On 9 November 2015, the President of the Court of First Instance of Brussels (the "Court") ordered Facebook, Inc., Facebook Belgium SPRL and Facebook Ireland Limited ("Facebook") to cease the use of "datr" cookies for non-Facebook users under forfeiture of a daily penalty payment of 250,000 EUR.
The case had been brought by the Belgian Privacy Commission (Commissie voor de bescherming van de persoonlijke levenssfeer/Commission de la protection de la vie privée – the "Privacy Commission") following an earlier recommendation regarding Facebook's use of personal data (See, VBB on Business Law, Volume 2015, No. 5, p. 8-9, available at www.vbb.com).
The case hinges upon Facebook's use of a specific cookie, called the "datr" cookie, which Facebook argues to be necessary for the security and protection of its services. By contrast, according to the Privacy Commission, the installation and use of this cookie on the devices of non-Facebook users infringes data protection rules and gives Facebook insight into the Internet use of non-registered users. An investigation conducted at the request of the Privacy Commission indicates that the cookie is kept on the device for two years. The Privacy Commission contended that the use of the cookie infringes the Law of 8 December 1992 on the protection of personal data (Wet tot bescherming van de persoonlijke levenssfeer ten opzichte van de verwerking van persoonsgegevens/ Loi relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel) (the "DPL").
Application of Belgian Data Protection Law
The President of the Court first examined the application of the Belgian data protection legislation and the jurisdiction of the Belgian courts.
Facebook had argued that Facebook Ireland Limited should be considered as the "controller" and that this is decisive for determining the applicable national law under Article 4(1)(a) of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "Data Protection Directive").
However, the President of the Court held, based on the Google Spain judgment of the Court of Justice of the European Union of 13 May 2014 (See, VBB on Business Law, Volume 2014, No. 5, p. 6, available at www.vbb.com), that Article 4(1)(a) of the Data Protection Directive must be read to mean that the Belgian data protection rules apply if the activities of the local establishment of Facebook are inextricably linked with the activities of the data controller. In the case at hand, the President of the Court found that Facebook Belgium SPRL qualified as a local establishment and was responsible for specific commercial interests of Facebook, such as marketing and lobbying activities, and that therefore its activities are inextricably linked with the activities of the data controller, i.e., Facebook Inc.
The President also considered that it is not required that the personal data is processed by the Belgian establishment for Belgian data protection laws to apply. It is sufficient that the personal data is processed 'in the context of' the activities of this Belgian establishment. In that case, Belgian law applies, even if the actual processing is carried out by an affiliated company outside Belgium. If a company has various establishments in different Member States, the Data Protection Directive states that the controller must comply with each applicable national law. Consequently, the Court concluded that Belgian law applies, the Privacy Commission is competent and Belgian courts have jurisdiction to rule over the case at hand.
Urgency and Public Order Nature of Data Protection Laws
Second, in order to bring summary proceedings, the Privacy Commission had to show urgency. The President held that the urgency requirement is always met if the action relates to the infringement of fundamental rights and freedoms. The President also noted that this violation concerns a very large group of individuals and a significant number of websites.
Facebook's Compliance with Data Protection Principles
On the substance of the proceedings, the President of the Court determined that the combination of the cookies, IP-addresses and visited websites allows Facebook to monitor the surfing behaviour of the individual internet user.
The President of the Court considered that under Article 129 of the Law of 13 June 2005 on Electronic Communications (Wet betreffende de elektronische communicatie/Loi relative aux communications électroniques) the installation and use of cookies requires, as a rule, the prior consent of the user. The President added that the exceptions for which consent is not required did not apply to the "datr" cookie.
The President determined that a banner which Facebook recently posted to explain its cookie policy does not give rise to informed consent. In addition, a one-time visitor of the Facebook.com domain who is not a Facebook user cannot be considered to have explicitly solicited a Facebook service when he or she later visits a social plug-in of a third-party website.
The President went on to consider alternative grounds for consent and concluded that none of these grounds could be relied on by Facebook to install and use "datr" cookies. For instance, non-Facebook users do not have any kind of agreement with Facebook and therefore the processing of the information cannot be deemed to be necessary for the execution of the agreement or as a result of a legal obligation.
Facebook also argued that the processing was permitted because it is needed to pursue the legitimate interest of a secure service under Article 5, f) of the DPL. However, the President of the Court rejected that argument as well and held that any security consideration is primed by the fundamental right to privacy. This is because the processing on the basis of the "legitimate interest" criterion is only possible if this interest is not outbalanced by the need to protect the data subject's fundamental rights.
In the absence of a ground for legitimate processing, the President ruled that use of "datr" cookies falls short of Articles 4 §1, 1° and 4 §1, 2° of the DPL.
Facebook was thus held to process personal data without being able to present a specified, explicit and legitimate purpose. It thus violated the DPL and the Law on Electronic Communications. Facebook was therefore ordered (i) to stop placing "datr" cookies on devices of non-registered Facebook users who visit Facebook websites without prior information to such data subjects; and (ii) stop collecting "datr" cookies that are installed through social plug-ins on third party websites. Taking account of the public order nature of data protection rules and the large number of data subjects and websites involved, the President of the Court imposed a daily penalty of EUR 250,000 if Facebook fails to end the infringement.
Facebook plans to lodge an appeal against this judgment.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
