Once again, Facebook is in the spotlight. On November 9, following the Recommendation 04/2015 of May 13, 2015, issued by the Belgian Data Protection Authority (Belgian DPA) that we mentioned in a previous blog post, a Belgian court sentenced Facebook, under high penalties, to stop profiling data subjects when they simply navigate on third parties’ websites. Following its prior investigations, the Belgian DPA filed a claim against Facebook before a Brussels court, in order to obtain a preliminary ruling ordering the immediate interruption of the infringements. In its decision, the court highlighted the scope of profiling technologies implemented by Facebook, beyond the social network itself, for targeted advertisings and marketing purposes, and the lack of legal basis to do so.
Indeed, when a web user consults a Facebook page, shares Facebook content or simply consults a third party’s website where a “Like” button is incorporated, Facebook is able to track him/her via a specific cookie and collect data related to his/her individual interests. The data massively collected this way are then processed to propose commercial links in Facebook-related pages, even if the individuals concerned are not Facebook members.
Therefore, in substance, Facebook processes personal data for commercial purposes without complying with the legal basis of data subject consent, since these data subjects may not have entered into a contract with the firm. As ordered by the Belgian court in the decision issued on November 9, Facebook must now cease all profiling of Belgian web users without cause. Facebook must comply with this decision under a 48-hour deadline. If Facebook fails to comply with it, the firm will have to pay the Belgian DPA a fine of 250,000 Euros (approx. $270,000 USD) per day of delay.
Facebook intends to challenge the decision, but such appeal will not suspend its possible enforcement.
For more information on this Facebook case, please also refer to the following prior Password Protected blog posts: