Facebook’s tracking of non-users ruled illegal again

Another blow for Facebook in Europe: Judges in Belgium have once again ruled the company broke privacy laws by deploying technology such as cookies and social plug-ins to track internet users across the web.

Facebook uses data it collects in this way to sell targeted advertising.

The social media giant failed to make it sufficiently clear how people’s digital activity was being used, the court ruled.

Facebook faces fines of up to €100 million (~$124 million), at a rate of €250,000 per day, if it fails to comply with the court ruling to stop tracking Belgians’ web browsing habits. It must also destroy any illegally obtained data, the court said.

Facebook expressed disappointment at the judgement and said it will appeal.

“The cookies and pixels we use are industry standard technologies and enable hundreds of thousands of businesses to grow their businesses and reach customers across the EU,” said Facebook’s VP of public policy for EMEA, Richard Allan, in a statement. “We require any business that uses our technologies to provide clear notice to end-users, and we give people the right to opt-out of having data collected on sites and apps off Facebook being used for ads.”

The privacy lawsuit dates back to 2015 when the Belgium privacy watchdog brought a civil suit against Facebook for its near invisible tracking of non-users via social plug-ins and the like. This followed an investigation by the agency that culminated in a highly critical report touching on many areas of Facebook’s data handling practices.

The same year, after failing to obtain adequate responses to its concerns, the Belgian Privacy Commission decided to take Facebook to court over one of them: How it deploys tracking cookies and social plug-ins on third-party websites to track the internet activity of users and non-users.

Following its usual playbook for European privacy challenges, Facebook first tried to argue the Belgian DPA had no jurisdiction over its European business, which is headquartered in Ireland. But local judges disagreed.

Subsequently, Belgian courts have twice ruled that Facebook’s use of cookies violates European privacy laws. If Facebook keeps appealing, the case could end up going all the way to Europe’s supreme court, the CJEU.

The crux of the issue here is the pervasive background surveillance of internet activity for digital ad targeting purposes which is enabled by a vast network of embedded and at times entirely invisible tracking technologies — and, specifically in this lawsuit, whether Facebook and the network of partner companies feeding data into its ad targeting systems have obtained adequate consent from their users to be so surveilled when they’re not actually using Facebook.

“Facebook collects information about us all when we surf the Internet,” explains the Belgian privacy watchdog, referring to findings from its earlier investigation of Facebook’s use of tracking technologies. “To this end, Facebook uses various technologies, such as the famous ‘cookies’ or the ‘social plug-ins’ (for example, the ‘Like’ or ‘Share’ buttons) or the ‘pixels’ that are invisible to the naked eye. It uses them on its website but also and especially on the websites of third parties. Thus, the survey reveals that even if you have never entered the Facebook domain, Facebook is still able to follow your browsing behavior without you knowing it, let alone, without you wanting it, thanks to these invisible pixels that Facebook has placed on more than 10,000 other sites.”

Facebook claims its use of cookie tracking is transparent and argues the technology benefits Facebook users by letting it show them more relevant content. (Presumably, it would argue non-Facebook users “benefit” from being shown ads targeted at their interests.) “Over recent years we have worked hard to help people understand how we use cookies to keep Facebook secure and show them relevant content. We’ve built teams of people who focus on the protection of privacy — from engineers to designers — and tools that give people choice and control,” said Allan in his response statement to the court ruling.

But given that some of these trackers are literally invisible, coupled with the at times dubious quality of “consents” being gathered — say, for example, if there’s only a pre-ticked opt-in at the bottom of a lengthy and opaque set of T&Cs that actively discourage the user from reading and understanding what data of theirs is being gathered and why — there are some serious questions over the sustainability of this type of “pervasive background surveillance” adtech in the face of successful legal challenges and growing consumer dislike of ads that stalk them around the internet (which has in turn fueled growth of ad-blocking technologies).

Facebook will face a similar complaint in a lawsuit in Austria, filed by privacy campaigner and lawyer Max Schrems, for example. In January Schrems prevailed against Facebook’s attempts to stall the lawsuit after Europe’s top court threw out the company’s claim that his campaigning activities cancelled out his individual consumer rights. (Though the CJEU’s decision did not allow Schrems to pursue a class action style lawsuit against Facebook as he had originally hoped.)

Europe also has a major update to its data protection laws coming in May, called the GDPR, which beefs up the enforcement of privacy rights by introducing a new system of penalties for data protection violations that can scale as high as 4 percent of a company’s global turnover.

Essentially, GDPR means that ignoring the European Union’s fundamental right to privacy — by relying on the fact that few consumers have historically bothered to take companies to court over legal violations they may not even realize are happening — is going to get a lot more risky in just a few months’ time. (On that front, Schrems has crowdfunded a not-for-profit to pursue strategic privacy litigation once GDPR is in place — so start stockpiling the popcorn.)

It’s also worth noting that GDPR strengthens the EU’s consent requirements for processing personal data — so it’s certainly not going to be easier for Facebook to obtain consents for this type of background tracking under the new framework. (The still being formulated ePrivacy Regulation is also relevant to cookie consent, and aims to streamline the rules across the EU.)

And indeed, such tracking will necessarily become far more visible to web users, who may then be a lot less inclined to agree to being ad-stalked almost everywhere they go online primarily for Facebook’s financial benefit.

The rise of tools offering tracker blocking offers another route for irate consumers to thwart online mass surveillance by ad targeting giants.

“We are preparing for the new General Data Protection Regulation with our lead regulator the Irish Data Protection Commissioner. We’ll comply with this new law, just as we’ve complied with existing data protection law in Europe,” added Facebook’s Allan.

It’s still not fully clear how Facebook will comply with GDPR — though it’s announced a new global privacy settings hub is coming. It’s also running a series of data protection workshops in Europe this year, aimed at small and medium businesses — presumably to try to ensure its advertisers don’t find themselves shut out of GDPR Compliance City and on the hook for major privacy legal liabilities themselves, come May 25.

Of course Facebook’s ad business not only relies on people’s web browsing habits to fuel its targeting systems, it relies on advertisers liberally pumping dollars in. Which is another reason consumer trust is so vital. Yet Facebook is facing myriad challenges on that front these days.

In a statement on its website, the Belgium Privacy Commission said it was pleased with the ruling.

“We are of course very satisfied that the court has fully followed our position. For the moment, Facebook is conducting a major advertising campaign where it shares its attachment to privacy. We hope he will put this commitment into practice,” it said.