Greetings from Brussels!
This week’s key privacy news comes from Belgium, where the Belgian Court of First Instance issued an injunction against Facebook on Monday. The court gave Facebook 48 hours to stop tracking Belgian Internet users who do not have accounts with the social network or risk fines of up to €250,000 a day.
Facebook said it would abide by the ruling and also appeal against the order, which followed a case brought by Belgium’s privacy regulator in June saying that Facebook indiscriminately tracks Internet users when they visit pages on the site or click “like” or “share,” even if they are not Facebook members. The Tribunal said that Facebook’s practice of putting cookies on devices of non-Facebook registered users visiting Facebook violates Belgian data protection law. According to Facebook, these cookies are necessary for security reasons. The judge ruled that this is personal data, which Facebook can only use “if the Internet user expressly gives their consent, as Belgian privacy law dictates.”
Of equal importance, the Tribunal agreed with the Belgian data protection authority (DPA) and ruled that Facebook is subject to Belgian data protection law for all its activities in Belgium. Facebook argued that it organises its European activities entirely from its International HQ in Dublin, Ireland – as do many other multinational companies. Roughly 80 percent of Facebook’s 1.4 billion users outside North America are managed through its Irish base. Its argument was therefore that it only needs to take into account the Irish data protection legislation under the supervision of Ireland’s DPA. But the judge rejected this argument and referred to the decision of the European Court of Justice (ECJ) in the Google-Spain case as a precedent.
This precedent will certainly have the potential to create instability across Europe for businesses, not just Facebook. If the decision of the Brussels court is followed by other member states, other vocal DPAs could also claim to have legitimate authority and competence to supervise Internet-user activity in their jurisdictions. Let us not forget that the DPAs of the Netherlands, Hamburg (Germany) and Belgium have worked together, creating a group to monitor and investigate Facebook’s privacy policies. Both France and Spain have also expressed interest in this cooperation. With recent landmark ECJ rulings coupled with this more recent national court ruling, it would seem that the GDPR is more needed than ever; a harmonization of European data protection and privacy seems a necessary and sensible goal to establish standards of parity across the EU.
Failure to harmonise will see companies having to account for a diverse set of data protection regimes across the European single market. This would most likely translate into significant costs and constraints for businesses of all sizes, including the nimble innovators that are looking to make their mark on the global stage. In some quarters it is held that consumer behavior is shaping up increasingly in favor of privacy over convenience; this could invariably come with behavioral changes for businesses, particularly the digital industry. We shall have to wait and see how this plays out.