The Brussels tribunal of first instance yesterday issued an injunction against Facebook to stop it collecting personal data from non-Facebook users in Belgium. The injunction, initiated by Willem Debeuckelaere, President, Belgium’s Commission for the Protection of Privacy (DPA), takes effect within 48 hours after notification of the judgment which was published on 9 November. If Facebook fails to comply, it faces a fine of 250,000 euros, payable to Belgium’s DPA.
The Tribunal says that Facebook’s practice of putting cookies on devices of non-Facebook registered users visiting Facebook violates Belgian data protection law. According to Facebook, these cookies are necessary for security reasons.
Belgium’s DPA published on 16 May 2015 a statement which provides the basis for this case. It stated “Since January 2015 the privacy commissions of the Netherlands (the lead authority), Hamburg-Germany and Belgium have worked together as an own-initiative group. France and Spain recently joined the contact group…. Up to this day Facebook refuses to recognize the application of Belgian legislation nor the Belgian Privacy Commission.”
A Facebook spokesman said: “We've used the datr cookie for more than five years to keep Facebook secure for 1.5 billion people around the world. We will appeal this decision and are working to minimize any disruption to people's access to Facebook in Belgium.”
Importantly, the Tribunal ruled, following the view of Belgium’s DPA, that Facebook is subject to Belgian DP law for all its activities in Belgium. Facebook’s lawyers argued in vain that Facebook organises its European activities entirely from its establishment in Dublin, Ireland. Consequently, according to Facebook, it only needs to take into account the Irish data protection legislation under the supervision of Ireland’s Data Protection Authority. But the judge rejected this argument and referred to the decision of the European Court of Justice in the Google Spain case as a precedent.
If the decision of the Brussels tribunal is followed in other EU Member States, DPAs in these Member States will now also claim that they are competent to supervise Facebook’s activities in their territory. In practice, this would mean that, as long as European data protection law is not entirely harmonised, Facebook would need to take into account all 28 different data protection regimes in the EU.
The Brussels-based lawyers representing the Belgian DPA were Frederic Debusseré, Partner; Jos Dumortier, Partner; and Ruben Roex, Associate; from the law firm, time.lex. The Brussels-based lawyers representing Facebook Belgium were Dirk Lindemans, Partner, Liedekerke Wolters Waelbroeck Kirkpatrick ; and Henriette Tielemans, Partner, Covington & Burling.