Facebook's European privacy problems aren't getting any easier.
On Monday, a court in Brussels delivered a ruling that gives the social media giant 48 hours to stop tracking Belgian internet users who are not registered with the social media site or face daily fines upwards of $268,000. The ruling determined that, according to the country's privacy laws, the company does not have the consent of those visitors to store data from their online activities.
The Belgian Privacy Commission, a watchdog group, brought the case against Facebook. At issue was its use of tiny "cookie" files that install themselves when a computer visits Facebook pages and allow the company to track the user's internet activity. It can then use data that is collected using this technology to deliver personalized content and tailor advertisements to the user.
"Facebook installs cookies that record when an internet user has visited a Facebook page — for example, a friend's page — but also when they visit the websites of stores, political parties, aid groups and other charities," the court said in a statement. "These cookies record internet users' interests and preferences."
Facebook argues that European privacy laws only apply to its operations in Ireland, where its regional headquarters is located, and immediately said that it would challenge the decision in the Belgian Court of Appeal. But it's not going to chance having to pay a costly mountain of fines in the meanwhile. The social media site is taking measures to stop harvesting data from unregistered users that should be in place by the end of the week.
According to Belgian privacy law, internet users can only be tracked if they have been informed of and have agreed to the recording of their browsing activities. Accepting the company's terms and conditions in signing up for an account grants this consent, but at issue is the information of unregistered visitors who happen to visit a page in the network, such as a fan site.
"We believe that the ruling is an important step towards better privacy laws for internet users," said the researchers Brendan Van Alsenoy and Günes Acar, who had authored a report for the privacy protection commission earlier this year that investigated Facebook's data use and privacy policies. "It sends a clear signal: web companies aren't allowed to trace individuals indiscriminately without their consent and without them knowing about it."
According to their report, Facebook has been doing so using a file known as the "datr cookie."
The researchers believe that the tech corporation's use of datr violates European consumer protection laws, in particular, article 5(3) of the European Union's e-Privacy Directive on data protection in the digital age. The article stipulates that "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information."
The report also criticized the fact that users registered with Facebook had no meaningful choice but to accept Facebook's tracking policy, and that their online activities could still be accessed once they had logged out of or deactivated their account.
The privacy commission had earlier recommended that Facebook "refrain from systematically placing long-life and unique identifier cookies with non-users." But Facebook ignored the recommendation, pointing to the central role cookies play in ensuring security and site integrity.
On October 13, Facebook's chief of security Alex Stamos posted a statement contending that cookies play "a fundamental role in our efforts to keep people safe. Most significantly, we use the datr cookie to help differentiate legitimate visits to our website from illegitimate ones."
The commission countered that it is possible to guarantee user security in a less intrusive way, and argued that any potential attacker could simply block and remove cookies when launching an attack on the site.
The ruling is just the latest legal headache for Facebook in Europe. The company is currently facing proceedings in Austria, after an Austrian appeals court ruled that a case involving a privacy complaint lodged by an Austrian law student could move forward.
On October 6, the European Court of Justice ruled invalid a data transfer pact known as the "Safe Harbor" agreement, which allowed tech companies like Facebook to move digital information — including personal data — between the EU and the United States. The court determined that such access to the data of EU individuals violated EU privacy laws.
As a result of the ECJ's ruling, a court in Dublin ordered Ireland's Data Protection Commission to investigate the social network's privacy and data transfer policies in Europe.