The judgment in the Facebook case
The order, which has been demanded by the Belgian Privacy Commission in a writ of summons of 10 June 2015, enters into force 48 hours after the Privacy Commission will officially serve the judgment to Facebook. If Facebook does not comply with the order, it will have to pay a penalty of 250,000 EUR per day of non-compliance. The order remains in force, even if Facebook appeals the judgement.
In summary, the Court rules as follows:
1. Belgian data protection law applies and Belgian courts have jurisdiction
First, the Court finds that Belgian data protection law applies and that Belgian courts have jurisdiction. Facebook argued that it has to comply with Irish data protection law only and that only Irish courts have jurisdiction. However, the Court does not agree and refers to the Google Spain case of the EU Court of Justice of 13 May 2014, in which the latter ruled that the national data protection law of an EU Member State applies if the activities of a local establishment in that Member State are inextricably linked to the activities of the data controller. The Brussels Court finds that this is the case here, because Facebook founded the company Facebook Belgium SPRL in Belgium and this local company performs lobbying activities in Belgium for the Facebook group and is involved in marketing and selling advertisement space of the Facebook service.
The Court points out that in this context it is irrelevant whether the data controller is Facebook Inc. or Facebook Ireland Limited, as Facebook Ireland Limited is also a part of the Facebook concern. It rules that it is also irrelevant whether Facebook Belgium SPRL itself does not process personal data or does not itself enter into contracts with advertisers.
In order to initiate summary proceedings, the case needs to be urgent. The Court finds that this condition is met, because claims that relate to fundamental rights and freedoms (such as the protection of privacy), are always urgent, and because this claim does not relate to the fundamental right of one single individual but of an enormous group of people. Because of the millions of websites with Facebook social plug-ins, it is almost unavoidable to escape from these. In addition, it may relate to very sensitive data revealing, for instance, health or religious, sexual or political preferences.
3. It concerns the processing of “personal data”
Facebook processes, amongst other things, the IP address and a “unique identifier” contained in Facebook’s datr cookie. The Court finds that these are “personal data” and that Facebook's collection thereof constitutes a “processing” of personal data. Facebook had argued that these are not personal data because these would merely enable to identify a computer.
4. Violation of Belgian data protection law
Subsequently, the Court finds that the fact that Facebook collects data on the web surfing behaviour of millions of people from Belgium who have decided not to become a member of Facebook’s social network, is a “manifest” violation of Belgian data protection law, irrespective of for which purposes Facebook uses these data after having collecting these.
The Court points out that Facebook cannot invoke any legal justification for processing personal data of people who do not have a Facebook account via cookies and social plug-ins, because:
• Facebook has not obtained their consent to do so;
• Facebook cannot invoke an agreement with people who do not have a Facebook-account;
• Facebook cannot invoke a legal obligation to do so;
• the security interest pursued by Facebook is overridden by the fundamental right to privacy of people who do not have a Facebook account.
In addition, according to the Court, Facebook’s processing of personal data of people who do not have a Facebook account is not fair and lawful, because their personal data are already processed even before they have been able to fully inform themselves about Facebook’s services and even though they do not want to use these services.
With respect to the security argument invoked by Facebook, the Court finds it not credible that collecting the datr cookie each time a social plug-in is loaded on a website, would be necessary for the security of Facebook’s services. According to the Court, “even an “internet illiterate” understands that systematically collecting the datr cookie as such is insufficient to counter the attacks referred to by Facebook because criminals can very easily circumvent this cookie from being installed by means of software which blocks cookies being installed”. Moreover, the Court finds that there are less intrusive methods to realise the intended security, so that Facebook’s processing of personal data of people who do not have a Facebook account is disproportionate.
The Court imposes a penalty upon Facebook amounting to 250,000 EUR per day that it does not comply with the order, because the penalty’s amount needs to be sufficiently deterrent. The Court points out that Facebook in 2014 realised a turnover of 12.4 billion US dollars and a profit of 2.9 billion US dollars and is one of the financially most capable companies in the world, so that the amount of 250,000 EUR is adequate.