Belgium Privacy Watchdog Takes 100 Million Exceptions to Facebook’s Illegal Stalking

This entry was posted in Guest Contributor Opinion Privacy Today's Most Interesting Security News and tagged Facebook Peerlyst on by

By: Graham Joseph Penrose
Guest Contributor

 

Facebook was ordered on the 16th February 2018, in an 84 page judgment by a Belgian court, to stop collecting certain data on users or face daily fines of €250,000, with an upper cumulative limit of €100 million.

In summary Facebook must stop placing cookies on users’ computers unless:

  1. It has informed users “in a clear and comprehensive manner, fully and accurately” about several points including:
    1. The circumstances when Facebook places these cookies and then collects the data
    2. The purposes for which Facebook uses these cookies
    3. The nature of the data that Facebook collects
    4. The recipients or categories of recipients of the data collected
    5. The existence of the right to object, access and rectification, and
    6. The retention period of the data Facebook collects via cookies and social plug-ins.
  2. The individuals have consented “freely, specifically and unambiguously to both the placement and use of these cookies”
  3. The individuals have been given the “option to refuse” the placement of these cookies.
  4. The judgment also instructed Facebook to “cease providing information that might reasonably mislead data subjects”;
  5. To destroy within three months all personal data of every Internet user in Belgium obtained by means of cookies and social plug-ins;
  6. The publication of this judgment on Facebook’s website and in summary in the major Belgian newspapers;
  7. The penalty for failing to comply with this judgment is a fine of 250,000 Euros per day up to a maximum of 100 million Euros, and payment certain legal costs to Belgium’s Data Protection Commission.

But this has been a very long time coming and once again Facebook intends to appeal.

Before cases like this ever see the light of day it is the Facebook tactic to belittle the merits of every privacy case taken against it in the EU by claiming with wide incredulous eyes that they are already regulated by the southern Irish and are fully compliant in every respect with every request that has been made of them.

This tactic inevitably leads to delays which suits Facebook just fine. Most of the time it wears down the stamina and resources of anyone who chooses to take them on. Before the substantive matters even get a hearing there is a gargantuan battle over jurisdiction.

Jurisdictional Hide and Seek

The Belgian CPP case (2015 – ?) and the Schrems case (2011 – ?) are excellent illustrations of how Facebook and other US corporations use jurisdictional obfuscation within the EU to dodge their opponents and evade their responsibilities. They are aided in this endeavor by their pet Data Protection Commission in the Republic of Ireland.

Facebook had initially refused to recognize the Belgian and other EU national jurisdictions, insisting that it was subject only to the law in the Republic of Ireland, the site of its European headquarters.

At the time a Facebook spokeswoman questioned the Belgians’ authority on the basis that she asserted they were already compliant with the rules as they understood them and they had been more or less told so by the Irish Data Protection Commission. This claim will be rolled out plenty in coming years, as Ireland’s data protection regime struggles to control its US MNC masters post GDPR enactment.

Whether it is from Facebook chief security officer Alex Stamos or Richard Allan Facebook’s vice president of public policy for EMEA a variant of the same quote is spun out to bat down any objections to Facebook’s behavior from data protection commissions or private citizens elsewhere in Europe.

Facebook is already regulated in Europe and complies with European data protection law …… [INSERT ANY CASE NAME OR COMPLAINT HERE] …… we will of course review the recommendations when we receive them with our European regulator, the Irish Data Protection Commissioner.

It is a generally held view in Europe that US firms based in the Republic of Ireland engage in rampant tax avoidance, abuse their power, discourage local start-ups, and jeopardise privacy laws cherished by other Europeans with memories of authoritarian rule.

For the government of the Republic its all about the dollar.

The Loneliness of the Long Distance Litigator

This battle between Belgium’s privacy watchdog the CPP (Commission for the Protection of Privacy) and Facebook in relation to data illegally gathered on Belgian citizens (including non Facebook users) started in 2015.

Back in May 2015 the Commission for the Protection of Privacy (also known as CPVP [Commission de la protection de la vie privée] / CBPL [Commissie voor de bescherming van de persoonlijke levenssfeer] ) said that “Facebook tramples on European and Belgian privacy laws” after publishing a report analyzing changes that the company made to its privacy policies in January of that year.

In a judgement of 9 November 2015, the President of the Court of First Instance in Brussels, Belgium, ordered Facebook Inc., Facebook Ireland Limited and Facebook Belgium SPRL in summary proceedings to cease registering via cookies and social plug-ins which websites internet users from Belgium, who do not have a Facebook account, visit.

“The CPP had commissioned the report from researchers at the University of Leuven, which found that Facebook’s tracking of all visitors without explicit consent using cookies breached EU law. The CPP, which does not have powers to directly penalise companies, took Facebook to court later that year for its alleged “trampling” over Belgian and EU privacy law after failing to come to an agreement with the social network following the report’s findings.

The Belgian court ordered Facebook to stop tracking non-members at the end of 2015, threatening fines. Facebook appealed against the court’s ruling at the start of 2016, disputing that Belgium had jurisdiction over the social network as its European operations were headquartered in Dublin. Facebook also disputed the use of English in the ruling including the words “browser” and “cookie”, which the social network said was against Belgian law that stipulates only Dutch, French or German may be used.

Facebook then won on appeal, overturning the decision that blocked it from using its so-called “datr cookies” to track the internet activity of logged-out users in Belgium. That appeal has now been overturned, with the court backing the findings of the CPP.”

[Above quote sourced in full from Facebook ordered by Belgian court to stop collecting user data. Also find previous versions of the KU Leuven report Version 1.3 (25 August 2015), Version 1.2 (31 March 2015), Version 1.1 (23 February 2015) here]

Belgium’s privacy watchdog welcomed the ruling saying that “Facebook has just launched a large campaign where they stress the importance of privacy. We hope they will now make this a reality,”. They now see the next step to be consideration of these issues at the new EU Data Protection Board when it starts work in May 2018.

However, the decision received scant attention in the Irish media. Where it was covered, the Irish media focussed on the fact that Facebook disagreed with the decision and declared that Facebook intends to appeal and that it has developed tools that give people choice and control over the privacy of their data.

This article was originally posted on Peerlyst.