What’s The Problem?
According to Belgium’s privacy watchdog, the Belgian Commission for the Protection of Privacy (CPP), Facebook placed tracking code in the form of ‘cookies’ on third-party websites. This would mean that Facebook’s actions did not comply with Belgium’s privacy laws because:
- It tracked people without consent.
- It tracked people who were not Facebook users.
- It (presumably) stored the tracked personal data that it obtained illegally in the first place.
If Facebook fails to comply with Belgium’s CPP it could face fines of £221,000 per day.
Facebook is reported to have expressed disappointment at the verdict and has stated that it is simply using the same industry standard cookies and pixels that other EU businesses use to help them grow their business.
This latest case appears to be the latest round in a long-running, ongoing dispute between the social media giant and the CPP. For example, back in November 2015, the CPP won a case against Facebook concerning the tracking of people with a ‘datr cookie’ when they visited pages on the site and clicked on like or share, even if they had never registered for an account, or if they had but weren’t even logged in.
Facebook was able to appeal and win an overturning of the verdict because it was judged that Belgian courts didn’t have international jurisdiction over Facebook Ireland i.e. because the data collected by the cookies was stored on servers in Dublin, the European base of Facebook’s operations.
The CPP then indicated that it would try to appeal against Facebook’s successful appeal through Belgium’s court of cassation, using a Yahoo case as an example. With Yahoo, for example, it was ruled back in 2015 that finding against Yahoo wouldn’t have to mean intervention outside of Belgium, and that, since Yahoo actively participated in the economic life of Belgium by using the domain name .be or displaying ads based on users’ location e.g. in Belgium, it voluntarily submitted itself to Belgian law.
What Does This Mean For Your Business?
This story has commercial, legal and political aspects to it. Cookies can provide useful information and functions for businesses e.g. helping to personalise user browsing experiences, and gathering information about users of the company website - usually with an initial registration of consent by users of a website.
With this Facebook case, as web users, we may feel uneasy that trusted companies may be tracking all-comers without consent. This kind of story reminds us all about the importance of privacy and security, and its worth remembering that cookies sent over the web without encryption i.e. if the website doesn’t have HTTPS in front of the domain, could be a security risk because they are readable by anyone on a network and could sensitive data e.g. credit card details, e-mail address and more. Google, for example, has just announced that from July, Chrome will be labelling websites without HTTPS as ‘Not Secure’ to try and combat this kind of risk.
The legal aspect of this case relates to which country has jurisdiction over the actions of a company whose services are used in that country, but the HQ and the data storage are in another country. This is another long-running legal argument e.g. Apple’s tax breaks in Ireland.
Many see the EU and people like the EU’s commissioner for competition, and measures like greater regulation and taxation as being useful to curb some of the more suspect behaviour of the big US Internet companies in Europe.
The introduction of GDPR should also provide greater protection for EU citizens in terms of online privacy and security. The UK will soon not be an EU member, but will have its own similar Bill added to UK law, but this could produce more legal grey areas.
There is clearly a political dimension to this story too as Belgium seeks to hold a powerful overseas company to account, and it wouldn’t be the first time that an EU country has tried to do this.