The use of the datr-cookie by the Social Network is not compatible with Belgian Privacy Laws
An article by Pieter Gryffroy*
A. Introduction
In a recent judgment of 9 November 2015[1] following a lawsuit brought by the Belgian Commission for the Protection of Privacy (further: the CPP), the President of the Dutch division[2] of the Court of First Instance in Brussels ordered Facebook[3] to cease registering the surfing behaviour of Belgian Internet users who do not have a Facebook account through the use of cookies and social plug-ins.
B. Facts of the Case
The case arose from Facebook’s November 2014 announcement that it would change certain policies relating to its terms of use and the consequent concerns raised by Facebook users, the general media and governmental institutions in Belgium.[4] As a result, the CPP opened a technical and legal investigation in order to assess whether the proposed changes would meet the requirements of Belgian Privacy Law.[5] In the light of this investigation, the CPP called upon the technical expertise of researchers at the Katholieke Universiteit Leuven and the Vrije Universiteit Brussel. In their report of 31 March 2015, titled “From Social Media Service to Advertising Network. A Critical Analysis of Facebook’s Revised Policies and Terms”[6] the researchers revealed that Facebook was using a so-called datr-cookie to track the surfing behaviour of people who do not have a Facebook account.[7]
Essentially, this means that when an Internet user without a Facebook account visits a page on the facebook.com-domain, such as personal pages of private persons or organisations,[8] Facebook will install the datr-cookie on the computer of the visitor.[9] The datr-cookie will, save interference by the owner of the device, remain on the HDD for two years.[10] The purpose of this cookie is to uniquely identify the Internet user through an IP-address and to automatically send the browser history information it gathers to Facebook every time the Internet user accesses a website, which features any of the so-called social plug-ins offered by Facebook.[11] Social plug-ins, such as the “like” option or the “comment” option are often[12] used on third party websites in order to boost their content, thus profiting from Facebook’s popularity.[13]
Given the fact that Internet users who have no Facebook account have never agreed to any of Facebook’s policies, let alone to have their surfing behaviour tracked, the CPP took issue with this practice and demanded that Facebook stop.[14] Facebook consistently refused to cease its activities claiming, first that it only installs the datr-cookie when Internet visitors directly interact with Facebook content, e.g. by visiting a site of the Facebook.com-domain, thereby at least implicitly agreeing to this processing of information,[15] and second that the datr-cookie is of vital importance for Facebook in order to protect its users and non-registered users against different digital security threats.[16] Following the continued reluctance of Facebook to cooperate, the CPP brought the matter before the President of the Court of First Instance, seeking provisional measures requiring Facebook to cease its practices.[17]
C. The Judgment
I. Jurisdiction of the Court and Applicable Law
In its judgment, the Court starts by assessing its jurisdiction and the applicability of Belgian Law to the conflict. During the course of the proceedings, Facebook maintained that the Irish Privacy Commission was the only competent institution to pass judgment on Facebook’s activities in the EU, which would have equally meant that only Irish law was of any relevance.[18] The Court, however, holds that following article 4.1.a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Belgian Privacy Law is applicable to the conflict because the processing of personal data was carried out in the context of the Belgian establishment. The Court reasons that it is not important which of the companies of the Facebook concern actually processed the data, nor whether this happened within the EU or outside of it.[19] It states that it has been proven that the main activities of Facebook Belgium BVBA/SPRL are to provide support in Facebook’s public policies and to provide support in selling and delivering marketing services (in Belgium) to the Facebook group.[20] With an explicit reference to the CJEU’s Google Spain case,[21] the Court concludes that since the activities of companies such as Facebook Belgium are necessary to make Facebook’s service, which includes the processing of personal data, commercially viable, they are inextricably linked to the activities of the (mother) company actually processing the personal data (i.e. the controller).[22] In any case the processing of the data is carried out in the context of the activities of the Belgian establishment and therefore Belgian law applies.[23]
