Facebook has collared Belgium’s privacy watchdog: it’s won an appeal in a privacy case and can now resume tracking any Belgian it wants to, including people who’ve never registered for an account and those who aren’t logged in.
This is the latest twist in a long-running case over Facebook’s use of the so-called datr cookie, which lets Facebook track users as they visit other sites, even when they’re not logged in to Facebook.
That cookie can be picked up by visitors who visit a friend’s page on Facebook, or on any other page on the web with Facebook like or share code in it – even if a visitor never signed up for a Facebook account.
In November, a Belgian court ruled that Facebook was using the datr cookie to illegally collect personal data – the type of data that Facebook should only be allowed to use if the internet user expressly gives their consent, as Belgian privacy law dictates.
Then, Belgium set the clock ticking, saying that Facebook would face fines of up to €250,000 EUR ($267,000 USD) a day if it didn’t stop tracking non-Facebook users.
Facebook appealed, on the grounds that Belgium doesn’t have the authority to reach cross-border and tell it what to do with data stored on servers in Dublin, which is the social network’s European base of operations.
On Wednesday, it won that appeal.
A Brussels appeals court overturned the ruling that had forced Facebook to block people without an account from accessing its site if they were located in Belgium.
The Brussels appeals court also threw out the Belgian privacy watchdog’s claim that the case was urgent and required expedited procedure.
From the ruling, as quoted by Bloomberg:
Belgian courts don’t have international jurisdiction over Facebook Ireland, where the data concerning Europe is processed.
The privacy watchdog who brought the suit against Facebook – the Belgian CPP (Commission for the Protection of Privacy) – said in a statement that the show’s not over yet.
It may launch an appeal to the court of last resort, the Belgian court of cassation, which has in the past overruled cases involving foreign company jurisdiction.
Specifically, in a case over whether Yahoo had to cooperate with local law enforcement, the court of cassation in December 2015 ruled that information disclosure from a communications network who operates in Belgium doesn’t imply that there will be intervention outside of Belgium.
In that case, the court of cassation declared that since Yahoo actively participates in the economic life of Belgium – by using the domain name .be or displaying ads based on users’ location – it “voluntarily” submits itself to Belgian law.
In the meantime, while the CPP decides whether to appeal Wednesday’s decision, the success of Facebook’s appeal simply means that the courts aren’t protecting Belgian citizens from privacy invasion, the CPP said.
Willem Debeuckelaere, president of the CPP:
Today’s decision means simply that the Belgian citizen cannot obtain privacy protection through the courts when it comes to foreign players. Belgians are thus exposed to massive violations of privacy.
Facebook has in the past countered that Belgium would be turned into a cradle for cyber terrorists without that datr cookie.
Specifically, Facebook has claimed that it uses the datr cookie as part of the security systems that protect users, and that the cookie prevents user accounts from being hacked.