Sophos Cloud Optix
Max Schrems must be pleased.
He who rose up from the ranks of Facebook’s privacy-ravaged users to file complaints against what he said was Facebook’s illegal data collection/retention is now witnessing the fruits of his labor.
Or, as he tweeted in response to the Belgian court giving Facebook 48 hours to stop tracking those without Facebook accounts, lest it face substantial penalties, “*WOW*”:
*WOW* @SophieKwasny: episode Belgium v. Facebook. Judge gives 48 hours to conform to law or will be fined 250000 euros / day
— Max Schrems (@maxschrems) November 9, 2015
Max Schrems @maxschrems
*WOW* @SophieKwasny: episode Belgium v. Facebook. Judge gives 48 hours to conform to law or will be fined 250000 euros / day
As the AFP reports, Belgium set the clock ticking on Monday, saying that Facebook would face fines of up to €250,000 EUR ($267,000 USD) a day if it doesn’t comply within 48 hours.
Facebook said it will appeal.
The AFP quotes the court decision:
Today the judge... ordered the social network Facebook to stop tracking and registering internet usage by people who surf the internet in Belgium, in the 48 hours which follow this statement.
If Facebook ignores this order it must pay a fine of 250,000 euros a day to the Belgian Privacy Commission.
The court order is the latest salvo in the Europe v. Facebook privacy battle.
It follows a case lodged by Belgium’s privacy watchdog – the Belgian Privacy Commission (BPC) – which dragged Facebook into court in June for allegedly “trampling” over Belgian and European privacy law.
In June, the court said that Facebook indiscriminately tracks internet users – even non-Facebook users – when they visit its pages or pages on other sites with “like” or “share” buttons.
Since then, the BPC’s lawyers have called Facebook “as bad as the NSA [National Security Agency].”
The latest in a string of EU slap-downs
This 48 hours or-else decision is only the latest EU action against private data flowing into Facebook.
Last month, the EU’s highest court struck down the transatlantic Safe Harbor agreement, which had allowed companies to transfer European citizens’ personal data to the US, calling the agreement “invalid” because it didn’t protect data from US surveillance.
At the heart of the recent Belgian court case is a move Facebook made in June 2014 to give advertisers more ammunition to target users, by mixing data about what we do on its site with data about what we do on other sites.
The Belgian court on Monday said that Facebook does indeed use a special cookie that visitors pick up if they visit a friend’s page on Facebook or any other page on the web with Facebook like or share code in it – all without the visitor having ever signed up for a Facebook account.
That cookie stays on a given device for up to two years, enabling Facebook to keep track of people and what they’ve looked at on the web.
AFP quotes the court’s statement:
The judge ruled that this is personal data, which Facebook can only use if the internet user expressly gives their consent, as Belgian privacy law dictates.
Facebook calls that cookie the “datr” cookie and says it’s safe.
Safe, or maybe even some type of prophylactic infosec wonder cookie.
In the recent “Facebook is as bad as the NSA” rhetoric swap, Facebook claimed that its cookies keep Belgium from becoming “a cradle for cyber terrorism.”
AFP quotes a statement from Facebook about its appeal of Monday’s court decision:
We've used the datr cookie for more than five years to keep Facebook secure for 1.5 billion people around the world.
We will appeal this decision and are working to minimize any disruption to people's access to Facebook in Belgium.
Back home in the US of A
Meanwhile, back on its home turf, Facebook is having a much easier time of it with a US regulator – the Federal Communications Commission (FCC) – having recently shrugged off the notion that it should trouble Google or Facebook with demands to honor “Do not track” requests.
The FCC dismissed a petition from rights group Consumer Watchdog, which had called on the commission to require “edge providers” – a catch-all term covering websites and apps, including Google, Facebook, YouTube, Pandora, Netflix, and LinkedIn – to honor such requests from consumers.
The FCC’s rationale: it doesn’t have the authority.
Consumer Watchdog thinks otherwise, and it’s reportedly considering an appeal.
Image of gavel on Belgium flag courtesy of Shutterstock.com
I detest and avoid Facebook with every ounce of my energy – but apparently I still cannot stop Zuckerberg illegally intruding into my life whenever he feels like it. Is there any software out there designed to keep Facebook out of my PC? I doubt it, and if there was Zuckerberg would soon buy it up.
The great thing about cookies is that they only work (can only track you) if you accept them and not accepting them is easy.
You can set your browser to reject 3rd party cookies or use a plugin like Privacy Badger or Ghostey.
Of course they can’t stop your friends uploading photos of you…
shouldnt that read ghostery :-]
Yup 🙂
the judges/government have no idea how the Internet works. They always think as it was some ‘country-like’ area with borders, but you can ‘visit’ the whole world just by clicking around. if they users dont want be tracked then just dont accept cookies or dont visit fb…btw fb doesnt force users use their service.
gosh, the courts should really care more about privacy in eu states first, then some companies somewhere else
I think the point is that Facebook are tracking people who aren’t Facebook users and aren’t visiting Facebook pages.
If you want to operate in the EU then the law says that you need to obtain consent rather than forgiveness for that kind of tracking.
Are these cookies easily identifiable by name?
Can’t be too hard to create a PowersHell script to remove them.
The name of this cookie is datr. Alternatively just ditch anything set with a facebook.com domain.
Wow, have a bit of money and every coutroom in the world is going to sue you for a piece of it. If you don’t want facebook coockie than don’t enter facebook pages. If it’s a share code than facebook should remove that part.
Is ridicolous the borders of an internet company. Seems like nowadays anyone can sue you based on any cyberlaws from any country.
Facebook should just pay the 267,000 USD per day. For them, that is the equivalent of three micro-seconds of profits from sharing customer (and non-customer) data with marketeers.
And what will happen if facebook doesnt pay up? Belgium has no jurisdiction there. I wouldnt pay a fine another country ordered me to pay so how would they even enforce it? Would need the cooperation of the US to enforce it and I doubt they would give it
Facebook has an Irish subsidiary which _is_ within the reach of the Belgian courts.
Yes, they could pay the daily fine but companies which do that and don’t take action invariably end up with judges upping the ante (up to and including arrest warrants for C-level staff for contempt of court)
I should add:
This case was referred to Belgium by the Irish High Court, so anything the Belgians bring down on Facebook will happily be enforced by Irish courts and the Irish Data Comissioner.