News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Member Directory Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | Brussels court: Facebook must play by the Belgian privacy and cookie rules Related reading: Podcast: James Dempsey and John Carlin talk top trends in cybersecurity

rss_feed

""

In a judgement of Feb. 16, the Court of First Instance of Brussels has convicted Facebook for non-compliance with the Belgian privacy and cookie rules. The Court ordered Facebook to cease its current cookie use practices under forfeiture of an incremental penalty of 250.000 EUR per calendar day of non-compliance (with a maximum of 100 million EUR).

This is the provisional culmination of an intense legal battle between the Belgian Privacy Commission and Facebook, which started end of 2014 and which will likely continue before the Court of Appeal in the coming years.

What is this case about again?

Following a detailed examination of Facebook's use of cookies, the Privacy Commission published a recommendation on May 13, 2015, in which it urged Facebook to implement a number of corrective measures. Having been unable to reach an agreement with Facebook in subsequent weeks, the Privacy Commission took Facebook to court. It initiated both summary proceedings and a procedure on the merits.

In the summary proceedings case, the Court of First Instance of Brussels decided Nov. 9, 2015, that:

  • The Privacy Commission and courts have jurisdiction, despite Facebook's claim that it was only subject to the jurisdiction of the Irish Data Protection Commissioner. In deciding this, the court followed the reasoning adopted by the Privacy Commission in the aftermath of the Court of Justice of the EU's Google Spain and Weltimmo decisions (for a more detailed analysis, see our previous blog on this topic).
  • Facebook's processing of personal data violated both the Belgian Privacy Act and the Belgian Cookie Act, especially with regard to internet users in the Belgian territory who did not have a Facebook account.

The court sentenced Facebook under forfeiture of an incremental penalty for noncompliance, to cease:

  • The placing of a specific browser-identification and tracking cookie (the so-called "datr-cookie") without prior adequate information regarding the placing of this cookie and the use thereof through social plugins.
  • The collection of the datr-cookie through social plug-ins placed on third-party websites. The urgency for this preliminary ruling was found in the proclaimed massive violation of the fundamental right to privacy.

This preliminary ruling had been overturned by the Court of Appeal, which followed Facebook's argument that the Belgian courts had no international jurisdiction over Facebook Ireland and Facebook, Inc.

Although the Court of Appeal found that the Belgian courts did have jurisdiction over Facebook Belgium, it decided to dismiss the claim on the basis that the urgency requirement for this procedure had not been met. This was due to the fact that the Privacy Commission waited more than three years to initiate its proceedings after it found out about Facebook's disputed practices. 

The decision on the merits

Considering the different view of the courts in the summary proceedings, the big question was therefore what the Court of First Instance would decide in the proceedings on the merits of the case.

Belgian courts have jurisdiction
With reference to the ECJ's Google Spain judgment, the Court ruled that the activities of Facebook, Inc., and Facebook Ireland (together Facebook Group) on the one hand, and those of Facebook Belgium on the other hand, were inextricably linked on the following grounds:

  • The activities of Facebook Belgium (supporting advertisers in Belgium, sales and marketing activities and lobbying) were found to be focused on increasing and maintaining profits of the Facebook Group activities.
  • The Facebook Group activities, including the processing of personal data, were found to provide the means by which Facebook Belgium could perform its activities.

The activities of Facebook Belgium were consequently found to constitute trade activities for the data controller Facebook Ireland on the Belgian territory.

Applying the "establishment test," this allowed the court to conclude that the Belgian Privacy Act was applicable to the processing of personal data in the context of the activities of the establishment Facebook Belgium, and that Facebook Ireland was responsible to ensure its compliance.

Facebook violates the Cookie Act
Having dealt with the jurisdiction issue, the Court of First Instance then analyszat Facebook's use of cookies.

The court basically ruled that Facebook's processing of personal data of both Facebook users and non-Facebook users for tracking purposes by means of cookies, social plug-ins and pixels, violates the Privacy Act and Cookie Act.

Firstly, the court stated that Facebook has not obtained a valid consent for such processing of personal data and that no other legal basis for the processing can be relied upon. Furthermore, the court found Facebook's processing to be unfair and disproportionate. Finally, it ruled that Facebook violates the rights of data subjects as a result of non-compliance with its fair notice obligations under the Privacy Act.

