Tuesday

9th Aug 2022

ECJ to clarify power of Belgian watchdog on Facebook cookies

  • In 2015, an investigation revealed Facebook was tracking the browsing behaviour of internet users in Belgium - whether or not were on Facebook (Photo: Amy Osborne / Getty Images)

The European Court of Justice (ECJ) on Monday (5 October) was weighing arguments in a public hearing on whether the Belgian data protection watchdog can pursue legal action against Facebook.

While likely date for the verdict is not known yet, a favourable ruling for the Belgian Data Protection Authority (DPA) could encourage other privacy watchdogs in the bloc to legally challenge tech companies such as Google, Amazon, Apple or Twitter.

Read and decide

Join EUobserver today

Become an expert on Europe

Get instant access to all articles — and 20 years of archives. 14-day free trial.

... or subscribe as a group

In 2015, a case against Facebook was initiated, based on an investigation undertaken by the former Belgian privacy commission (which became the Belgian DPA in 2018 following new EU data protection provisions.)

The probe revealed that the social media giant was tracking the browsing behaviour of internet users in Belgium through cookies stored in Facebook's social plug-ins - whether or not they were members of the social network. That practice that remains in place today.

Accordingly, a Brussels court found Facebook guilty of breaching Belgian privacy legislation.

Facebook then argued that only Irish courts had the jurisdiction to initiate a proceeding before a court, given that Facebook's European headquarters are in Dublin.

However, the court ultimately found that it effectively had the jurisdiction to evaluate whether Facebook complies with Belgian law.

When the case arrived at the Belgian court of appeal last year, the DPA decided to refer this case to the ECJ to clarify the competency of the Belgian privacy watchdog before making a ruling.

The EU's data protection regulation (GDPR), which entered into force in 2018, introduced a mechanism for multi-state investigations - known as 'one-stop-shop' - which is supposed to serve both people and companies.

Such multi-state investigations require that a lead authority drives investigations in cooperation with other data protection agencies.

However, the GDPR also allows some room for manoeuvre for national privacy regulators to rule on violations limited to a specific country.

For the Belgian DPA, which is not the lead authority in this long-standing investigation, the Facebook case raises important questions regarding the application of European law.

"The question is whether or not the one-stop-shop mechanism under the GDPR is exhaustive or leaves some room for local DPAs such as the Belgian DPA to enforce, in particular by bringing court proceedings before a national judge," Belgian watchdog spokesperson Aurélie Waeterinckx said.

According to Belgian DPA lawyer Rubin Roex, "GDPR does not say anywhere that the lead authority has exclusive competence and that the non lead authority may not go to court".

Previously, the European Commission admitted in its GDPR's two-year review that the 'one-stop-shop' mechanism was problematic.

However, the ECJ will also have to clarify whether GDPR rules apply in this case which dated back to 2015, before GDPR was adopted.

Meanwhile, this week's hearing is also important as it addresses the fact that Facebook is using cookies to track all users, including non-Facebook users, points out Romain Robert from the Vienna-based NGO Noyb, which campaigns on digital privacy rights.

"Facebook uses social plug-ins for collecting more information on the users and building profiles - such tracking is particularly intrusive since advertising companies can easily track and monetise this information," Robert said.

"The EU policy on cookies is to be reinforced, especially with the to-be-adopted new ePrivacy Regulation, which has been delayed for years now. We need clear and effective rules to prohibit such practices and enforce them," he added.

Opinion

Schrems privacy ruling risks EU's ties to digital world

With more and more trade moving to the digital realm, Europe can ill-afford to cut itself off. Meanwhile, China continues to advance a vision for an internet that is fractured along national boundaries and controlled by governments.

EU top court bins 'Privacy Shield' in Schrems privacy case

The EU's top court ruled that the EU-US data-transfer pact fails to protect EU citizens' rights to privacy - following a legal challenge from Austrian privacy activist Max Schrems against Facebook. Washington said it was "deeply disappointed" with the ruling.

Facebook cries foul on EU request for internal documents

Facebook, a US tech giant known for abusing its users' private data, has filed a complaint at the EU court in Luxembourg, saying the EU Commission's data request was too broad and would affect its employees' medical and financial information.

Column

Four tweets broke Facebook - good news for EU regulators

Facebook PR chief Nick Clegg tried to make us believe that it is comparable to a phone company. Nothing could be further from the truth. His company decides which messages users see. It literally "ranks" content.

Stakeholder

Podcast: 'Big Tech' and the threat to democracy

Do tech giants like Google, Apple or Facebook have too much power? Is their growing power a threat to democracy? These topics are highlighted in the latest Nordic Talks podcast, featuring three specialists - among them EU commissioner Margrethe Vestager.

Opinion

Amazon's spying on EU workers just tip of iceberg

Amazon is leading an assault on workers' rights in Europe, using big data and surveillance to crush efforts by workers to improve their conditions. It's symptomatic of a climate of impunity around breaches of privacy that benefit corporations over workers.

Opinion

The Digital Services Act — a case-study in keeping public in dark

Companies and lobby groups like Spotify, Google and International Federation of the Phonographic Industry (IFPI) were able to lobby member states using live knowledge of the trilogue discussions on content-ranking systems, advertising and liability for search engines.

Stakeholder

The CPDP conference wants multidisciplinary digital future

During the Computers, Privacy and Data Protection (CPDP) conference, many high-level discussions will touch upon the dynamics of decision-making in the design of new technologies, including the importance of inclusion, diversity, and ethics perspectives within these processes.

News in Brief

  1. Rhine river on the brink of closure for shipping
  2. Moldova sees 'prelude to war' with Russia-backed forces
  3. Taliban preventing Afghan evacuations to Germany
  4. Amnesty regrets 'distress' caused by Ukraine report
  5. Energy companies warn UK gas exports to EU are contaminated
  6. EU set for clash over rules on political adverts
  7. Three grain ships due to leave Ukraine on Friday
  8. EU on track to reach gas-storage November target

Stakeholders' Highlights

  1. EFBWW – EFBH – FETBBConstruction workers can check wages and working conditions in 36 countries
  2. Nordic Council of MinistersNordic and Canadian ministers join forces to combat harmful content online
  3. European Centre for Press and Media FreedomEuropean Anti-SLAPP Conference 2022
  4. Nordic Council of MinistersNordic ministers write to EU about new food labelling
  5. Nordic Council of MinistersEmerging journalists from the Nordics and Canada report the facts of the climate crisis
  6. Council of the EUEU: new rules on corporate sustainability reporting

Latest News

  1. Italy poised to elect far-right rulers
  2. UN chief demands access to nuclear plant after new attack
  3. Greek PM embroiled in spyware scandal
  4. How Ukraine made the case anew for an EU army
  5. 'We must take back institutions', Orban tells US conservatives
  6. Putin must lose Ukraine war, Nato chief says
  7. Let Taiwan's democracy shine brighter
  8. Droughts prompt calls to cut water use amid harvest fears

Join EUobserver

Support quality EU news

Join us