The Court then turns to its international jurisdiction and very concisely states that since the activities of the companies of the Facebook concern are inextricably linked, and given that the Belgian subsidiary is therefore an establishment of the controller of the processing of personal data in the sense of article 4.1.a) of Directive 95/46/EC, the involvement of the Belgian subsidiary was not artificial and justifies the international jurisdiction of the Belgian Courts.[24] Moreover, the Court points out that since the applicant seeks provisional measures, the Court would still have jurisdiction, even if a foreign judge would have sole jurisdiction to hear the merits of the case.[25]
II. Urgency
After confirming that the CPP indeed has the required capacity and interest to bring its claim,[26] the Court turns to the issue of urgency, which is a mandatory requirement in proceedings seeking provisional measures.[27] It finds that the matter is indeed urgent because the breach of fundamental rights is always a matter of urgency. Moreover, Directive 95/46/EC explicitly aims to protect such fundamental rights.[28] The Court further states that the fact that the alleged breach stands to harm a large group of people and often concerns very sensitive information, such as information relating to health, religion and sexual or political preferences, only strengthens the finding of urgency.[29]
As a last remark, the Court adds that the CPP was not negligent in terms of the timing of its actions. This is because the CPP acted immediately after the rendering of the CJEU’s Google Spain judgment,[30] which reshaped the state of EU law concerning the applicability of the law of a Member State to Internet service companies that operate on their territory through an establishment, but without locally processing personal data. Therefore, urgency has not been lost, nor has the CPP created this urgency through its own inaction.[31] Having found that urgency exists, the Court moves on to the merits of the claim for provisional measures.
III. The Assessment under Belgian Privacy Law
- The Information Collected by the datr-cookie is Personal Data
The Court commences its assessment by refuting Facebook’s argument that the datr-cookie only identifies computers and does not concern personal data. It states, citing the CJEU’s SABAM decision,[32] that IP addresses do indeed constitute personal data, making the automatic processing of those IP-addresses and uniquely identifying cookies such as the datr-cookie a processing of personal data in the sense of article 2b of the Directive. Therefore Facebook needs to fulfil the requirements in articles 6 and 7 of the Directive, implemented in articles 4 and 5 of the Belgian Privacy Law.
- The Breach of Belgian Privacy Law
The court commences its assessment of Facebook’s practices under articles 4 and 5 of the Belgian Privacy Law by stating that Facebook has failed to prove that it has obtained the consent of Internet users on the Belgian territory to install and collect the datr-cookie and the information it gathers respectively.[33] The duration for which Facebook retains this information is in that regard irrelevant.[34] The court also rejected Facebook’s argument[35] that it has through the institution of a cookie banner, solved all possible issues concerning the lack of consent by non-members.[36]
The banner, which appears when an Internet user first visits a page on the Facebook.com-domain, states that by continuing to use the site, the Internet user agrees to Facebook’s cookie policies. However, when the non-registered[37] Internet user then clicks on links such as “Facebook services” or “our declaration of rights and duties” in order to assess whether he or she wishes to use Facebook’s services, the datr-cookie will be automatically installed although the non-registered user is still in the process of informing him- or herself. The same happens when a non-registered user clicks on a social plug-in offered by Facebook on a third party website, and subsequently chooses the “annul” option, trying to close the social plug-in.[38]
The Court logically finds that this does not amount to informed consent by the non-registered user for Facebook to either install the datr-cookie or to later collect the information gathered by the datr-cookie.[39] It further concludes that even if one could assume that consent is given to install the datr-cookie, the processing pursuant to Facebook’s practice would still be a prima facie[40] breach of article 6, 1° and 2° of the Directive, as implemented in article 4, 1° and 2° of the Belgian Privacy law.[41]
Next, the Court assesses whether, given the absence of unambiguous consent by the non-registered user, any of the other justifications contained in article 7 of the Directive and implemented in article 5 of the Belgian Privacy Law might exists for the processing of the personal data in question. If no such justification exists, this means that the processing of the personal data as such was not even allowed in the first place.[42] The Court reaches the conclusion that none of the grounds mentioned in article 7 of the Directive are present, but devotes special attention to the rejection of the ground mentioned in article 7, f), namely the legitimate interests of the data controller.[43]
Earlier in the proceedings Facebook had argued that the datr-cookie was essential for the protection of the security of Facebook’s services.[44] The Court harshly rejects that argument stating (freely translated) that “even a digital illiterate understands that systematically collecting the datr-cookie cannot by itself be sufficient to counter the [cyber]attacks Facebook mentions, because criminals can very easily avoid the cookie with software which blocks cookies from being installed”.[45] The Court goes on to state that there are much less intrusive methods to realize the security goals Facebook invokes, to which it certainly has access.[46] Therefore, although Facebook has a legitimate interest in its security, the processing such as in casu is in no way necessary (or proportionate) to safeguard that interest.[47]
The Court finishes its full rejection of Facebook’s arguments by clarifying that even if there was any ground to process the personal data at issue at all, processing the data as happened in casu would still have been incompatible with articles 6, 2° and 3° of the Directive, as implemented in articles 4, 2° and 3° of the Belgian privacy Law.[48]
- The provisional measure
As a result of the foregoing, the Court orders Facebook to stop installing the datr-cookie as well as to stop collecting the information it gathers through the use of social plug-ins on third party sites within 48 hours after it has been given notice of the judgment.[49] It equally orders Facebook to pay a non-compliancy penalty of 250.000 EUR to the CPP for each subsequent day it fails to fulfil its duties under the order. While considering the appropriate measure to be taken, the Court clarified that Facebook’s practice is a manifest breach of articles of the Belgian Privacy Law, which touch upon Belgian public policy.[50] It also reiterates that the breach affects the fundamental rights of a large number of persons, by illegally collecting sensitive information about them through the monitoring of their surfing behaviour.[51] Moreover, given the financial strength of Facebook, the Court argues that the non-compliance penalty of 250.000 EUR is justified.[52]
D. Conclusion
With this judgment the CPP has successfully forced Facebook to stop collecting information about the surfing behaviour of Internet users who do not have a Facebook account. This is certainly a noteworthy step towards effective enforcement of privacy on the Internet. However, there are some side-notes to be made.
First, this judgment only concerns non-registered users. The situation for registered Facebook users (people with a Facebook account) will for the time being remain the same, since they can be said to have consented to Facebook’s policies.
Second, the judgment only concerns the situation for the Belgian territory, although other national data protection authorities can be expected to follow in the footsteps of the CPP.[53] Especially the national authorities in Germany and The Netherlands, who were part of and European task force investigating Facebook’s practices in the EU[54] can be expected to take action in the near future. Reaching EU-wide coverage will nonetheless take some time, unless Facebook decides to stop using the datr-cookie on non-registered users EU-wide or even worldwide, given that a Federal Appeals Court in the USA recently reinstated a class action against Google based on very similar grounds.[55]
If Facebook is to change its practices on a large scale and on a lasting basis it will have to be effectively forced to do so. This is reflected in the fact that Facebook has already announced its decision to appeal the judgment before the Brussels Court of Appeal, stating that it has been using cookies for more than 5 years without facing privacy complaints.[56] Nonetheless, the judgment will remain enforceable notwithstanding the appeal.[57] It will take effect once it has been translated and notice has been given to all the defendants.[58]
As a consequence of the judgment, Facebook has announced that it will (temporarily) stop collecting personal data of Belgian non-registered users.[59] However, instead of only preventing the datr-cookie from being installed when non-registered users visit a page on the Facebook.com-domain, Facebook has also decided to make public pages, such as a person’s or organization’s public profile page unavailable to this category of internet users.[60] From the moment the judgment has been served onwards, internet users on the Belgian territory will have to log on to Facebook to see such pages or, in case of non-registered users, register with Facebook in order to be able to access these public pages.[61] Rather then simply changing its practice of tracking non-registered Internet users, Facebook seems to have found another incentive for non-registered users on the Belgian territory to join the social network and therefore agree to Facebook’s tracking policies.
