One day after Italy's antitrust regulators announced Facebook has been fined 3 million euros for putting an "excessive emphasis" on the need to agree with new data-sharing terms and conditions following its acquisition of WhatsApp, privacy regulators from the Netherlands, Belgium, France, Spain, and Germany have announced further enforcement actions and investigations. 

  • France announced a 150,000 euros fine for unlawful combination of information for targeted advertising and unlawful tracking.
  • Belgium announced new recommendations asking Facebook to curtail certain tracking via social plug-ins and what it considers "excessive" collection of personal data.
  • The Netherlands announced Facebook "violates data protection law" by "giving users insufficient information about the use of their personal data" and is assessing whether Facebook will now stop certain practices before issuing a sanction.
  • The Hamburg, Germany, DPA announced it had ordered Facebook to stop combining data from WhatsApp users without prior consent.
  • Spain announced it has opened "two infringement procedures," but did not provide more detail on what the alleged infringement entailed.

While, in the past, Facebook and other U.S. Internet firms have made the argument that only the local law of the country in which they are headquartered should apply in the EU, the collective DPAs responded to that argument directly in their statement. 

"The DPAs united in the Contact Group conclude that their respective national data protection law applies to the processing of personal data of users and non-users by the Facebook Group in their respective countries and that each DPA has competence." -DPA Contact Group statement

"The DPAs united in the Contact Group," they write, "conclude that their respective national data protection law applies to the processing of personal data of users and non-users by the Facebook Group in their respective countries and that each DPA has competence." They cite European Court of Justice cases such as Google Spain, Weltimmo, and Amazon in their reasoning. Further, they argue, "For its revenues, the Facebook Group almost completely depends on the sale of advertising space, and personal data must necessarily be processed for the type of targeted advertising services offered by the Facebook Group. Therefore, the activities of these offices are 'inextricably linked' to the data processing by the Facebook Group, and all the investigated national offices are relevant establishments under Article 4(1)a of the European Data Protection Directive 95/46/EC."

In a statement supplied to The Privacy Advisor, Facebook did not engage with the legal arguments in the DPAs' statement. “At Facebook, putting people in control of their privacy is at the heart of everything we do," said a spokesman. "We have invested a huge amount of time and resources to ensure that people understand which information we collect and the choices they have over how it is used. We’ve built teams of people who focus on the protection of privacy — from engineers to designers — and designed tools that give people choice and control. We’ll continue responding to officials’ questions, particularly as we prepare for Europe’s new data protection framework in 2018.”

There is no indication, however, that Facebook has changed its stance regarding applicable EU law. For instance, in 2015, Deputy CPO Stephen Deadman wrote for Privacy Perspectives that "a handful of authorities have recently opened competing investigations into Facebook’s practices rather than liaise with and draw upon the expertise of the IDPC and its audits. These efforts are contrary to both the Directive and the Article 29 Working Party’s own official guidance issued in 2010."

"We’ve built teams of people who focus on the protection of privacy — from engineers to designers — and designed tools that give people choice and control." -Facebook statement

The DPAs in the Contact Group appear to be concerned with two basic Facebook actions. First, the combination of data gathered via WhatsApp with the data gathered from Facebook users. At issue there is the definition of "prior consent." A German court has agreed with the Hamburg DPA that the consent gathered via Facebook's new terms of service does not meet German law, but it did not yet determine whether the Hamburg DPA has standing, given that it's unclear whether German law is applicable over Facebook.

Second is a larger issue where DPAs do not believe Facebook's tracking methods and targeting advertising methods are lawful. A Belgian court has already asked Facebook to cease using the datr cookie, for example, as has France's CNIL, but the Contact Group's statement brings up the datr cookie once again, alongside the CNIL's argument that Facebook's cookie notice does not adequately inform users that they will have personal information gathered when they visit a site using a so-called "social plug-in." Facebook has argued in the past that the datr cookie is necessary for security purposes and is not persistent. The Belgian DPA, specifically, says Facebook's use of cookies and pixels to track users across the web violates Belgian law surrounding "consent, fairness, transparency and proportionality" due to a "shortcoming" in communication with users.