On November 9, 2015, the President of the Brussels Court of First Instance ordered Facebook to stop tracking non-members in Belgium without their consent. The court imposed a penalty of EUR 250,000 per day for non-compliance.
The proceeding is the result of a formal recommendation that the Belgian Privacy Commission (BPC) issued in May 2015 requesting Facebook to cease the tracking of non-users. The BPC alleged that Facebook collected information about the web browsing behavior of users who were not Facebook members by using social plug-ins and cookies, which the BPC alleged Facebook placed on users’ computers when they visited a web page that was part of the Facebook domain or clicked on Facebook “Like” or “Share” buttons on other websites. After Facebook and the BPC were unable to resolve the allegations, the BPC (which itself does not have the authority to impose fines or enforce orders) sought a cease and desist order from the President of the Brussels Court.
The court found that Facebook’s practices of collecting data on the web browsing behavior of Internet users from Belgium who have decided not to become members of Facebook violated the Belgian Data Protection Law (BDPL), irrespective of the purpose for which Facebook uses the data. The court found that there was no legal ground for the processing of personal data of non-members because Facebook has not obtained those users’ prior consent, and processed their personal data before informing the users about Facebook’s services. Facebook processed the data despite those users’ choice not to become Facebook members. Although Facebook announced that it will appeal the court’s order, the appeal will not suspend any penalty payments, which are immediately enforceable once the judgment has been officially served on Facebook.
The court did not accept Facebook’s argument that because its European headquarters are in Ireland, Facebook need only comply with the Irish data protection legislation. Citing the European Court of Justice Google Spain decision, in which the ECJ found that the BDPL applied to Facebook’s activities in Belgium because Facebook’s Belgian subsidiary – Facebook Belgium SPRL – served and promoted the commercial interests and advertising activities of the entire Facebook group, and thus the activities of the Belgian Facebook entity were inextricably linked to those of Facebook Inc. The Court ruled that the fact that Facebook Belgium SPRL did not itself process personal data or enter into contracts with advertisers was not relevant to the jurisdictional determination.
The court’s Facebook decision demonstrates that companies can be subject to the Belgian data protection legislation even if they do not have their main European establishment in Belgium, and even if the Belgian subsidiary is not involved in data processing. The decision also serves as a reminder for website owners to inform visitors of the types of cookies and plug-ins the sites are using, the information they are collecting, the purpose for which this information is used, the length of storage of the cookie/plug-in on the visitor’s computer and, for most types of cookies and plug-ins, to obtain visitors’ specific prior consent before activating them. The decision is a further reminder to companies that data protection authorities in Europe are becoming more active in data protection enforcement.