Facebook has won an appeal against a Belgian court ruling, which ordered it to stop tracking logged-out users who visit Facebook pages and other websites linked to Facebook.
On 29 June 2016 the Brussels Court of Appeal held that the Belgian data protection authority (the Belgian Privacy Commission), which brought the original case, does not have jurisdiction over Facebook’s operations in Ireland, where the data is actually processed.
How and why does Facebook track logged-out users?
Cookies are text files containing small amounts of information that are downloaded to a computer or mobile device when a website, such as Facebook, is visited. The cookies are then sent back to the same website on subsequent visits. Essentially, cookies allow a website to recognise a person’s device for various reasons such as website navigation, remember user preferences and tailor advertising to the user.
When any person visits a Facebook page, a “datr” cookie is automatically placed on their device which tracks every time that person visits another Facebook page or clicks a “like” button on a third party website. In our previous post, we discussed a German court’s ruling that Facebook’s “like” button violates users’ privacy rights, because it sends personal information to Facebook without the users’ consent even where they do not click “like.” In this instance the datr cookie only sends information from third party websites when a user clicks “like.”
The Belgian Privacy Commission initially claimed that Facebook tracks browsing to target advertising to non-users, but later abandoned this argument. Facebook claimed that the purposes of the datr cookies are to:
- prevent the creation of fake accounts and spam accounts (used to gather email addresses for sending spam);
- lower the risk of account theft;
- protect users’ content against theft; and
- prevent denial of service attacks that could prevent some users from accessing Facebook.
Facebook also claimed that the datr cookie does not contain any information that identifies a particular person and that the information is used in aggregated form and deleted after 10 days.
Facebook triumphs in court
In 2015 the Belgian Privacy Commission sought an order from a Brussels commercial court to stop Facebook from using cookies to track users when they aren’t logged in to Facebook. The order was granted on the basis that Facebook does not obtain explicit consent to track users in accordance with European privacy laws. Facebook was given 48 hours to comply, failing which it would have faced a daily fine of 250 000 Euros. To comply with the ruling, Facebook would have had to implement different methods of verifying that visits to Facebook pages or interacting with Facebook from a location in Belgium originated from a valid account-holder.
Facebook, however, appealed and was successful in having the ruling overturned.
Unfortunately the appeal court was not required to rule on whether the tracking of non-users through the datr cookie violates privacy laws. The decision was based on the fact that the Belgian Privacy Commission does not have jurisdiction over the processing of data in Ireland, where Facebook’s European operations are headquartered.
Cookies in South Africa