Facebook has won an appeal against a Belgian court ruling, which ordered it to stop tracking logged-out users who visit Facebook pages and other websites linked to Facebook.

On 29 June 2016 the Brussels Court of Appeal held that the Belgian data protection authority (the Belgian Privacy Commission), which brought the original case, does not have jurisdiction over Facebook’s operations in Ireland, where the data is actually processed.

How and why does Facebook track logged-out users?

Facebook uses cookies to track the browsing of Facebook users who are either not logged into their Facebook accounts or who have opted out of tracking.

Cookies are text files containing small amounts of information that are downloaded to a computer or mobile device when a website, such as Facebook, is visited. The cookies are then sent back to the same website on subsequent visits. Essentially, cookies allow a website to recognise a person’s device for various purposes, such as website navigation, remembering user preferences and tailoring advertising to the user.

When any person visits a Facebook page, a “datr” cookie is automatically placed on their device, which tracks every time that person visits another Facebook page or clicks a “like” button on a third-party website. In our previous post, we discussed a German court’s ruling that Facebook’s “like” button violates users’ privacy rights, because it sends personal information to Facebook without the users’ consent even where they do not click “like.” In this instance the datr cookie only sends information from third-party websites when a user clicks “like.”

The Belgian Privacy Commission initially claimed that Facebook tracks browsing to target advertising to non-users, but later abandoned this argument. Facebook claimed that the purposes of the datr cookies are to:

  • prevent the creation of fake accounts and spam accounts (used to gather email addresses for sending spam);
  • lower the risk of account theft;
  • protect users’ content against theft; and
  • prevent denial of service attacks that could prevent some users from accessing Facebook.

Facebook also claimed that the datr cookie does not contain any information that identifies a particular person and that the information is used in aggregated form and deleted after 10 days.

See Facebook’s cookie policy.

Facebook triumphs in court

In 2015 the Belgian Privacy Commission sought an order from a Brussels commercial court to stop Facebook from using cookies to track users when they aren’t logged in to Facebook. The order was granted on the basis that Facebook does not obtain explicit consent to track users in accordance with European privacy laws. Facebook was given 48 hours to comply, failing which it would have faced a daily fine of 250 000 Euros. To comply with the ruling, Facebook would have had to implement different methods of verifying that visits to Facebook pages, or interactions with Facebook, from a location in Belgium originated from a valid account-holder.

Facebook, however, appealed and was successful in having the ruling overturned.

Unfortunately the appeal court was not required to rule on whether the tracking of non-users through the datr cookie violates privacy laws. The decision was based on the fact that the Belgian Privacy Commission does not have jurisdiction over the processing of data in Ireland, where Facebook’s European operations are headquartered.

Cookies in South Africa

Unlike the European Union, there is no explicit requirement in South Africa that website users be notified of, and consent to, the use of cookies. The collection and use of personal information through cookies will only be required to comply with the Protection of Personal Information Act, 2013 (POPI) once it is fully in force. Websites will need to take reasonable steps to notify users of what personal information is being collected and for what purpose. The collection and use must also be justified on one of the grounds in POPI, such as consent, legitimate interest or necessity to perform a contract.

Given that Facebook has a presence in South Africa, the (yet to be appointed) South African information regulator may have jurisdiction over the use of cookies. This determination depends on whether any processing of the information actually occurs in South Africa and, if not, whether Facebook’s mere presence in the country is sufficient to find jurisdiction.