Belgium to Facebook: stop tracking non-Facebook users or face $267K daily fines

Max Schrems must be pleased.

He who rose up from the ranks of Facebook’s privacy-ravaged users to file complaints against what he said was Facebook’s illegal data collection/retention, and is now witnessing the fruits of his labor.

Or, as he tweeted in response to the Belgian court giving Facebook 48 hours to stop tracking those without Facebook accounts, lest it face substantial penalties, “*WOW*”:

Max Schrems @maxschrems
*WOW* @SophieKwasny: episode Belgium v. Facebook. Judge gives 48 hours to conform to law or will be fined 250000 euros / day

As the AFP reports, Belgium set the clock ticking on Monday, saying that Facebook would face fines of up to €250,000 EUR ($267,000 USD) a day if it doesn’t comply within 48 hours.

Facebook said it will appeal.

The AFP quotes the court decision:

Today the judge... ordered the social network Facebook to stop tracking and registering internet usage by people who surf the internet in Belgium, in the 48 hours which follow this statement.

If Facebook ignores this order it must pay a fine of 250,000 euros a day to the Belgian Privacy Commission.

The court order is the latest salvo in the Europe v. Facebook privacy battle.

It follows a case lodged by Belgium’s privacy watchdog – the Belgian Privacy Commission (BPC) – which dragged Facebook into court in June for allegedly “trampling” over Belgian and European privacy law.

In June, the court said that Facebook indiscriminately tracks internet users – even non-Facebook users – when they visit its pages or pages on other sites with “like” or “share” buttons.

Since then, the BPC’s lawyers have called Facebook “as bad as the NSA [National Security Agency].”

The latest in a string of EU slap-downs

This 48 hours or-else decision is only the latest EU action against private data flowing into Facebook.

Last month, the EU’s highest court struck down the transatlantic Safe Harbor agreement, which had allowed companies to transfer European citizens’ personal data to the US, calling the agreement “invalid” because it didn’t protect data from US surveillance.

At the heart of the recent Belgian court case is a move Facebook made in June 2014 to give advertisers more ammunition to target users, by mixing data about what we do on its site with data about what we do on other sites.

The Belgian court on Monday said that Facebook does indeed use a special cookie that visitors pick up if they visit a friend’s page on Facebook or any other page on the web with Facebook like or share code in it – all without the visitor having ever signed up for a Facebook account.

That cookie stays on a given device for up to two years, enabling Facebook to keep track of people and what they’ve looked at on the web.

AFP quotes the court’s statement:

The judge ruled that this is personal data, which Facebook can only use if the internet user expressly gives their consent, as Belgian privacy law dictates.

Facebook calls that cookie the “datr” cookie and says it’s safe.

Safe, or maybe even some type of prophylactic infosec wonder cookie.

In the recent “Facebook is as bad as the NSA” rhetoric swap, Facebook claimed that its cookies keep Belgium from becoming “a cradle for cyber terrorism.”

AFP quotes a statement from Facebook about its appeal of Monday’s court decision:

We've used the datr cookie for more than five years to keep Facebook secure for 1.5 billion people around the world.

We will appeal this decision and are working to minimize any disruption to people's access to Facebook in Belgium.

Back home in the US of A

Meanwhile, back on its home turf, Facebook is having a much easier time of it with a US regulator – the Federal Communications Commission (FCC) – having recently shrugged off the notion that it should trouble Google or Facebook with demands to honor “Do not track” requests.

The FCC dismissed a petition from rights group Consumer Watchdog, which had called on the commission to require “edge providers” – a catch-all term covering websites and apps, including Google, Facebook, YouTube, Pandora, Netflix, and LinkedIn – to honor such requests from consumers.

The FCC’s rationale: it doesn’t have the authority.

Consumer Watchdog thinks otherwise, and it’s reportedly considering an appeal.

Image of gavel on Belgium flag courtesy of Shutterstock.com

Leave a Reply