Belgium vs Facebook
On November 9th, 2015, a Belgian court ordered Facebook to stop tracking non-Facebook users, and imposed a fine of $250,000 per day in case of non-compliance. A look at the facts, the rules at hand, and the questions that matter.
The story so far
This is a story about privacy, and about a collision between two worlds that are dear to me - Belgium and Silicon Valley. On November 9th, 2015, a Belgian court ordered Facebook to stop tracking non-Facebook members in Belgium and gave the company 48 hours to comply. A fine of $250,000 per day was set to encourage cooperation. Unsurprisingly, Facebook immediately stated that it would appeal the judgement.
According to the BBC, the Belgian Privacy Commission stated at the end of November that the judgement had yet to be formally served to Facebook because it is "waiting for an English translation" of the 33 pages (a Dutch version of the judgement can be found here). Facebook stated at that time that it was negotiating with the Belgian Privacy Commission.
Update 1: On December 2nd, the company stated that it would stop tracking browsers of Facebook pages in Belgium who are not signed into a Facebook account, thereby complying with the judgement. The immediate effect for Belgian Facebook visitors? Certain Facebook pages that were previously viewable without logging in will no longer be visible until the user signs in. Facebook still plans to appeal the ruling, but is no longer at risk of having a fine of EUR 250,000 / day levied against it.
Update 2: On December 4th, the Privacy Commissions of the Netherlands, Spain, France, Hamburg and Belgium issued a joint statement, calling upon Facebook to "comply with these orders in all territories of the EU". This joint statement escalates the matter from a small annoyance to something that may very well impact Facebook's data collection policies across the entirety of the European Union.
Update 3: On January 28th, Politico reported that Facebook is appealing the ruling of the Belgian court, based on a rather interesting theory. The court’s ruling contained some English words — like "cookie", "homepage" and "browser". Belgian law enshrines a wide range of protections for the country's different language groups. Among other things, it requires that all rulings be in the official languages of the country: French, Dutch and German. Because words such as "cookie", "homepage" and "browser" were not translated, Facebook argues, the whole ruling must be annulled. Dirk Lindemans, who represents Facebook in Belgium, comments: “It is a requirement that justice for all is understood. Otherwise you get a slippery slope towards class justice”. It remains to be seen whether the court will agree with this procedural argument. Dutch being my mother tongue, I can attest that I (together with most other Belgian citizens, regardless of their language group) would say "cookie" rather than "koekje", "homepage" rather than "thuispagina" and "browser" rather than "webnavigator".
The feud between Facebook and the Belgian Privacy Commission dates back to early 2015, when a group of Belgian researchers released a study (sponsored by the Commission) that demonstrated some of the more dark-side tracking capabilities of Facebook's social plugins.
The study showed how the company tracks behavior on its own domain and on sites of third parties. This included scenarios where the user is tracked even when logged out of Facebook and where the user had explicitly opted out of being tracked through a Facebook-recommended opt-out site (Facebook ascribed the latter situation to a bug). In June 2015, the Belgian Privacy Commission took Facebook to court for violating Belgian privacy laws.
That Belgium is picking a battle with Facebook makes for a mildly interesting story in itself. But the implications of this case reach beyond the Belgian sphere of influence. To understand what's going on, we need to dive a little bit deeper into the technical and legal aspects.
When you visit Facebook or a website that embeds one of the Facebook widgets (such as the like button or comment feed), Facebook places a cookie on your computer. This little file, basically a message from Facebook's servers to your web browser, contains a “unique identifier”. You can see it in the screenshot below, which was taken when visiting Facebook in an incognito window.
As you travel across the Internet, the information in this cookie is retained. If you visit another website that embeds the Facebook tracking code, the value in the datr cookie persists, allowing Facebook to associate the two separate webpage visits with each other. You can see this in the screenshot below, taken immediately after the previous one.
In other words, Facebook was able to track my movements on the Internet from one page to another, even though I was never signed into Facebook. And because Facebook is embedded into a lot of websites, that technical capability is rather significant.
On the legal side of things, it's important to understand that Belgian privacy law is mainly an implementation of European privacy rules. European privacy rules are not like US privacy rules. Just have a look at the Data Protection Directive, implemented by all EU member states. The Data Protection Directive provides for strong privacy protections that are often at odds with the rapid advances of technology, in contrast with the more light-touch approach typical of the US common law system.
The European Data Protection Directive defines 'personal data' very broadly. It covers "any information relating to an identified or identifiable natural person ("the data subject") [...], in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity". The identification number in the screenshot above comes to mind.
