Image: Hale Erguvenc, Getty Images

A ruling to protect German WhatsApp users' data from Facebook suggests that the EU bloc will not back down on protecting consumers' data privacy, despite an earlier win by Facebook in a Belgian appeal case.

This summer, the Brussels Court of Appeals decided to reverse an earlier ruling restricting Facebook from tracking non-Facebook users in Belgium through the use of cookies. The new ruling means Facebook is again allowed to place cookies on the computers of non-Facebook users.

It might seem that Facebook's win shows that European courts have little power in policing the digital privacy rights of their citizens in the face of large tech companies. But the Belgian and European privacy regulators continue to defend their strict consumer data-privacy rules against large tech companies.

In late September, the German privacy regulator in Hamburg ordered Facebook to cease collecting and storing the data of users of internet messaging company WhatsApp.

The Hamburg authorities believe that Facebook, which owns WhatsApp, has already stored the personal data of about 35 million WhatsApp users. The German regulator also ordered Facebook to delete this existing data from their servers.

While Facebook maintains that it has properly complied with the EU's strict digital-privacy rules, Germany says Facebook has committed a data breach of the country's specific data-privacy laws.

Germany's argument is that while WhatsApp users knowingly choose to upload their contact details into the messaging application, they may not be aware that it is sharing them with Facebook. Therefore, they say, Facebook takes these users' contact details against the users' wills, which is against German law.

A similar case against Facebook took place in Belgium in 2015. In December, a Belgian court ordered Facebook to stop placing data-tracking cookies on non-Facebook users' computers. At the time, the Belgian Privacy Commission had issued a set of recommendations to enforce in the case.

The commission felt that it was unlawful for Facebook to force data-tracking cookies onto non-Facebook members if they did not explicitly agree to Facebook's privacy policies.

Because non-Facebook users never gave informed consent to Facebook to take their data, Facebook could start tracking a non-Facebook user if the user simply visited Facebook's domain. These internet users would never have an opportunity to agree to Facebook's privacy policies.

Today, the Belgian Privacy Commission continues to lobby Facebook to comply with its 2015 recommendations and has decided not to challenge the outcome of June's Facebook appeal case.

In the meantime, German privacy regulators have continued the leadership that the Belgian court and the Belgian Privacy Commission established last year in policing the data of European consumers. Individual EU countries will need to defend their citizens' data privacy behind their national policies until forthcoming EU-wide legislation is set in place.

In May 2018, a new data-privacy policy will take effect across the EU, called the General Data Protection Regulation, or GDPR. These new regulations will replace the EU's current privacy rules, which have been in place since 1995. The updated rules aim to unify data privacy across the EU to simplify regulations for international businesses doing business in Europe.

According to the Belgian Privacy Commission, the new GDPR will replace the Belgian commission's current data-privacy recommendations. The commission is currently working to adapt its current privacy policies to the ones set out in the new GDPR.

Now that the German privacy regulator has issued its directive to Facebook, it is uncertain whether Facebook will permanently comply.

The same uncertainty loomed over Belgian internet users in the 2015 Facebook cookie case. Facebook subsequently filed for an appeal on the decision and won in June, when the Brussels Court of Appeals ruled that Belgian courts have no jurisdiction to enforce the provisions of the Belgian Data Privacy Act on foreign entities. Facebook's headquarters are in Silicon Valley, while Facebook stores European internet users' data in Ireland.

In the Belgian legal system, there is also an air of uncertainty over whether its courts will be able to defend citizens' personal data from large tech companies, says Caroline De Geest, a spokeswoman for the Belgian Privacy Commission.

Belgian courts should have the authority to proceed over legal suits against Facebook and other international tech companies over their personal data privacy, regardless of Facebook's win, De Geest says.

"It's not that this means that no court considers itself to have full jurisdiction over Facebook. It's just the decision of that particular court," she says.

At the end of 2017, the Belgian Court of First Instance will rule on the merits of the Facebook cookie case.

"In Belgium, we don't have binding precedence," De Geest says. "It's possible that the court that will have to decide on the merits of that case may decide completely differently."

Read more about data privacy