28/07/15

Belgian Privacy Commission Urges Facebook to Improve Compliance

On 13 May 2015, the Belgian Privacy Commission (Commissie voor de bescherming van de persoonlijke levenssfeer/Commission de la protection de la vie privée) (the "Privacy Commission") published a recommendation (the "Recommendation") regarding Facebook's use of personal data. In its Recommendation, the Privacy Commission confirms its jurisdiction over Facebook’s services and addresses the use of social plug-ins and cookies. The Privacy Commission also announced a second recommendation that will address other data protection compliance issues of Facebook’s services.

It is exceptional for the Privacy Commission to issue a recommendation targeting a named company on its own initiative. However, the Privacy Commission explains that it received many questions regarding Facebook’s terms of use from Facebook users, the media, the Belgian Federal Parliament, as well as the Secretary of State for Privacy. As a result, it felt compelled to issue recommendations, not only to Facebook, but also to websites using Facebook plug-ins (such as “Like” buttons) and Internet users in general.

On 27 November 2014, Facebook announced a global revision of its terms of use, and the new terms entered into force on 30 January 2015. The new terms explain how Facebook processes the information which it receives and how it uses social plug-ins and cookies. They also set out the rights of Facebook users.

Applicability of Belgian Data Protection Law to Facebook

As a preliminary issue, the Privacy Commission justified its jurisdiction over Facebook’s services.

The Privacy Commission rejected the notion that Facebook Ireland is the responsible controller for Facebook’s processing of personal data in the EU. Indeed, it held that Facebook applied a single set of terms and conditions everywhere and that, as a result, the US parent company Facebook Inc. rather than Facebook Ireland had determined the purpose and means of the data processing. Determining who defines the “purpose and means” of the processing allows identification of the controller responsible for the processing of personal data, which, in turn, determines the applicable law. Facebook had argued that Facebook Ireland should be considered as the “controller” and that this is decisive for determining the applicable national law under Article 4 (1) a) of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "Data Protection Directive").

The Privacy Commission referred to the Google Spain judgment of the Court of Justice of the European Union of 13 May 2014 (see VBB on Belgian Business Law, Volume 2014, No. 5, p. 6, available at www.vbb.com), to consider that Facebook has a subsidiary in Belgium (Facebook Belgium SPRL) which can be considered as an "establishment" of Facebook Inc. within the meaning of Article 4 (1) a) of the Data Protection Directive. Under that provision, Belgian law applies if the processing takes place in the context of the activities of this Belgian establishment.

Moreover, even if Irish law were to apply through Facebook Ireland, it is, according to the Privacy Commission, clear from Article 4 (1) a) of the Data Protection Directive that the application of Irish national law is not exclusive. Indeed, processing also takes place in the context of the activities of the Belgian establishment. Consequently, the Privacy Commission reached the conclusion that Belgian privacy laws apply to Facebook's activities and that Facebook must answer to the Privacy Commission.  

Use of cookies and social plug-ins

Having established its jurisdiction, the Privacy Commission then noted that social plug-ins (such as "Like" and "Share" buttons) allow Facebook to track the surfing behaviour of individuals (even non-users of Facebook) on a large number of webpages outside the domain of Facebook's social network. The social plug-ins install permanent cookies that contain unique identifiers. Such cookies are installed on users’ devices, even those of non-Facebook users, users who are logged out of Facebook or users who explicitly opted out from receiving targeted advertising through www.youronlinechoices.eu. Even if the user opted out, the cookies are still used for advertising purposes.

The Privacy Commission explained that the information received through the use of such cookies or plug-ins constitutes a "processing of personal data" which can only be authorised if there is an unambiguous and specific prior consent from the users (which is not the case when Facebook processes data from non-users).

Consequently, the Privacy Commission recommended that Facebook should provide full transparency about the use of cookies and that Facebook should refrain from placing long-lasting and unique identifier cookies on the devices of non-Facebook users, as well as from collecting and using data by means of social plug-ins unless it obtains the data subjects' unambiguous and specific consent.

Second, the Recommendation also contains advice addressed to website owners. In particular, the Privacy Commission recommended using measures such as “Social Share Privacy” which ensure that cookies are only installed if a user actually uses the “Like” or “Share” buttons.

Finally, the Recommendation offers guidance to end-users to protect their privacy online against Facebook’s social plug-ins.

Importantly, the Recommendation does not constitute a decision. The Privacy Commission is nevertheless of the opinion that its recommendations and the arguments it relies on are sufficiently clear and substantiated to constitute a set of rules safeguarding the observance of the law.

The Recommendation is remarkable for a number of reasons. First of all, the Belgian Privacy Commission takes a leading role in the international scrutiny of Facebook’s data protection policies. Second, the Privacy Commission applied the available general guidance, such as earlier recommendations on cookies and on social media, to a specific, named service at its own initiative. The Recommendation thus illustrates the shift in the Privacy Commission’s activities from a mere advisory body to a more enforcement-oriented authority.