The reactions in the Belgian media have unsurprisingly been rather negative. Both the Belgian State Secretary for Privacy and the President of the CPP have stated that unless Facebook’s reaction is a temporary solution, caused by Facebook’s inability to comply with the judgment in such a short timeframe, it is to be considered a clear form of blackmail, intended to escape the consequences of the judgment by forcing non-registered users to create an account.[62]
Moreover, the CPP has declared through its President that it considers that Facebook’s decision creates a situation which is contrary to the right to freedom of information and that it will try to persuade its European colleagues to take appropriate action.[63] The reasoning here is that if all (or most) national data protection authorities take similar action, Facebook will be forced to stop using the datr-cookie on non-registered users while maintaining access for that group since it cannot restrict access for non-registered users to all its public pages EU-wide without losing substantial revenue. It remains to be seen whether this is true. In any case, it seems that Facebook’s solution is in principle legally sound under both Belgian Law and European Data Protection Law as they stand.
Looking to the future, on the one hand, the growing awareness among national data protection authorities in the EU[64] carries within it the promise that if Facebook is indeed breaching European Data Protection Law, it will not escape the responsibility of tomorrow by evading it today.[65] On the other hand, holding Facebook accountable might turn out to be a pyrrhic victory if it results in greatly restricted access to public pages for non-registered users, who might in turn be pressured into creating an account after all. Therefore, whether this judgment and its aftermath will cause a substantial change in Facebook’s ability to track the surfing behaviour of current non-registered Internet users across the EU remains to be seen.
————————————————
* Pieter Gryffroy was a reserach assistant at the Jean-Monnet-Chair of Prof. Dr. Giegerich for European Law and European Integration. He studied law in Leuven (LLB and LLM at the KU Leuven) and in Saarbrücken (Europa-Institut).
[1] President of the Court of First Instance Brussels, 9 November 2015, available online at: https://www.privacycommission.be/sites/privacycommission/files/documents/Vonnis%20Privacycommissie%20v.%20Facebook%20-%2009-11-2015.pdf, last accessed on 15/11/2015.
[2] In the bilingual area of Brussels, the Courts have both a Dutch- and French-speaking division.
[3] The proceedings were brought against three defendants of the Facebook concern, namely Facebook Inc., Facebook Ireland Limited and Facebook Belgium BVBA/SPRL.
[4] President of the Court of First Instance Brussels, 9 November 2015, p. 8
[5] Id.
[6]Available online at: https://www.law.kuleuven.be/citip/en/news/item/facebooks-revised-policies-and-terms-v1-2.pdf, last accessed on 15/11/2015.
[7] Ibid., p. 8-9.
[8] E.g. as part of a Google search in order to gather information about a certain person or organisation.
[9] Ibid., p.9.
[10] Id.
[11] Id.
[12] The researchers found that the “like” button was present on 32% of the 10.000 most popular sites, regardless of the category of sites concerned (see Id.).
[13] Ibid. p. 6.
[14] Ibid. p. 10.
[15] Ibid. p.7.
[16] Ibid. p. 6-8.
[17] Ibid. p. 11.
[18] Ibid. p. 9; this was based on the idea that only Facebook Ireland Limited would be an establishment in the sense of Directive 95/46/EC, offering the Facebook service (and thus processing personal data) for the whole EU, whereas daughter companies in other Member States, such as Facebook Belgium BVBA/SPRL merely serve to maintain relations with the national governments and to provide lobbying support (see ibid. p. 3).
[19] Ibid. p. 13.
[20] Ibid. p. 14.
[21] CJEU, case C-131/12, Google Spain SL and Google Inc. versus Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, ECLI:EU:C:2014:317, in particular paras. 52-57.
[22] Ibid. p. 14-15.
[23] Ibid. p. 16.
[24] The court doesn’t mention any legal grounds, but this is based on the requirements of article 5 of the Belgian law on international jurisdiction (Wetboek Internationaal Privaatrecht); this is also reflected in the CJEU’s case law on articles 4 and 8(1) of regulation 1215/2012 (Brussels I), which are however not applicable here.
[25] Again, the Court does not mention legal grounds. This is based on article 35 of regulation 1215/2012 (Brussels I) in conjunction with article 10 Wetboek Internationaal Privaatrecht.
