Belgian Regulator Finds Facebook Violations; Company Says Ireland Has Privacy Oversight

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

May 15 — Facebook Inc.'s use of social plug-ins on third-party websites to collect the personal data of Internet users breaches Belgian and European Union privacy law, the Belgian Privacy Commission said in a recommendation report to the social media giant made public May 15.

Facebook uses plug-ins, such as like or share buttons, to “secretively” collect the data of “all internet users who come into contact with Facebook,” whether or not they are Facebook members, the Belgian Privacy Commission said in a May 15 statement.

Facebook disputed the binding authority of the commission's findings, saying in a May 15 statement to Bloomberg BNA that it was “already regulated in Europe and complies with European data protection law.”

Facebook maintains that because its European operations are headquartered in Ireland, only the Irish Data Protection Commissioner has jurisdiction to regulate its activities. The applicability of the Belgian Privacy Commission's recommendation is “unclear,” the company said.

“We will of course review the recommendations when we receive them with our European regulator, the Irish Data Protection Commissioner,” Facebook said.

Belgian Privacy Commission President Willem Debeuckelaere told Bloomberg BNA May 15 that the commission was confident in its authority to regulate Facebook's practices due to the physical presence of a lobbying office in Brussels. In addition, national supervisory authorities are obliged to protect the privacy rights of their citizens, he said.

Right to Forget Jurisdiction Theory 

Debeuckelaere said the May 2014 right to be forgotten ruling of the European Court of Justice was significant to establish jurisdiction. The EU's top court held that the Spanish DPA was competent to regulate Google Inc. because of its marketing presence in Spain.

Google has complied with the ECJ's right to forget decision, Debeuckelaere said, adding that “we hope after Google, Facebook will take the same position.”

But Tom de Cordier, counsel with Allen & Overy LLP in Brussels, told Bloomberg BNA May 15 that he had doubts over whether that presence was sufficient to provide the Belgian data protection authority with jurisdiction over Facebook.

The commission might struggle to prove that the activities of a lobbying office in Brussels were “tightly linked” to Facebook's social media business, de Cordier said. It isn't clear if there was “enough of a nexus between the Belgian entity and the social media activity being run out of Ireland and the United States,” he said.

In addition, the commission can't argue that Belgian citizens don't have recourse against Facebook under EU law because the company has said that the Irish regulator is competent and Belgian citizens could file privacy cases in Ireland, de Cordier said.

Tracking Via Social Plug-Ins 

The Belgian Privacy Commission found that Facebook collects information about visitors to non-Facebook websites that include social plug-ins, which are present on 35 of the 100 websites most visited by Belgian Internet users.

For Facebook members that visit third-party websites while logged-in to Facebook, the information collected includes Facebook and Internet browser identifiers, the commission said. For non-Facebook members, Facebook is able to track browsing behavior by placement of unique identifier cookies with a two-year life span, the commission said.

Facebook's potential tracking of online behavior also applies to Facebook users that are logged out of Facebook, that have deactivated their Facebook accounts and that have opted out of targeted Facebook advertisements, the commission said.

Facebook is “in a unique position, since it can easily link its users' surfing behavior to their real identity, social network interactions and sensitive data such as medical information and religious, sexual and political preferences,” the commission's recommendation, which is dated May 13, said.

“This implies that tracking by Facebook is more intrusive compared to most of the other cases of so-called ‘third-party tracking,' ” the recommendation added.

Instructions to Facebook 

The commission recommendation said that Facebook “must provide full transparency about the use of cookies” and should only use cookies to collect information about non-users of Facebook with their consent.

The consent requirement should also apply to “deactivated users and users who have logged out,” who must “be treated like non-users in this context,” the recommendation said.

Facebook should also ensure that “the mere presence of a social plug-in on an external website does not lead to the transmission of data to Facebook,” and Facebook should, for example, only send data when users click on a share button, the recommendation said.

Belgian DPA chief Debeuckelaere told Bloomberg BNA that he would seek a response from Facebook to the commission's recommendation. The Belgian investigation of issues arising from a new Facebook privacy policy, which was introduced at the end of January, is taking place in liaison with other EU data protection authorities.

“It's an ongoing process,” he said. “We hope we can have a good discussion, with our Dutch, German and Spanish colleagues together, and come to a settlement.”

Although the Belgian Privacy Commission has limited enforcement powers, it can pass cases of continued noncompliance to the Belgian federal prosecutor, which could potentially trigger a criminal investigation, Debeuckelaere said.

Further Recommendations Coming 

The commission's recommendation report relied to a great extent on an advisory report prepared by the Interdisciplinary Center for Law & Information and Communications Technology at Belgium's Leuven University.

The February draft report found that Facebook's updated privacy policy contravenes EU privacy law and that Facebook insufficiently seeks the consent of data subjects.

Cliff Beeckman, an information security adviser at the Belgian Privacy Commission, told Bloomberg BNA May 15 that the regulator is working on another recommendation report to Facebook, to be published in the next few months related to other issues raised in the advisory report.

Beeckman added that Facebook had provided limited answers to the Belgian Privacy Commission about its collection of Internet user information via social plug-ins.

Facebook says “they don't use that information, but they shouldn't collect that information in the first place,” he said.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald G. Aplin at

The Belgian Privacy Commission's recommendation report to Facebook is available at