The Belgian Commission for the Protection of Privacy released this week what it's calling a "recommendation" (as opposed to a "decision") outlining its argument that it has competence to take action against Facebook, despite Facebook's arguments that the Irish Office of the Data Protection Commissioner should have sole competence in the EU.
After outlining its correspondence with Facebook going back to January 16, and recapping the contents of a meeting held with Facebook April 29, the commission then outlined its reasoning for its opinion that it "is undeniable that the Privacy Commission has the competence–granted to it by the Privacy Act and Directive 95/46/EC–to take measures against the processing of personal data by Facebook."
Essentially, that reasoning boils down to this: All subsidiaries of Facebook, Inc., including Facebook Ireland, are simply extensions of Facebook, Inc., which is therefore the only real data controller. The incorporated entity Facebook Belgium SPRL is based on Belgian soil. Therefore, Facebook, Inc. is a data controller under the commission's purview.
The commission spends a good portion of its recommendation establishing its reasoning for believing that Facebook, Inc., is the only relevant entity that could exist as a data controller. For example, the commission notes that the officers of Facebook Belgium SPRL are all top-ranking officials at Facebook, Inc., who live the U.S. And that Securities and Exchange Commission filings by Facebook, Inc., speak "of one single operational business unit, viz. Facebook, Inc., in the United States of America, and states that the power of decision-making for all transactions lies exclusively with the CEO, and not with another person. Facebook also confirmed that Facebook, Inc., is responsible for storing all user data collected."
The commission even cites an employment ad placed by Facebook for a public policy manager at Facebook Belgium, which "has the object of supporting, representing and advising the entire Facebook Group."
All of this leads the commission to conclude, "Facebook Ireland cannot be considered as the only controller, and only Facebook, Inc., can be qualified as such."
Then, the commission applies the EU Court of Justice (CJEU) ruling in the Costeja-Google Right To Be Forgotten case: "CJEU provided complete clarity with its interpretation in this context: The court was of the opinion that a member state's national data protection law is applicable if the activities of an establishment, incorporated in that member state, are inextricably connected to the activities of the controller, and this regardless of the question of whether the establishment performs data processing activities or not."
Therefore, the commission's reasoning runs, "there is no doubt that the Privacy Commission is competent and that Belgian privacy law applies, since Facebook processes data as described in this recommendation and has an establishment in Belgium, the activities of which are inextricably linked to its activities. Facebook consequently has to take all measures in order for Belgian data protection law to be applied and abided by on Belgian territory."
• Full transparency to users of cookie use;
• No collection of data via social plug-ins without explicit consent;
• Opt-in mechanism for all data collection and only for expressly requested services;
• Until all of that is done, "it must limit its range of integration possibilities for social plug-ins to privacy-friendly versions meeting data protection requirements," which the commission goes on to outline, and
• Facebook must adapt its interface to make any cookie use opt-in going forward.
The commission also provides recommendations to non-Facebook websites that use Facebook plug-ins. Essentially, the commission recommends against using direct Facebook plug-ins entirely, and suggests instead the use of tools such as Social Share Privacy as a way to get user consent for similar data-sharing.
Finally, the commission provides recommendations for users to avoid data collection. It offers up services such as Ghostery, Disconnet.me and Privacy Badger specifically, and also suggest the use of incognito browsing.
Clearly, there remains another shoe to drop, which is what happens should Facebook maintain its position that only Ireland has competence to regulate the company in the EU. The Belgian Commission, which notes it is working in coordination with Hamburg, The Netherlands, Spain and France, has staked its position. The next move would appear to be Facebook's.
Image Credit: PavelD
If you want to comment on this post, you need to login.