ECJ to clarify power of Belgian watchdog on Facebook cookies

In 2015, a case against Facebook was initiated, based on an investigation undertaken by the former Belgian privacy commission (which became the Belgian DPA in 2018 following new EU data protection provisions.)

The probe revealed that the social media giant was tracking the browsing behaviour of internet users in Belgium through cookies stored in Facebook's social plug-ins - whether or not they were members of the social network. That practice that remains in place today.

Accordingly, a Brussels court found Facebook guilty of breaching Belgian privacy legislation.

Facebook then argued that only Irish courts had the jurisdiction to initiate a proceeding before a court, given that Facebook's European headquarters are in Dublin.

However, the court ultimately found that it effectively had the jurisdiction to evaluate whether Facebook complies with Belgian law.

When the case arrived at the Belgian court of appeal last year, the DPA decided to refer this case to the ECJ to clarify the competency of the Belgian privacy watchdog before making a ruling.

The EU's data protection regulation (GDPR), which entered into force in 2018, introduced a mechanism for multi-state investigations - known as 'one-stop-shop' - which is supposed to serve both people and companies.

Such multi-state investigations require that a lead authority drives investigations in cooperation with other data protection agencies.

However, the GDPR also allows some room for manoeuvre for national privacy regulators to rule on violations limited to a specific country.

For the Belgian DPA, which is not the lead authority in this long-standing investigation, the Facebook case raises important questions regarding the application of European law.

"The question is whether or not the one-stop-shop mechanism under the GDPR is exhaustive or leaves some room for local DPAs such as the Belgian DPA to enforce, in particular by bringing court proceedings before a national judge," Belgian watchdog spokesperson Aurélie Waeterinckx said.

According to Belgian DPA lawyer Rubin Roex, "GDPR does not say anywhere that the lead authority has exclusive competence and that the non lead authority may not go to court".

Previously, the European Commission admitted in its GDPR's two-year review that the 'one-stop-shop' mechanism was problematic.

However, the ECJ will also have to clarify whether GDPR rules apply in this case which dated back to 2015, before GDPR was adopted.

Meanwhile, this week's hearing is also important as it addresses the fact that Facebook is using cookies to track all users, including non-Facebook users, points out Romain Robert from the Vienna-based NGO Noyb, which campaigns on digital privacy rights.

"Facebook uses social plug-ins for collecting more information on the users and building profiles - such tracking is particularly intrusive since advertising companies can easily track and monetise this information," Robert said.

"The EU policy on cookies is to be reinforced, especially with the to-be-adopted new ePrivacy Regulation, which has been delayed for years now. We need clear and effective rules to prohibit such practices and enforce them," he added.