[26] Ibid. p. 17-18.
[27] Article 584 of the Belgian Code of Civil Procedure.
[28] Ibid., p. 18-19.
[29] Ibid., p. 19.
[30] CJEU, case C-131/12, Google Spain SL and Google Inc. versus Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, ECLI:EU:C:2014:317.
[31] Id.
[32] CJEU, case C-70/10, Scarlet Extended SA versus Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM), ECLI:EU:C:2011:771, para. 51.
[33] President of the Court of First Instance Brussels, 9 November 2015, p. 23.
[34] Id.
[35] Ibid. p. 7.
[36] Ibid. p. 24.
[37] That is, not registered on Facebook.
[38] The cookie is not installed if the annul option is not chosen, but in that case, one will be redirected to a site on the facebook.com-domain.
[39] President of the Court of First Instance Brussels, 9 November 2015, p. 24.
[40] Since the proceedings concern provisional measures, only a prima facie analysis can be conducted.
[41] President of the Court of First Instance Brussels, 9 November 2015, p. 26.
[42] Ibid. p. 27.
[43] Ibid. p. 26-28.
[44] Ibid. p. 8.
[45] Ibid. p. 28.
[46] Ibid. p. 29.
[47] Ibid. p. 29.
[48] Id.
[49] Ibid. p. 32.
[50] Ibid. p. 30.
[51] Ibid. p. 30.
[52] Ibid. p. 31.
[53] Data protection authorities in five Member States are currently investigating Facebook: Belgium, France, Germany, The Netherlands and Spain.
[54] http://arstechnica.co.uk/tech-policy/2015/12/facebook-bows-to-belgium-will-stop-tracking-non-facebook-users/, last visited 03/12/2015.
[55] The case is available online at: http://www2.ca3.uscourts.gov/opinarch/134300p.pdf, last visited on 15/11/2015.
[56] See the New York Times article “Facebook to appeal a Belgian Court’s ruling on data privacy”, available online at: http://www.cnbc.com/2015/11/11/facebook-appeal-belgian-courts-ruling-on-data-privacy.html, last visited 15/11/2015.
[57] President of the Court of First Instance Brussels, 9 November 2015, p. 31, p. 33.
[58] The proceedings were brought against three defendants of the Facebook concern, namely Facebook Inc., Facebook Ireland Limited and Facebook Belgium BVBA/SPRL. See fn. 3 supra.
[59] See the New York Times article “Facebook to appeal a Belgian Court’s ruling on data privacy”, fn. 55 supra.
[60] http://arstechnica.co.uk/tech-policy/2015/12/facebook-bows-to-belgium-will-stop-tracking-non-facebook-users/, last visited 03/12/2015.
[61] http://arstechnica.co.uk/tech-policy/2015/12/facebook-bows-to-belgium-will-stop-tracking-non-facebook-users/, last visited 03/12/2015; http://www.hln.be/hln/nl/4125/Internet/article/detail/2543949/2015/12/02/Facebook-schermt-publieke-pagina-s-af-voor-Belgische-surfers.dhtml, last visited 03/12/2015.
[62]http://www.hln.be/hln/nl/4125/Internet/article/detail/2544094/2015/12/02/Niet-toegeven-aan-chantage-door-Facebook.dhtml, last visited 03/12/2015.
[63] http://www.standaard.be/cnt/dmf20151202_02001867, last visited on 03/12/2015; http://www.hln.be/hln/nl/4125/Internet/article/detail/2544094/2015/12/02/Niet-toegeven-aan-chantage-door-Facebook.dhtml, last visited 03/12/2015.
[64] Facebook is currently already being investigated in five Member States, see fn. 53 supra.
[65] Loosely based on a quote by A. Lincoln (“You cannot escape the responsibility of tomorrow by evading it today”).
Suggested Citation: Gryffroy, Pieter, Belgian Court orders Facebook to stop tracking the surfing behaviour of non-members, jean-monnet-saar 2015, DOI: 10.17176/20220329-122521-0