Facebook Loses Belgium Privacy Lawsuit

A district court in Belgium ruled that Facebook is indeed violating the EU’s privacy laws with its "shadow tracking" of users across the web. Unless the company changes its behavior, it will have to pay 250,000 euro ($310,000) a day in fines.

Facebook’s Difficult Time In The EU

Two years ago, Facebook emerged as the victor in a lawsuit launched by the Belgium Privacy Commission against the company for violations of EU privacy laws. The Commission accused Facebook of tracking both users and non-users of its platform across the web via the “datr” cookie.

Facebook has for years said that the datr cookie wasn’t meant to track users across the web, and when it got caught twice doing it anyway, the company said it was only a bug and that it would be fixed.

However, in the lawsuit at the time, Facebook argued that it has to use the datr cookie to track everyone for security purposes. Facebook argued that it could use the datr cookie to identify PCs infected by botnets. Earlier, Facebook had also announced that the datr cookie would be used for advertising purposes as well.

Facebook was able to win the first lawsuit on technical grounds, as the court then agreed with Facebook that the Belgium Privacy Commission didn’t have jurisdiction to sue Facebook, because the company had its headquarters in Ireland.

Since then, other European courts have ruled that companies that have operations and a headquarters anywhere in Europe can be sued in any of the EU member states, if those countries find the company has been violating EU law. In one of those cases, Facebook also tried to argue that its Terms of Service say that any Facebook user can only sue it in the United States. The courts disagreed and called Facebook’s policy “abusive.”

New Belgium Ruling

A Belgium Court of First Instance said that Facebook doesn’t do enough to teach users how it’s tracking them, for them to be able to give valid consent to that tracking. There is also too much uncertainty about the type of data that Facebook collects, and users don’t know for how long the company stores the data.

Unless Facebook brings its privacy policies in line with Belgium and EU privacy law, the company has to stop tracking users surfing from Belgium. It must also destroy all unlawfully collected personal data. Failing that, Facebook will have to pay a fine of 250,000 euro ($310,000) a day until it makes those changes, or until it reaches a maximum of $100 million in fines.

The court also said that Facebook must publish the 84-page ruling on its website, and that the last three pages of the ruling will also go into Belgian newspapers.

Facebook wasn’t too happy with the ruling, and in a statement to Tom's Hardware, the company said that it’s going to appeal:

We are disappointed with today’s verdict and intend to appeal. Over recent years we have worked hard to help people understand how we use cookies to keep Facebook secure and show them relevant content. We’ve built teams of people who focus on the protection of privacy - from engineers to designers - and tools that give people choice and control. The cookies and pixels we use are industry standard technologies and enable hundreds of thousands of businesses to grow their businesses and reach customers across the EU. We require any business that uses our technologies to provide clear notice to end-users, and we give people the right to opt-out of having data collected on sites and apps off Facebook being used for ads. We are preparing for the new General Data Protection Regulation with our lead regulator the Irish Data Protection Commissioner. We’ll comply with this new law, just as we’ve complied with existing data protection law in Europe.

Compliance doesn’t seem to mean the same to Facebook and the EU Data Protection Authorities, as well as most of the EU courts, which have already found that Facebook was violating, not complying with, EU privacy laws. Authorities from France, Ireland, Spain, and Germany are also investigating Facebook’s privacy practices.

Belgium Secretary of State for Privacy Philippe De Backer (Open Vld) said:

What a victory for privacy. You can not secretly follow someone on the internet without your knowledge, an important milestone for privacy in our country and Europe.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • canadianvice
    While I can appreciate someone wanting to maintain their privacy .... I've always wondered why exactly people on FaceBook of all things expect it? The company is very forward with the fact you're the product.
  • derekullo
    Facebook's service/job is quite literally to invade your privacy, as much as you are willing to say/type, in exchange for ease of communication with others.

    The lawsuit is about Facebook tracking the other sites you go to using the datr cookie so that they can then target you with ads.

    For instance, let's say you check Facebook and wish your grandmother happy birthday.
    You then go to walgreens.com and check for some aspirin.

    The datr cookie is able to record that visit and report back to Facebook to send over some aspirin ads.


    I do find privacy lawsuits with Facebook to have quite a bit of irony, but I guess the privacy line has to be drawn somewhere ...


    Having said all that I am able to block 99% of all cookies and ads using a combination of:

    Custom hosts file from winhelp2002.mvps.org/hosts.htm
    Noscript
    Adblock+
    Adguard DNS
  • Rock_n_Rolla
    Well, if they got FB fined for tracking users and exploiting users' web behavior for ad purposes and for other data mining purposes, I assume Google will be the next in line to get fined big time as well.

    IMO, no matter how the EU fines FB or Google, the fact still remains that even if these two lose their tracking ability to make their ad posting business more profitable, these two will simply use their ad features to throw users different ads even though it's not relevant to the users while using the FB app or Chrome.

    --Same <mod edit> in other words... In order to secure user data in FB, the EU must demand total Ad removal from FB app so there's no need or no sense of tracking their users anymore because it would be a waste of time doing it and would get nothing about it.

    But I'm sure it won't happen because FB will fight the EU to their last breath; without targeted ads in FB or Google, they lose their profitability since they earn from ads through it.
  • berezini.2013
    Rock_n_rolla, if they remove ads and sneaky ways to make money off users then they would have to file for bankruptcy. The companies in question are leeches. They only exist because you allow them to.
  • friedlander.m.s
    Only 30% of USA population is smart enough to "not" use facebook.
  • Dark Lord of Tech
    Social Media = spying tools.
  • therealduckofdeath
    It is bad that companies like Facebook, Google and their likes use hidden third party browsing data about their users to aggressively target ads. Though, I think authorities should focus more on the dangerous social engineering experiments these companies do by using similar information to generate Internet traffic for profits, no matter how much damage those experiments do to society.
  • milkod2001
    They also should really look into FB and Google AdSense. Companies are paying $millions to get into search results. Then FB and Google are charging for the clicks / interactions. Are those clicks real clicks or just fake bot clicks? Is there any way to track the authenticity of clicks?
  • shrapnel_indie
    Facebook argued that it could use the datr cookie to identify PCs infected by botnets. Earlier, Facebook had also announced that the datr cookie would be used for advertising purposes as well.

    could does not equal are. FB was grasping at straws to justify their data mining.

    The cookies and pixels we use are industry standard technologies and enable hundreds of thousands of businesses to grow their businesses and reach customers across the EU. We require any business that uses our technologies to provide clear notice to end-users, and we give people the right to opt-out of having data collected on sites and apps off Facebook being used for ads.

    Industry standard? Maybe, maybe not. Their requirement to have any business that uses their tech, here in the States, to clearly inform users is a bit of a joke. Is this requirement EU only, just to have a claim for privacy compliance in the EU? Sad if it is, especially concerning the amount of people who use it daily to connect with friends, family, and the special interest groups formed on there.
  • shrapnel_indie
    20716516 said:
    Social Media = spying tools.

    And... obviously, in more ways than one.