Belgium Rules Facebook Data Collection Illegal

Nearly three years after a Belgian court began its litigation against Facebook over privacy concerns, a ruling was made and the tech giant fell hard.

Now, the world’s largest social network is staring down daily fines of €250,000 (approximately $300,000 USD) — up to 100 million euros—until they cease collecting data on Belgian residents. Additionally, the court ruled Facebook must destroy any data it previously illegally obtained.

The Decision

The court said Facebook does not adequately inform users about what happens to their data: “Facebook informs us insufficiently about gathering information about us, the kind of data it collects, what it does with that data and how long it stores it,” the court said. “It also does not gain our consent to collect and store all this information.”

As we’ve previously reported, Facebook has a history of trouble with privacy compliance and user trust. In 2016, Facebook gave its newly acquired WhatsApp user-base the choice to either agree with sharing their information or leave the popular messaging platform altogether.

Though Facebook does offer a policy page on their use of cookies, including how users might opt out of targeted advertisements depending upon their location, these settings, like all ‘recommended’ settings on Facebook, are automatically engaged by default unless the user manually disables them. A user must also dig more deeply than necessary to locate all the privacy options. Moreover, Facebook’s policy page regarding the use of data collection is an extensive, alarmingly vague list of generalized information it collects from users for use with, among other things, targeted ads.

The Reception

The latest ruling comes as a victory for people who are not even members of the social network. At the heart of this lawsuit was the company’s collection of data from everyone online who visited an affiliate website, registered member or otherwise: “Facebook uses various technologies, such as the famous ‘cookies’ or the ‘social plug-ins’ (for example, the ‘Like’ or ‘Share’ buttons) or the ‘pixels’ that are invisible to the naked eye,” explained the Belgian Privacy Commission. “It uses them on its website but also and especially on the websites of third parties. Even if you have never entered the Facebook domain, Facebook is still able to follow your browsing behavior without you knowing it, let alone, without you wanting it, thanks to these invisible pixels that Facebook has placed on more than 10,000 other sites.”

Facebook spoke about their disappointment with the ruling, insisting it will seek another appeal. However, Richard Allan, Facebook’s vice president of public policy for Europe and Middle East Africa, told Reuters; “We’ll comply with this new law, just as we’ve complied with existing data protection law in Europe.”

In a recent statement, Belgium Secretary of State for Privacy Philippe De Backer said, “What a victory for privacy. You can not secretly follow someone on the internet without your knowledge, an important milestone for privacy in our country and Europe.”

This Brussels ruling against Facebook arrives before the dawn of a new regulatory effort. The General Data Protection Regulations moving into play across Europe in late May will bring the EU into an age where users have more control over their data, including a “right to be forgotten.” Keep an eye on our blog for future updates about these efforts to protect user privacy.