On 16th February 2018, a Belgian court ordered Facebook to pay a penalty of €250,000 a day, up to a maximum of €100 million, until it ceases using cookies to gather and store the personal data of users (including people who have no Facebook account). Facebook was also ordered to delete all of the data it has gathered and used to track Belgian citizens.
In 2015, the Belgian Commission for the Protection of Privacy (CPP) conducted an investigation with the aid of researchers from Katholieke Universiteit Leuven and the Vrije Universiteit Brussel. They found that Facebook sets a cookie in a user’s web browser whenever the user visits a page on the facebook.com domain or loads a Facebook element embedded in another site, such as the ubiquitous “Like” and “Share” buttons. The cookie is set to persist for two years, and the browser sends it back to Facebook every time that person visits the domain or loads an embedded element again. All of this happens without the user’s knowledge or express consent.
Cookies are small name-value records that a website asks the browser to store and to return with later requests to that site. The browser keeps them in its cookie store (distinct from its page cache) and does not encrypt them, although a site may encrypt or sign the values it sets. Used initially to help users navigate websites efficiently by remembering their preferences (e.g. language, accessibility and layout), they have since become progressively more complex. As developers sought to optimise their sites, the amount of data they wanted to keep per user outgrew what a cookie can hold (browsers cap each cookie at roughly 4 KB and limit the number stored per domain). In response, developers began storing only a slimmed-down cookie in the browser while the bulk of the data is kept on the website’s server, effectively allowing them to store an unlimited amount of data. Each slimmed-down cookie contains a unique identifier which is the key to that server-side data.
When a page on one site embeds content from a second site, such as “Like” and “Share” buttons, the browser fetches that content from the second site’s domain and attaches any cookies it already holds for that domain, exactly as it would if the person were browsing the second site directly; the response can also set a new cookie if none is present. Seen from the host page, this is a third-party cookie, and it works even if the host site has set no cookie of its own. Because the browser also sends the address of the page being viewed (the Referer header) with the request, the embedded site can see, among other things, which host website and page the person is browsing, and can record that against the identifier.
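The following is an added example, not code from the original article or from Facebook: a small Node.js model of the cookie flow described above. One site (“tracker.example”, standing in for any site with an embedded button) sets an identifier cookie on a first-party visit and keeps the real data on its server; a browser-side cookie jar then decides whether that cookie is attached when the same site’s button is loaded from unrelated host pages. The domain names, the cookie name `uid`, the page URLs and the `blockThirdParty` switch are all assumptions made for illustration.

```javascript
// Added example (not from the original article): how a third-party cookie lets
// an embedded site link browsing on unrelated host sites to one identifier.
// Domain names, the cookie name `uid` and the page URLs are assumptions.

// --- Server side of the embedded site ("tracker") ----------------------------
// The cookie carries only an identifier; the data it unlocks lives here.
const trackerStore = new Map();
const TWO_YEARS = 2 * 365 * 24 * 60 * 60; // Max-Age in seconds

// Handles one request to tracker.example: reads the identifier from the Cookie
// header (issuing one if absent) and records the Referer, i.e. the host page
// the person is viewing, against that identifier.
function trackerHandle(req) {
  const cookies = Object.fromEntries(
    (req.cookie || '').split('; ').filter(Boolean).map(kv => kv.split('='))
  );
  let id = cookies.uid;
  const res = { headers: {} };
  if (!id) {
    id = `u${trackerStore.size + 1}`;
    // SameSite=None is what asks the browser to send the cookie on cross-site
    // requests; modern browsers default to Lax and would otherwise omit it.
    res.headers['Set-Cookie'] =
      `uid=${id}; Domain=.tracker.example; Max-Age=${TWO_YEARS}; SameSite=None; Secure`;
  }
  const profile = trackerStore.get(id) || { pages: [] };
  profile.pages.push(req.referer);
  trackerStore.set(id, profile);
  return res;
}

// --- Browser side: cookie jar plus the rules for attaching cookies -----------
class CookieJar {
  constructor({ blockThirdParty = false } = {}) {
    this.blockThirdParty = blockThirdParty; // the "block third-party cookies" setting
    this.cookies = [];
  }

  // Store a Set-Cookie header from `originHost`. `crossSite` is true when the
  // response came from a resource embedded in a page of another site.
  // Expiry (Max-Age) is parsed but not enforced in this model.
  setCookie(originHost, header, crossSite) {
    if (this.blockThirdParty && crossSite) return;
    const [pair, ...attrs] = header.split(';').map(s => s.trim());
    const [name, value] = pair.split('=');
    const cookie = { name, value, domain: originHost, sameSite: 'Lax' };
    for (const attr of attrs) {
      const [k, v] = attr.split('=');
      if (k.toLowerCase() === 'domain') cookie.domain = v.replace(/^\./, '');
      if (k.toLowerCase() === 'samesite') cookie.sameSite = v;
    }
    this.cookies = this.cookies.filter(c => !(c.name === name && c.domain === cookie.domain));
    this.cookies.push(cookie);
  }

  // Cookie header for a request to `requestHost` made from a page on `topHost`.
  cookieHeader(requestHost, topHost) {
    const crossSite = requestHost !== topHost; // simplified: exact host comparison
    return this.cookies
      .filter(c => requestHost === c.domain || requestHost.endsWith('.' + c.domain))
      .filter(c => !crossSite || (c.sameSite === 'None' && !this.blockThirdParty))
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// The browser loads a resource from `requestHost` while displaying `topPage`.
// Only tracker.example is modelled as a server; the host sites set no cookies.
function load(jar, requestHost, topPage) {
  const topHost = new URL(topPage).hostname;
  const crossSite = requestHost !== topHost;
  const req = { cookie: jar.cookieHeader(requestHost, topHost), referer: topPage };
  if (requestHost !== 'tracker.example') return;
  const res = trackerHandle(req);
  if (res.headers['Set-Cookie']) jar.setCookie(requestHost, res.headers['Set-Cookie'], crossSite);
}

// Returns what the tracker knows after one browsing session: an entry per
// identifier it has issued, with the host pages that identifier was seen on.
function runScenario({ blockThirdParty = false } = {}) {
  trackerStore.clear();
  const jar = new CookieJar({ blockThirdParty });
  // 1. A single visit to tracker.example itself plants the identifier cookie.
  load(jar, 'tracker.example', 'https://tracker.example/');
  // 2. Unrelated sites whose pages embed a tracker.example "Like" button.
  for (const page of ['https://clinic.example/appointments', 'https://party.example/membership']) {
    load(jar, new URL(page).hostname, page); // the host page itself
    load(jar, 'tracker.example', page);      // the embedded button
  }
  return [...trackerStore].map(([id, p]) => ({ id, pages: p.pages }));
}

console.log(JSON.stringify(runScenario(), null, 2));
console.log(JSON.stringify(runScenario({ blockThirdParty: true }), null, 2));
```

With cookies allowed, the tracker ends up with one identifier carrying all three pages, including the clinic and political-party pages the person never told it about; with third-party cookies blocked, each button load arrives without a cookie and the tracker sees three unrelated identifiers with one page each. Two caveats a practitioner should keep in mind: the model ignores cookie expiry, and since the article was written browsers have moved the default `SameSite` to `Lax` and several block or partition third-party cookies outright, so a cookie without `SameSite=None; Secure` is no longer sent on cross-site requests at all.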
This was among the chief complaints brought by the CPP to the Belgian Court of First Instance in 2015. The court held that it is “almost impossible to escape” the processing of a user’s sensitive personal data due to the “uncountable number” of people who have landed on a page of the facebook.com domain, thereby unknowingly acquiring a Facebook cookie, and of the “millions of websites with Facebook’s social plugins.” The court was concerned that receiving cookie data from host websites may involve processing a user’s medical, religious, sexual life or political preferences without appropriate consents.
Although Facebook successfully appealed the 2015 ruling in 2016, on jurisdictional grounds, the substance of that ruling was reaffirmed in the February 2018 judgment of the Brussels Court of First Instance. The court agreed with the CPP that the automated processing of cookies that contain unique identifiers, together with IP addresses, is a processing of personal data.
In the UK, the Data Protection Act 1998 (DPA) establishes a more stringent regime for sensitive personal data (e.g. data that relates to racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences). This distinction is not made by the Belgian Privacy Act 1992; however, that Act has a higher standard for personal data in general, in that Article 5 requires unambiguous consent as opposed to simple consent under the DPA.
As the Belgian Court of First Instance held that “this data relates to very sensitive information,” Facebook would be held to an even higher standard if a similar case were tried in the UK: it would require explicit consent to deploy and use third-party cookies. This distinction is soon to become irrelevant, as the incoming General Data Protection Regulation (GDPR) will harmonise data protection laws across the EU from 25th May 2018. The law on consent under the GDPR is a hybrid of the current Belgian and UK laws and reinforces the differing standards between personal data and sensitive personal data.
This is just one of the many recent legal battles Facebook has been fighting in Europe. In addition to increasing pressure from European states in relation to extremist online content, Facebook’s default privacy settings and use of personal data were recently ruled illegal by a Berlin court, and French courts recently ordered WhatsApp (owned by Facebook) to stop sharing user data. Facebook was also fined €110 million by the European Commission for providing misleading information during its takeover of WhatsApp.
Facing tighter regulations, tougher penalties and political scrutiny, Facebook (and other technology companies) need to take their data privacy obligations seriously and ensure they obtain appropriate consents from their users (and non-users).