The Belgian Privacy Commission publishes new recommendation relating to the processing of personal data by Facebook through cookies, social plug-ins and pixels
Notwithstanding the latest changes in Facebooks practices, the Privacy Commission considers that Facebook still does not obtain valid consent from data subjects. Moreover, the Privacy Commission is of the opinion that the processing of personal data by Facebook through cookies and social plug-ins is excessive in several circumstances.
One significant change is that Facebook currently also tracks the online behavior of people that do not have a Facebook account for advertising purposes.
Another significant change is that Facebook - since August 2016 - uses so-called “pixels” to obtain information on the online behavior of users and non-users. Like social plug-ins, “pixels” are tools which Facebook makes available to operators of external website. Such pixels do not appear on the external website as a button or an icon (similar to the “I like”-button), but as a tiny dot, invisible to the naked eye.
The Belgian Privacy Commission has ascertained that a number of Belgian websites also use Facebook pixels, including hln.be, rtbf.be and gezondheid.be. The current recommendation does not assess the legality of the practices of these website operators, but the Privacy Commission will launch a separate investigation in relation to these practices.
Recommendations to Facebook
The Belgian Privacy Commission recommends Facebook to:
- obtain valid consent for the placement of cookies insofar as they are not strictly necessary for the provision of a service expressly requested by the data subject;
- abstain from the excessive collection of cookies through social plug-ins, Facebook-pixels or similar technological means;
Recommendations to website operators and internet-users
The Privacy Commission also offers a number of additional recommendations for operators of external websites who make use of the technologies and services provided by Facebook.
Finally, the Privacy Commission again provides a number of recommendations to internet-users who wish to protect themselves against the tracking practices of Facebook through social plug-ins.
Common statement of Data Protection Authorities
The Belgian Privacy Commission participates in the Contact Group, established at European level, together with the Data Protection Authorities of France, The Netherlands, Spain and Hamburg. Each of these Data Protection Authorities currently has its own independent procedure against Facebook. The members of the Contact Group share however certain substantive objections, among others the lack of information and the lawfulness of consent of the person concerned.
Legal proceedings on the merits
On May 18th 2015, Facebook received a formal notice of default for violations of the Privacy Act and the Electronic Communications Act. On June 10th 2015, the Belgian Privacy Commission summoned Facebook Inc., Facebook Belgium BVBA and Facebook Ireland Limited in summary proceedings before the President of the Dutch Court of First Instance in Brussels. The object of the summary proceedings was limited to the registration of the browsing behavior of people who are not Facebook users through social plug-ins and cookies, in particular the so-called 'datr' cookie. The summary order of November 9th 2015, in which Facebook was ordered to discontinue the disputed use of the datr cookie, was annulled on 29 June 2016 by the judge sitting in chambers to deal with urgent matters upon appeal for reasons of competence and a lack of urgency. The Privacy Commission is now focusing on the legal proceedings on the merits.