On 13 November 2014, Facebook announced a global revision of its data policy, cookie policy and terms. Following this announcement, a Contact Group was created at European level with the Data Protection Authorities (DPAs) of The Netherlands, France, Spain, Hamburg and Belgium. The members of the Contact Group have initiated national investigations, relating to, amongst others, the quality of the information provided to users, the validity of consent and the processing of personal data for advertising purposes. Three of the members publish results today (France, Belgium and the Netherlands).

Results of national procedures

In France the Restricted Committee of the CNIL has decided to pronounce a public sanction of 150,000 euros against Facebook Inc. and Facebook Ireland Limited. The Restricted Committee finds that the Facebook group does not have a legal basis to combine of all the information it has on account holders to display targeted advertising. It also finds that the Facebook group engages in unlawful tracking, via the datr cookie, of internet users. The cookie banner and the mention of information collected “on and outside Facebook” do not allow users to clearly understand that their personal data are systematically collected as soon as they navigate on a third-party website that includes a social plug in.

In Belgium the Belgian Privacy Commission today issues new recommendations to the Facebook Group  about its tracking of users and non-users of Facebook through cookies, social plug-ins and pixels, following Facebook’s changes thereto in September 2015 and May 2016 after the Privacy Commission’s first recommendations of 15 May 2015.  The Belgian Privacy Commission considers that Facebook continues to act in non-compliance with both Belgian and EU data protection law as regards the tracking of both users and non-users of Facebook through cookies, social plug-ins and pixels. In particular the legal requirements regarding consent, fairness, transparency and proportionality are not met, amongst others due to the shortcomings in the information that Facebook communicates to data subjects and the inadequacy of the choices that Facebook offers data subjects.

The Belgian Privacy Commission further considers that the collection of personal data by Facebook using cookies, social plug-ins and pixels is excessive in several circumstances. The Privacy Commission is seeking judicial enforcement of its recommendations before the Court of First Instance of Brussels. Oral pleadings are set to take place on 12-13 October 2017.

In the Netherlands, Facebook Group violates Dutch data protection law. That is the conclusion of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens; hereinafter: DPA) after its investigation into the processing of personal data of 9.6 million Facebook users in the Netherlands. The company breaches Dutch data protection law including by giving users insufficient information about the use of their personal data. The Dutch DPA has also found that the Facebook Group uses sensitive personal data from users without their explicit consent. For example, data relating to sexual preferences were used to show targeted advertisements. The Facebook Group has made changes to end the use of this type of data for this latter purpose. The Dutch DPA currently assesses whether the other violations have stopped. If that is not the case, the Dutch DPA may decide to issue a sanction.

In Germany (Hamburg) the Hamburg DPA has issued two different orders relating to the Facebook Group. One case was centered around the use of pseudonyms. Facebook appealed against the decision. The Higher Administrative Court lifted the order to allow pseudonymous use, without taking a decision on the question whether the Hamburg DPA was competent. Instead the Court referred to the ongoing procedure at the European Court of Justice to decide about applicable law (in the case of the DPA of Schleswig Holstein, EUCJ case C-210/16 [1]). In a second procedure, the Hamburg DPA ordered the Facebook Group to stop combining data from WhatsApp users without their prior consent. On 25 April 2017, the (lower) Administrative Court confirmed the validity of this order, without deciding on applicable law. [2]

In Spain, the Spanish DPA, after preliminary investigations on FB’s privacy policy and terms of use opened two infringement procedures. The procedures, taking into account the results of the investigations, are based on the alleged infringement of the provisions of the Spanish data protection law.

Applicable law

In each of the aforementioned national investigations, the Facebook Group has contested the applicability of national data protection law of the Member State in question. According to the Facebook Group, only Irish data protection law would be applicable, and only the Irish DPA would be competent to supervise the processing of personal data of users of the service in Europe. However, the DPAs united in the Contact Group conclude that their respective national data protection law applies to the processing of personal data of users and non-users by the Facebook Group in their respective countries and that each DPA has competence. Following case law from the European Court of Justice (the cases of Google Spain, Weltimmo and Amazon [3] ), the DPAs note that the Facebook Group has offices in multiple countries in the EU. These offices aim to promote and increase the sales of targeted advertising aimed at national users and non-users of the service. For its revenues, the Facebook Group almost completely depends on the sale of advertising space, and personal data must necessarily be processed for the type of targeted advertising services offered by the Facebook Group. Therefore, the activities of these offices are “inextricably linked” to the data processing by the Facebook Group, and all the investigated national offices are relevant establishments under Article 4(1)a of the European Data Protection Directive 95/46/EC.