Belgium vs Facebook On November 9th, 2015, a Belgian court ordered Facebook to stop tracking non-Facebook users, and imposed a fine of $250,000 per day in case of non-compliance. A look at the facts, the rules at hand, and the questions that matter.

The story so far This is a story about privacy, and about collision between two worlds that are dear to me - Belgium and Silicon Valley. On November 9th, 2015, a Belgian court ordered Facebook to stop tracking non-Facebook members in Belgium and gave the company 48 hours to comply. A fine of $250,000 per day was set to encourage cooperation. Unsurprisingly, Facebook immediately stated that it would appeal the judgement. According to the BBC, the Belgian Privacy Commission stated at the end of November that the judgement had yet to be formally served to Facebook because it is "waiting for an English translation" of the 33 pages (a Dutch version of the judgement can be found here). Facebook stated at that time that it was negotiating with the Belgian Privacy Commission. Update 1: On December 2nd, the company stated that it would stop tracking browsers of Facebook pages in Belgium who are not signed into a Facebook account, hence complying with the judgement. The immediate effect for Belgian Facebook visitors? Certain facebook pages that were viewable without logging in before, will now no longer be visible until the user signs in. Facebook still plans to appeal the ruling, but is now no longer at risk of seeing a fine of EUR 250,000 / day levied against it. Update 2: On December 4th, Privacy Commissions of the Netherlands, Spain, France, Spain, Hamburg and Belgium issued a joint statement, calling upon Facebook to "comply with these orders in all territories of the EU". This joint statement escalates the matter from a small annoyance to something that may very well impact Facebook's data collection policies across the entirety of the European Union. Update 3: On January 28th, Politico reported that Facebook is appealing the ruling of the Belgian court, based on a rather interesting theory. The court’s ruling contained some English words — like "cookie", "homepage" and "browser". Belgian law enshrines a wide range of protections for the countries' different language groups. Amongst others, it says that all rulings must be in the official languages of the country: French, Dutch and German. Because words such as "cookie", "homepage" and "browser" were not translated, Facebook argues, the whole ruling must be annulled. Dirk Lindemans, who represents Facebook in Belgium, comments: “It is a requirement that justice for all is understood. Otherwise you get a slippery slope towards class justice”. It remains to be seen whether the court will agree with this procedural argument. Dutch being my mother-tongue, I can attest that I (together with most other Belgian citizens, regardless of their language group) would say "cookie" rather than "koekje", "homepage", rather than "thuispagina" and "browser" rather than "webnavigator".

#Privacywars The feud between Facebook and the Belgian Privacy Commission dates back to early 2015, when a group of Belgian researchers released a study (sponsored by the Commission) that demonstrated some of the more dark-side tracking capabilities of Facebook's social plugins. The study showed how the company tracks behavior on its own domain and on sites of third parties. This included scenarios where the user is tracked even when logged out of Facebook and where the user had explicitly opted out of being tracked through a Facebook-recommended opt-out site (Facebook ascribed the latter situation to a bug). In June 2015, the Belgian Privacy Commission took Facebook to court for violating Belgian privacy laws. That Belgium is picking a battle with Facebook makes for a mildly interesting story in itself. But the implications of this case reach beyond the Belgian sphere of influence. To understand what's going on, we need to dive a little bit deeper into the technical and legal aspects. The technology When you visit Facebook or a website that embeds one of the Facebook widgets (such as the like button or comment feed), facebook places a cookie on your computer. This little file, basically a message from Facebook's servers to your web browser, contains a “unique identifier”. You can see it in the screenshot below, which was taken when visiting facebook in an incognito window. As you travel across the Internet, the information in this cookie is retained. If you visit another website that embeds the Facebook tracking code, the value in the datr cookie persists, allowing Facebook to associate the two separate webpage visits with each other. You can see this in the screenshot below, taken immediately after the previous one. In other words, Facebook was able to track my movements on the Internet from one page to another, even though I was never signed into Facebook. And because Facebook is embedded into a lot of websites, that technical capability is rather significant. The law On the legal side of things, it's important to understand that Belgian privacy law is mainly an implementation of European privacy rules. European privacy rules are not like US privacy rules. Just have a look at the Data Protection Directive, implemented by all EU member states. The Data Protection Directive provides for strong privacy protections, that are often at odds with the rapid advances of technology, in contrast with the more light-touch approach typical of the US common law system.

The European Data Protection Directive defines 'personal data' very broadly. It covers "any information relating to an identified or identifiable natural person ("the data subject") [...], in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity". The identification number in the screenshot above comes to mind. Processing personal data is defined equally expansive, "as any operation [...] performed upon personal data [...], such as collection, recording, organization, storage, adaptation or alteration, [...]". As you can tell, it does not take much to be processing personal data. This designation of "data processor" is important, as the Data Protection Directive imposes obligations on those who "process" personal data. Personal data may be processed only in a limited number of circumstances, such as when the data subject has given his consent, or when the processing is necessary to for the performance of a contract to which the data subject is party.

The judgement In its judgement, the Belgian court ruled on a couple of key points. Because the Belgian court ruled based on these rules, its judgement is relevant for (but not binding upon) other EU Member States. 1. Belgian data protection law applies and Belgian courts have jurisdiction Facebook, which has its European HQ in Ireland, had argued that it has to comply with Irish data protection law only and that only Irish courts have jurisdiction. The Belgian Court disagreed. Referring to a case before to EU Court of Justice, it held that the activities of Facebook's Belgian entity (Facebook Belgium SPRL) were "inextricably linked" to the activities of Facebook as a whole. 2. Urgency The court decision was made in summary judgement, a procedure that requires "urgency". The Court deemed the situation urgent, because claims that relate to fundamental rights and freedoms (such as the protection of privacy), are always urgent, and because this claim relates not to the fundamental right of one single individual, but to the rights of an large group of people. 3. Facebook is processing “personal data” The Court decided that the IP address and the “unique identifier” contained in Facebook’s datr cookie are “personal data” and that Facebook's collection thereof constitutes a “processing” of personal data. Facebook had argued that these are not personal data because these would merely enable to identify a computer. 4. Violation of Belgian data protection law Subsequently, the Court called the fact that Facebook collects data on Belgian web users who have decided not to become a member of Facebook’s social network, a “manifest” violation of Belgian data protection law, irrespective of for which purposes Facebook uses the data. The Court notes that Facebook does not have any legal justification for the processing personal data of people who do not have a Facebook account via cookies and social plug-ins, because: • Facebook has not obtained their consent to do so; • Facebook cannot invoke an agreement with people who do not have a Facebook-account; • Facebook cannot invoke a legal obligation to do so; • Any security interest pursued by Facebook is overridden by the fundamental right to privacy of people who do not have a Facebook account. The court took issue with the fact that personal data is processed before the data subjects have been able to fully inform themselves about Facebook’s services, even though they may not want to use these services. It rejected Facebook's argument that the data collection was necessary for security purposes (more on that below). 5. Penalty The Court imposed a penalty on Facebook amounting to 250,000 EUR per day that it does not comply with the order. So far, there are no indications that the judgement has been executed.