On February 16, 2018, the Brussels Court of First Instance rendered a judgment in proceedings brought by the Belgian Privacy Commission’s against Facebook. The case forms one part of two-tiered litigation brought by the Commission in regards to alleged monitoring practices vis-à-vis Belgian internet users. In parallel to the proceedings that resulted in the judgment cited above, the Belgian Privacy Commission had also initiated a procedure referred to as “summary proceedings” against Facebook – and Facebook defeated the Privacy Commission’s claim before the Brussels Court of Appeal in June 2016.
The more recent judgment comes from the Belgian Court of First Instance (the “Court”) and concerns both Facebook users (Belgian internet users with Facebook accounts) and non-users (Belgian internet users without Facebook accounts). In these proceedings, the Court found in favor of the Privacy Commission, granting claims directed at three Facebook entities for allegedly improperly tracking the online behavior of internet users on Belgian territory through the use of social plug-ins, cookies and pixels. Cookies are placed on a user’s device, usually in a first party capacity (i.e. by Facebook itself), and retrieved when the user visits a third party website (e.g. through the use of a Facebook social plug-in integrated on that website). According to the Court, this in theory allows Facebook to track the user’s browsing behavior.
The Court ordered all three Facebook entities to cease the placement and collection of cookies with tracking capabilities without obtaining the user’s informed consent and offering an opt-out mechanism. The Court also ordered Facebook to delete personal information collected via such cookies from its own servers and from servers operated on its behalf. Material non-compliance with the Court’s order could potentially result in a civil penalty of 250,000 EUR per day, capped at 100 million EUR.
While the Court’s ruling has been widely published, it raises a number of questions that may yet be addressed on the appellate level. The Court adopted the Belgian Privacy Commission’s suggestion that it had jurisdiction over two non-Belgian Facebook entities, Facebook Ireland Ltd (“Facebook Ireland”) and Facebook Inc. (“Facebook Inc.”) – and it also found that Belgian privacy law applied to each entity. The Court reasoned that the territoriality principle of public international law made it competent to adjudicate the Privacy Commission’s claims against Facebook Ireland and Facebook Inc. The territoriality principle generally permits a state to subject conduct occurring on its territory to its laws, including conduct that occurs abroad but causes effects within its territory. However, Belgian privacy statutes do not expressly state that they govern conduct occurring abroad; instead, the Court used public international law principles to arguably extend the reach of Belgian privacy law to Facebook Ireland and Facebook Inc. This is a novel argument that Facebook may elect to challenge before the Belgian appeals courts.
Note that the under the GDPR, the Court’s resort to public international law to extend the scope of privacy law to non-EU actors may no longer be necessary. Unlike its predecessor Data Protection Directive and the Belgian privacy statutes passed to implement it, the GDPR provides for explicit extraterritorial application to companies outside the EU that “offer services to” or “monitor the behavior of” EU users from (see Art 3(2) GDPR).
* * *
Alston & Bird and its Brussels-based EU Privacy Team is closely following DPA action and privacy litigation in the EU Member States. For more information, contact Jan Dhont, Jim Harvey or David Keating.