On 16 February 2018, the Dutch-language Brussels Court of First Instance (Nederlandstalige Rechtbank van Eerste Aanleg te Brussel/Tribunal de Première Instance néerlandophone de Bruxelles – the “Court”) handed down a significant judgment finding Facebook’s use of cookies to be in breach of Belgian privacy laws. The Court ordered Facebook to: (i) stop placing various infringing cookies on users’ devices; (ii) stop collecting information from these cookies; and (iii) cease providing any ‘misleading’ information on how the company uses cookies. In addition, the Court demanded that Facebook should delete any infringing information that had already been collected. If Facebook fails to comply with the order, it will have to pay a daily penalty of EUR 250,000.
The case pitted Willem Debeuckelaere, in his capacity as President of the Belgian Privacy Commission (Commissie voor de bescherming van de persoonlijke levenssfeer/Commission de la protection de la vie privée - the “claimant”) against Facebook Ireland Limited, Facebook Inc. and Facebook Belgium BVBA (“Facebook”). The Privacy Commission intervened in the case to support the position of its President.
This case on the merits follows earlier summary proceedings between the parties. In these summary proceedings, the injunction imposed on Facebook at first instance (which caused Facebook to close its website to all non-registered users in Belgium) was overturned on appeal, largely on procedural grounds (see VBB on Belgian Business Law, Volume 2016, No. 7, p.7, available at www.vbb.com). However, the scope of the new proceedings on the merits is broader than that which was at issue during the summary proceedings and concerns not only the registration by Facebook of the browsing histories of non-members, but also of its members. In addition, these proceedings concern the use of the so-called “c_user”, “xs”, “sb”, “fr” and “lu” cookies and “pixels”, in addition to the “datr” cookie, which was the main subject of the summary proceedings.
Territorial Competence of Court
In the summary proceedings, the Court of Appeal had refused the territorial competence of the court to rule over Facebook Inc. and Facebook Ireland. By contrast, the Court in the case on the merits accepted territorial jurisdiction over the three Facebook entities. The Court held that it was necessary for the Privacy Commission to be able to bring an action before the national court in order to have effective supervisory powers. Under Article 32, §3 of the Belgian Law of 8 December 1992 protecting privacy regarding processing of personal data (Wet tot bescherming van de persoonlijke levenssfeer ten opzichte van de verwerking van persoonsgegevens/ Loi relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel - the “DPL”), the President of the Privacy Commission can bring actions for infringement of the DPL before the Court.
Relying on the Google Spain case (C-131/12) (see VBB on Belgian Business Law, Volume 2014, No. 5, p. 6, available at www.vbb.com), the Court added that the activities of the Facebook group were linked with those of Facebook Belgium BVBA. The Court concluded that the processing of personal data took place in the context of the activities of Facebook in Belgium, and as a result, falls within the territorial scope of the DPL. Since the DPL authorises the President of the Privacy Commission to bring an action before the Court, the Court accepted territorial jurisdiction for this case.
Merits: No Informed Consent
In assessing the merits of the case, the Court held that Facebook could only place its cookies (and similar technologies, such as pixels) and access the information collected through the use of these cookies, subject to the prior informed consent of the data subjects. The Court added that Facebook bears the burden of proving that such informed consent has been secured.
In the case at hand, the data subjects are users as well as non-users of the Facebook social network. This is because Facebook also places cookies on devices of visitors of third party websites which use Facebook plugins, such as news websites featuring Facebook “like” buttons.
In its defence, Facebook referred to its use of a cookie banner on its own website. As regards cookies (and similar technologies) placed on third party websites, it explained that it relies on these third parties’ cookie acceptance mechanisms.
However, in assessing the information provided by Facebook through its own cookie banner, and the cookie policy to which this banner refers, the Court found that the policy was insufficiently clear on the processing operations. Indeed, the Court held that users could not reasonably be expected to understand that their behaviour would be tracked to the extent that it was based on the information provided. Furthermore, the Court held that the information was incomplete as it failed to inform data subjects about their rights to access and rectify their data.
In addition, the Court considered that the mechanism for collecting consent did not ensure “free, specific and unambiguous” consent from the data subject. The Court found that Internet users only had a choice to accept all cookies or none at all. Moreover, users who had opted out of cookies through their browser settings could still be targeted by Facebook.
As regards third party websites, the Court followed the reasoning of the Privacy Commission that Facebook determines the “purposes and means” of its use of cookies on third party websites and that Facebook therefore must be regarded as a “controller” of these cookies. The Court held that, as a controller, Facebook had taken insufficient measures to ensure that the third party website holders obtained consent for the use of Facebook’s cookies.
All of this formed the basis for the Court’s order which Facebook said it would appeal.
By Thibaut D’hulst, Associate, tdhulst@vbb.com and Melody Moodley, Associate, mmoodley@vbb.com