The Data Protection authority in Belgium, called the Commission for the Protection of Privacy (CPP), lost a legal battle against Facebook over the issue of tracking non-users of Facebook— that is, Facebook users that weren’t even logged in to the service–through the “Like” social media buttons that appear on other websites.
Facebook won in this case not necessarily because the appeals court thought Facebook was in the right to use such tracking, but because it thought Belgium courts have no jurisdiction over Facebook Ireland, where all the data of European Union citizens is gathered.
Facebook has been using the “DATR” cookie tracking since 2011, but it has always said (until recently) that it wasn’t tracking non-users. When it was caught doing so on two separate occasions, it said both times that it was just a software bug, and that it would be fixed.
Then, Facebook was caught doing it again last year in Belgium by a group of researchers, and the company responded with the following, in an official post on its website:
“Claim: Facebook wants to use Social Plugins to add cookies to the browsers of people who don’t use Facebook.
Fact: We don’t, and this is not our practice. However, the researchers did find a bug that may have sent cookies to some people when they weren’t on Facebook. This was not our intention – a fix for this is already under way.”
Later, when Facebook was sued by the CPP, the company’s new argument for the tracking of non-users became that it has been doing this sort of tracking for many years, but only to protect its users against security breaches.
One of the reasons why the CPP authority may have lost this case is because the previous Data Protection directive was used more as a guideline for how EU members can implement digital privacy laws at the national level. The EU Parliament recently passed the Data Protection regulation, which is a set of unified privacy laws that apply in the same way to all EU countries, but it won’t be implemented nationally for another two years.
Once the new Data Protection regulation goes live, if Facebook, for instance, violates the Data Protection regulation in one country, the company could be liable for that violation in any other EU country, as well. However, it may still be up to the privacy authorities in the country in which Facebook has its headquarters to start the investigation against Facebook on behalf of another country.
Alternatively, EU citizens themselves could also sue Facebook over privacy violations in the same way Max Schrems did when his case reached the Court of Justice of the European Union, which ended up declaring that the “Safe Harbor” data transfer agreement between the EU and the U.S. was invalid.
In the meantime, the CPP can still take this case to the Belgian Court of Cassation, the highest Court in Belgium, for another chance to win jurisdiction over Facebook and try to protection Belgian citizens’ privacy from foreign companies’ privacy violations.
