Facebook returns to Belgian court to defend data practices

12 October 2017. By Vesela Gladicheva.

Facebook will today seek to persuade Belgian judges that they don't have authority over the social network and cannot oblige it to obey data-protection rules in Belgium.

The country's privacy watchdog has taken Facebook to a Brussels court to force it to stop using cookies to track nonsubscribers.

It is understood that the social network, which has its European headquarters in Ireland, will again argue that its data processing in the EU is governed by Irish law, not by national laws in each of the bloc's 28 states.

The case goes back to 2015, when Mark Zuckerberg's company made changes to its data-privacy policy. The modifications led the Belgian Privacy Commission to file a lawsuit under an emergency procedure, seeking to oblige Facebook to obtain the "unambiguous consent" of web surfers before using certain kinds of cookies — small data packets that let websites monitor what the user is doing.

The lawsuit specifically targeted Facebook's "social plugins," including its Like and Share buttons, which allow users to react to, or share, content from external sources.

The Brussels Court of First Instance backed the Privacy Commission and required the social network to stop using a security cookie for anyone without a Facebook account. Last year, Facebook successfully challenged that decision at an appeals court, which said that it didn't have jurisdiction to hear the case.

Now the Privacy Commission has filed a new lawsuit following its normal procedures, armed with largely the same arguments.

— GDPR shadow —

At a hearing in the Brussels Court of First Instance today and tomorrow, the regulator will challenge Facebook's use of security and other cookies, as well as social plugins. The commission will also question whether Facebook's cookies policy should be clearer, it is understood.

Facebook is expected to argue that new EU privacy rules, which will come into effect next May, should make the case redundant.

The General Data Protection Regulation will force companies including Facebook to make EU-wide changes to the way they handle data. It will also allow businesses to come under the authority of a single regulator in the country where they are based and to apply a single interpretation of the law across the EU.

Facebook is expected to argue at the hearing that the Privacy Commission should ask its Irish counterpart to investigate its concerns.

The Brussels court will need to establish whether it has jurisdiction over Facebook's Irish subsidiary and whether Belgian law applies to it, before it can decide whether Facebook breached Belgian data-protection rules.

Countdown to the GDPR