Is Facebook Inc (FB) an Outlaw? Possibly, According to EU Privacy Regulations

facebook home page

The “Like” button is just one of the many features used to track users in an excessive zeal to protect their privacy. A contradiction? Not according to Facebook Inc (NASDAQ:FB). But let’s start from the beginning.

The European Union imposes to all websites with a European user base to comply with its cookie policy, otherwise called “informed consent”. The rule, though, is open to interpretation, as it is demonstrated in the ongoing case that involves Facebook’s use of cookies in Belgium.

In fact, back in November, a Belgian court issued an order that was to prevent Facebook from tracking non-Facebook web users through social plugins on other websites. In other words, Facebook was able to “spy” – thanks to the use of a special cookie – the web activity of users who didn’t have a Facebook account.

According to Brendan van Alsenoy, a legal researcher at KU Leuven Centre for IP & IT Law,  EU data-protection laws not only require a dual notice-and-consent exchange prior to the treatment of personal data but they also prohibit a use of personal data that goes far beyond the very purposes pursued.

In the specifics of the Facebook case, the firm is said to hide a cookie which is called “datr” in the code of its social plugins, as well as on the main website, Facebook.com. The firm disputed that the cookie is meant to protect users’ data from any breach.

On the other side, the “datr” cookie should fall under the excessive data-tracking methods, deemed unlawful by EU privacy laws. But it doesn’t because the informed-consent cookie policy does not, in fact, extend its protective wing over users’ data tracked through cookies such as the highly controversial “Like” button.

Present in more than  13 million websites, the “Like” button is also found on government and health websites, a “territory” where Europe has yet to impose limits on data-tracking cookies. Most of EU member states argue that health and government sites are of public use and they should be open to all users, without any discrimination founded on their privacy preferences. In other words, one should not be given a similar but: you – Facebook user or not – either accept the cookie policy or you won’t be able to navigate the website.

The Belgiam judge condemned Facebook’s tracking of non-users – that happens any time a user visits Facebook, regardless having a Facebook profile or not -, even if intended for security purposes, as excessive and unreasonably invasive of one’s privacy.

Facebook agreed to block non-Facebook users from accessing Facebook.com so that their browser won’t download or update the datr cookie and their privacy would remain intact. The court decided Facebook will have to pay Euros 250.000 for each day that the California-based firm breaks the order.

Facebook is appealing against the Belgian court’s ruling and it keeps using the datr cookie outside Belgium. In this scenario, a data-privacy consortium that includes privacy regulators from different EU member states is putting pressure on the American firm to comply with the Belgian sentence.

Moreover, new legislation approved by the European Commission is aimed at giving national privacy regulators more power – in terms of issuing fines and corrective actions – to protect a country’s privacy rules against rogue privacy policies embraced by internet companies.