Consequently, the court ordered Facebook, under forfeiture of an incremental penalty of 250 thousand EUR per calendar day of non-compliance, to cease:

  • The placement of non-functional cookies for tracking purposes through Facebook social plug-ins, Facebook-pixels or similar technologies on websites of the Facebook domain or on third party websites, unless:
    • The data subject has been fully informed in a clear, concise and intelligible manner (information obligation).
    • In so far as these cookies are not strictly necessary for the service expressly requested, the data subject has consented in a free, specific and unambiguous manner to both the placing and the use of these cookies; or in case the data subject has signed out or deactivated from Facebook, he or she has consented to the continued use of these cookies (freely given, specific, informed and unambiguous consent).
    • In so far as these cookies are not strictly necessary for the service expressly requested, the data subject has been given the possibility to refuse without the access to the Facebook.com-domain being limited or made difficult (freely given, specific, informed and unambiguous consent).
  • The collection and the use of non-functional cookies for tracking purposes, through Facebook social plug-ins, Facebook-pixels or similar technological means on third party websites in a way which is disproportionate regarding the purposes of the cookies concerned

    In this respect, the court considered to be "disproportionate":

    • The systematic use of cookies with a security purpose when the data subject is not connected or trying to connect to Facebook (e.g., no login and no use of social plug-ins).
    • The systematic use of cookies with an advertising purpose on websites outside the Facebook.com domain when the data subject has indicated that he or she does not wish information on his or her browsing behavior to be used for advertising purposes.
    • The systematic use of cookies to verify a Facebook user's identify or to register if he or she chose to stay signed in when visiting websites that do not belong to the Facebook.com domain or trying to use social plug-ins.
  • The use of misleading information regarding the scope of measures that Facebook uses to control the use of cookies.

    This point is slightly surprising. Indeed, following the summary proceedings judgement of the Court of First Instance, Facebook had amended its cookie banner and cookie policy, providing more detailed information on the different types of cookies used, as well as information regarding the placement of cookies when visiting certain third party websites. The Court of Appeal initially ruled that the Belgian Privacy Commission did not demonstrate that the updated information (still) justified urgent measures, suggesting that the changes were sufficient.

    However, on the merits, the Court of First Instance has now decided that the updated information is in fact still insufficient and misleading for data subjects.

Finally, the court ordered Facebook to destroy any personal data of data subject on the Belgian territory, in so far as they have been obtained through cookies and social plug-ins in any manner covered by this cease and desist decision.

Considering its significant implications, Facebook is expected to appeal this decision. However, it is important to note that the judgment is provisionally enforceable. Therefore, pending the outcome of an appeal, Facebook will need to consider how to address the concerns raised if it wants to avoid having to pay the incremental penalties.

photo credit: Visual Content Legal Gavel & Open Law Book via photopin (license)

Authors
Headshot Tim Van Canneyt, CIPP/E IAPP Member Contributor
Headshot Lisa De Smet Nonmember Contributor
Tags
Europe
Privacy Law
Social Networking
Comments

If you want to comment on this post, you need to login.

Related Stories
EDPB to address pay or consent at next plenary
The European Data Protection Board published its 16 April plenary agenda, which includes discussion of an opinion regarding Meta's pay or consent advertising subscription model. Members will also review a letter to the European Consumer Organisation regarding coordinated enforcement of the EU Genera...
Read More queue Save This
Examining prior US Senate privacy law efforts
The Washington Post reports on the past work of the U.S. Senate Committee on Commerce, Science and Transportation and Sen. Maria Cantwell, D-Wash., the current committee chair, to pass comprehensive federal privacy legislation. The reporting details issues with hardline policy proposals, and an alle...
Read More queue Save This
ICO releases guidance on health data transparency
The U.K. Information Commissioner's Office released guidance for health care organizations to ensure patients are aware of how their personal data is collected and stored. The guidance aims to promote and improve "practical steps to developing effective transparency information."Full story...
Read More queue Save This
Related Stories
Tags
Europe
Privacy Law
Social Networking
Recent Comments