16 May
2017

The Belgian Authority publishes new recommendation relating to the processing of personal data by Facebook through cookies, social plug-ins and pixels

On 16 May 2017, the Belgian Authority published a new recommendation relating to the processing of personal data by Facebook through cookies, social plug-ins and pixels, in response to the latest modifications to Facebooks cookie policy and the manner in which it processes personal data. The Authority has found that Facebook is now processing even more personal data of both users and non-users of Facebook, without obtaining valid consent and without complying with other legal requirements. The legal proceedings on the merits against Facebook are still ongoing. At the same time, various procedures against Facebook have been initiated by the European Contact Group of Data Protection Authorities, who released a common statement on May 16th 2017.


Context

On 13 May 2015, the Belgian Authority published an own-initiative recommendation relating to the processing of personal data by Facebook of both Facebook users as well as non-users through cookies and social plug-ins. Since then, Facebook has revised its cookie policy and -practices in September 2015 and May 2016. For this reason, the Authority adopted a new recommendation (03/2017) on April 12th 2017, which contains both a technical and legal analysis of the recent modifications.

New cookie policy and new tracking techniques

Notwithstanding the latest changes in Facebooks practices, the Authority considers that Facebook still does not obtain valid consent from data subjects. Moreover, the Authority is of the opinion that the processing of personal data by Facebook through cookies and social plug-ins is excessive in several circumstances. 

One significant change is that Facebook currently also tracks the online behavior of people that do not have a Facebook account for advertising purposes.

Another significant change is that Facebook - since August 2016 - uses so-called “pixels” to obtain information on the online behavior of users and non-users. Like social plug-ins, “pixels” are tools which Facebook makes available to operators of external website. Such pixels do not appear on the external website as a button or an icon (similar to the “I like”-button), but as a tiny dot, invisible to the naked eye.

The Belgian Authority has ascertained that a number of Belgian websites also use Facebook pixels, including hln.be, rtbf.be and gezondheid.be. The current recommendation does not assess the legality of the practices of these website operators, but the Authority will launch a separate investigation in relation to these practices.

Recommendations to Facebook

The Belgian Authority recommends Facebook to:

  • inform data subjects in a clear manner about its use of cookies and their collection through Facebook social plug-ins, Facebook-pixels or similar technological means;
  • obtain valid consent for the placement of cookies insofar as they are not strictly necessary for the provision of a service expressly requested by the data subject;
  • abstain from the excessive collection of cookies through social plug-ins, Facebook-pixels or similar technological means;
  • abstain from providing information that could reasonably mislead the data subject regarding the actual impact of the mechanisms which Facebook provides to manage its use of cookies.

Recommendations to website operators and internet-users

The Authority also offers a number of additional recommendations for operators of external websites who make use of the technologies and services provided by Facebook.

Finally, the Authority again provides a number of recommendations to internet-users who wish to protect themselves against the tracking practices of Facebook through social plug-ins.

Common statement of Data Protection Authorities

The Belgian Authority participates in the Contact Group, established at European level, together with the Data Protection Authorities of France, The Netherlands, Spain and Hamburg. Each of these Data Protection Authorities currently has its own independent procedure against Facebook. The members of the Contact Group share however certain substantive objections, among others the lack of information and the lawfulness of consent of the person concerned.

Legal proceedings on the merits

The current judicial procedure on the merits between the Authority and Facebook (before the Dutch Court of First Instance in Brussels) is still ongoing. This procedure on the merits refers to the processing of personal data by Facebook of both users and non-users of Facebook, by the use of cookies (among others the so-called ‘datr’-cookie), social plug-ins and pixels. The procedure on the merits was introduced on January 15th 2016 and oral arguments are scheduled to take place on October 12th-13th 2017.

Previous proceedings

On May 18th 2015, Facebook received a formal notice of default for violations of the Privacy Act and the Electronic Communications Act. On June 10th 2015, the Belgian Authority summoned Facebook Inc., Facebook Belgium BVBA and Facebook Ireland Limited in summary proceedings before the President of the Dutch Court of First Instance in Brussels. The object of the summary proceedings was limited to the registration of the browsing behavior of people who are not Facebook users through social plug-ins and cookies, in particular the so-called 'datr' cookie. The summary order of November 9th 2015, in which Facebook was ordered to discontinue the disputed use of the datr cookie, was annulled on 29 June 2016 by the judge sitting in chambers to deal with urgent matters upon appeal for reasons of competence and a lack of urgency. The Authority is now focusing on the legal proceedings on the merits.