Processing personal data is defined equally expansively, "as any operation [...] performed upon personal data [...], such as collection, recording, organization, storage, adaptation or alteration, [...]". As you can tell, it does not take much to be processing personal data.
This designation of "data processor" is important, as the Data Protection Directive imposes obligations on those who "process" personal data. Personal data may be processed only in a limited number of circumstances, such as when the data subject has given his consent, or when the processing is necessary for the performance of a contract to which the data subject is party.
In its judgement, the Belgian court ruled on a couple of key points. Because the Belgian court ruled based on these rules, its judgement is relevant for (but not binding upon) other EU Member States.
1. Belgian data protection law applies and Belgian courts have jurisdiction
Facebook, which has its European HQ in Ireland, had argued that it has to comply with Irish data protection law only and that only Irish courts have jurisdiction. The Belgian Court disagreed. Referring to a case before the EU Court of Justice, it held that the activities of Facebook's Belgian entity (Facebook Belgium SPRL) were "inextricably linked" to the activities of Facebook as a whole.
2. The claim is urgent
The court decision was made in summary judgement, a procedure that requires "urgency". The Court deemed the situation urgent, because claims that relate to fundamental rights and freedoms (such as the protection of privacy) are always urgent, and because this claim relates not to the fundamental right of one single individual, but to the rights of a large group of people.
3. Facebook is processing “personal data”
The Court decided that the IP address and the “unique identifier” contained in Facebook’s datr cookie are “personal data” and that Facebook's collection thereof constitutes a “processing” of personal data. Facebook had argued that these are not personal data because they would merely make it possible to identify a computer.
4. Violation of Belgian data protection law
Subsequently, the Court called the fact that Facebook collects data on Belgian web users who have decided not to become a member of Facebook’s social network a “manifest” violation of Belgian data protection law, irrespective of the purposes for which Facebook uses the data.
The Court notes that Facebook does not have any legal justification for processing the personal data of people who do not have a Facebook account via cookies and social plug-ins, because:
• Facebook has not obtained their consent to do so;
• Facebook cannot invoke an agreement with people who do not have a Facebook-account;
• Facebook cannot invoke a legal obligation to do so;
• Any security interest pursued by Facebook is overridden by the fundamental right to privacy of people who do not have a Facebook account.
The court took issue with the fact that personal data is processed before the data subjects have been able to fully inform themselves about Facebook’s services, even though they may not want to use these services. It rejected Facebook's argument that the data collection was necessary for security purposes (more on that below).
The Court imposed a penalty on Facebook amounting to 250,000 EUR per day that it does not comply with the order. So far, there are no indications that the judgement has been executed.
This conflict raises lots of questions, and it's interesting to consider both parties' positions. What is the right balance between privacy and convenience? What are realistic implementation strategies for online privacy protection?
Facebook argued in court that the data collection is necessary for security purposes. The company has stated that the cookie helped stop more than 33,000 account takeover attempts in Belgium in October 2015. According to the write-up of the judgement by the Belgian Privacy Commission, one of the nicer things the court said about this argument was that it was "not credible".
Security argument aside, cookies are incredibly useful for web developers, and the Internet is literally paved with them. You probably have tracking cookies from Google and a variety of other services in your browser session right now. If you click this link, Amazon will store a cookie on your computer, allowing it to track your purchase for the purpose of paying out referral revenue to yours truly (all proceeds will be used to advance access to justice). These cookies, with their ability to store snippets of data about us, bring us many conveniences that the public at large has come to expect from the modern web. The fact that Facebook finds itself in the crosshairs of the Belgian Privacy Commission probably has more to do with the size of the organization (and its pockets) than with the maliciousness of its intentions.
Picture: Cookie Monster by yahyanikrushdi
Under the broad definition of data processing implemented by the Data Protection Directive, service providers are constantly at risk of running afoul of privacy rules that are often unclear and always in motion. That can get tough and complicated when you are running an online business. And the resources most businesses can devote to compliance are not comparable to Facebook's.
That being said, we are right to be wary of having our every move tracked as we surf the web, and regulators are right to keep an eye out for the public interest. More pervasive technologies, such as drones and virtual reality, are coming up fast, and will only make these questions more complicated. Technical initiatives (such as DoNotTrack) have been launched to address this issue of online tracking, but have yet to demonstrate massive traction. Advances in encryption may also provide a counterweight.
In a world where less and less activity escapes from sensors, how comfortable are we with relinquishing control of our online behavior? My guess is: probably a bit too comfortable. The battle for privacy is on, but the war has just begun.