A district court in Belgium ruled that Facebook is indeed violating EU’s privacy laws with its "shadow tracking" of users across the web. Unless the company changes its behavior, it will have to pay 250,000 euro ($310,000) a day in fines.
Facebook’s Difficult Time In The EU
Two years ago, Facebook emerged as the victor in a lawsuit launched by the Belgium Privacy Commission against the company for violations of EU privacy laws. The Commission accused Facebook of tracking both users and non-users of its platform across the web via the “datr” cookie.
Facebook has for years said that the datr cookie wasn’t meant to track users across the web, and when it got caught twice doing it anyway, the company said it was only a bug and that it would be fixed.
However, in the lawsuit at the time, Facebook argued that it has to use the datr cookie to track everyone for security purposes. Facebook argued that it could use the datr cookie to identify PCs infected by botnets. Earlier, Facebook had also announced that the datr cookie would be used for advertising purposes as well.
Facebook was able to win on technical grounds the first lawsuit, as the court then agreed with Facebook that the Belgium Privacy Commission didn’t have jurisdiction to sue Facebook, because the company had its headquarters in Ireland.
Since then, other European courts ruled that companies that have operations and a headquarters anywhere in Europe can be sued in any of the EU member states, if those countries find the company has been violating EU law. In one of those cases, Facebook also tried to argue that its Terms of Service say that any Facebook user can only sue it in the United States. The courts disagreed and called Facebook’s policy “abusive.”
New Belgium Ruling
A Belgium Court of First Instance said that users doesn’t do enough to teach users how it’s tracking them, for them to be able to give valid consent to that tracking. There is also too much uncertainty about the type of data that Facebook collects and users don’t know for how long the company stores the data.
Unless Facebook brings its privacy policies in line with Belgium and EU privacy law, the company has to stop tracking users surfing from Belgium. It must also destroy all unlawfully collected personal data. Failing that, Facebook will have to pay a fine of 250,000 euro ($310,000) a day until it makes those changes, or until it reaches a maximum of $100 million in fines.
The court also said that Facebook must publish the 84-page ruling on its website, and that the last three pages of the ruling will also go into Belgian newspaper.
Facebook wasn’t too happy with the ruling, and in a statement to Tom's Hardware, the company said that it’s going to appeal:
The cookies and pixels we use are industry standard technologies and enable hundreds of thousands of businesses to grow their businesses and reach customers across the EU. We require any business that uses our technologies to provide clear notice to end-users, and we give people the right to opt-out of having data collected on sites and apps off Facebook being used for ads.
We are preparing for the new General Data Protection Regulation with our lead regulator the Irish Data Protection Commissioner. We’ll comply with this new law, just as we’ve complied with existing data protection law in Europe.
Compliance doesn’t seem to mean the same to Facebook and the EU Data Protection Authorities, as well as most of the EU courts, which have already found that Facebook was violating--not complying--with EU privacy laws. Authorities from France, Ireland, Spain, and Germany are also investigating Facebook’s privacy practices.
Belgium Secretary of State for Privacy Philippe De Backer (Open Vld) said:
What a victory for privacy. You can not secretly follow someone on the internet without your knowledge, an important milestone for privacy in our country and Europe.