29/05/15

Belgian Privacy Commission finds tracking of surfers by Facebook breaches privacy regulations

The Belgian Privacy Commission recommends that Facebook changes its practices of tracking internet surfers' behaviour, alleging that these practices breach both Belgian and European privacy regulations. The Privacy Commission threatens to initiate legal proceedings if Facebook fails to implement its recommendations of 13 May 2015.


Key concerns and recommendations

The Privacy Commission investigated the tracking by Facebook of the behaviour of internet surfers through social plug-ins outside the domain of Facebook's social network. These social plug-ins are website components, offered by Facebook to third party website owners, which allow sharing of content with Facebook's social network. Examples of social plug-ins are the widespread "Like" and "Share" buttons.

The Belgian Privacy Commission takes the view that Facebook's current tracking practices infringe Belgian privacy regulations:

  • Tracking through social plug-ins can only take place with the unambiguous and specific prior consent of Facebook users and only while the users are logged on to Facebook. Facebook's current opt-out approach does not meet the conditions for lawful consent. Tracking of surfing behaviour of non-users of Facebook or of surfers who are not logged on to Facebook is not permitted.
  • Facebook should provide full transparency about its tracking practices. For each separate tracking cookie, Facebook must specify its contents and purpose.
  • The design and operation of Facebook's social plug-ins should be adjusted to prevent privacy infringements.
  • Website owners or webmasters who use social plug-ins offered by Facebook should inform visitors to their websites of their use, and obtain visitors' consent for cookies and other meta files. A possible solution would be social network buttons not being activated until users have given their specific consent.

Jurisdiction of the Belgian Privacy Commission

The Facebook group has only one subsidiary in Belgium, which is mainly active in lobbying and which does not process personal data of Facebook users. Facebook therefore argued that the Belgian Privacy Commission has no authority over Facebook and that it is not subject to Belgian privacy regulations. Facebook considers that only Irish national data protection regulations apply to all European users of its social network, since the processing of user data takes place under the control of its Irish subsidiary.

The Belgian Privacy Commission dismissed those arguments and found that Facebook is subject to Belgian privacy regulations. Following the same reasoning as the Court of Justice of the EU in the ground-breaking 'right to be forgotten' case1, the Belgian Privacy Commission states that it is irrelevant whether Facebook's Belgian subsidiary processes the personal data of users or not, as long as its subsidiary's activities are inextricably connected to the activities of the Facebook group. Facebook, therefore, needs to comply with Belgian data protection regulations and with all other national data protection regulations of those EU jurisdictions where it has a subsidiary or an establishment.

Background

The Belgian Privacy Commission investigated the compliance of Facebook's new terms of use, which entered into force on 30 January 2015, with Belgian privacy regulations. As part of the investigation, the Privacy Commission commissioned a report from academic researchers (the "Report") and heard Facebook representatives.

The Report concluded that Facebook's new terms of use breach Belgian and European privacy regulations on eight counts. The Belgian Privacy Commission now seconds the allegations made against Facebook in relation to user-tracking practices. The Privacy Commission announced that further action will also be taken in relation to the other allegations made in the Report against Facebook, and that it will issue a second recommendation later this year.

Next steps

Under the current legislative framework, the Belgian Privacy Commission is not vested with fining or other administrative sanction powers, but it can begin legal proceedings. The Privacy Commission threatens to initiate criminal proceedings against Facebook if it fails to implement the Commission's recommendations. In line with the comprehensive reform of the data protection rules at EU level, the Privacy Commission could be granted strengthened enforcement powers in the near future.

The Belgian Privacy Commission's investigative attitude towards Facebook, as well as similar investigations recently launched by the Belgian State Secretary for Privacy against tech companies such as Snapchat and Uber, show that Belgium is strengthening its stance with respect to data protection enforcement. The trend towards more vigilance and assertiveness is likely to develop if the Belgian Privacy Commission is vested with new enforcement powers. Companies with an establishment on Belgian territory are therefore strongly recommended to ensure compliance of their business activities with Belgian data protection legislation.
The Belgian privacy watchdog states that it liaises with the data protection authorities of Hamburg, The Netherlands, Spain and France, in all of which countries Facebook has local establishments. Facebook's concerns about privacy regulations and tracking of surfers may thus not remain limited to Belgium alone.


Key issues

  • Facebook's tracking of surfers through social plug-ins on third party websites, including the widespread "Like" and "Share" buttons, are found not to be compliant with both Belgian and EU privacy regulations
  • Website owners using Facebook social plug-ins must properly inform their website visitors of their use and obtain their specific consent
  • Users of Facebook can only be tracked if the user has opted-in to this tracking; tracking should cease when users have logged out or deactivated their account
  • Facebook should refrain from tracking non-users of Facebook through social plug-ins
  • Facebook should adjust the design of its social plug-ins to prevent privacy infringements

1 CJEU Case C-131/12, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (13 May 2014)

dotted_texture