A long-running case between the Belgian Data Privacy Authority (CVPV/CBPL) and Facebook is due for hearing on its merits this October.
On 13 November 2014 Facebook announced a global revision of its data policy, cookie policy and terms. After issuing a recommendation on compliance with EU and Belgian privacy laws in May 2015, the CVPV/CBPL decided to file summary proceedings with the President of the Brussels Court of First instance, seeking interim measures. In November 2015 the judge condemned Facebook’s practice of collecting and registering personal data of millions of Belgian internet users who did not sign-up to the Facebook social network site, as a ‘manifest violation of privacy law’ and imposed daily fines for continued non-compliance.
Facebook successfully appealed this decision. Whereas, the Belgian court did have jurisdiction regarding Facebook Belgium, the appeal court decided that the requirement of urgency in summary proceedings was not met. Further, the appeal court concluded that the Belgian courts did not have jurisdictional competence to rule on the complaints against Facebook Ireland and its US parent company. The merits of the CVPV/CBPL’s case will now be decided in hearings due to take place in October 2017.
Facebook has been having this and similar battles not only in Belgium, but also with the Data Privacy Authorities (DPAs) in France, Hamburg, the Netherlands and Spain. The question is ‘Why’? Direct marketing revenues provide at least part of the answer – more than 80% of Facebook’s revenues are derived from advertising. Through its use of cookies Facebook has the ability to build a browsing history of non-Facebook users for a period of up-to 10 days. This is argued to be an unfair practice as there was no opportunity for individuals to know about or refuse such cookies. (France’s DPA, the CNIL agreed, with the Belgian CVPV/CBPL on this point. It fined Facebook for unfair tracking in March 2017). Facebook argues that it obeys EU data protection law. Nevertheless, it has recently made changes, including in Belgium, to make its practices more transparent.
From 25 May 2018, when the new General Data Protection Regulation (GDPR) is enforceable, all data controllers or processors (whether or not they are established within the EU) who offer goods or services to citizens in the EU need to comply with the GDPR. Fines of up to 4% of total worldwide annual turnover for the preceding financial year can be levied for non-compliance.