interactive Digital Advertising Alliance.

“Cookies have been an industry standard for more than 15 years. If people want to opt out of seeing advertising based on the websites they visit and apps they use, they opt out through the EDAA, whose principles and opt out we and more than 100 other companies comply with. Facebook takes this commitment one step further: when you use the EDAA opt out, we opt you out on all devices you use and you won’t see ads based on the websites and apps you use,” Facebook noted.