Belgian
data protection agency demands Facebook stops its tracking of users
without explicit consent, including through social plugins
The Belgian data protection authority has told Facebook to stop tracking
users who logout or those that have never registered for the social
network.
Photograph: Anatolii Babii / Alamy/Alamy
The Belgian privacy commission has told Facebook
to stop tracking the internet activities of people who have not
registered with the site or have logged out, after a “staggering” report
showed alleged breaches of EU privacy law.
“Facebook tramples on European and Belgian privacy laws”, the data
protection authority said in a statement. “Facebook has shown itself
particularly miserly in giving precise answers,” it continued, adding
that the results of its investigation were “disconcerting” and that it
would take legal action if its recommendations were not followed.
Willem Debeuckelaere, president of the Belgian privacy commission,
said that the way Facebook is treating its users’ private lives “without
respect needs tackling”, and that “it’s make or break time.”
According to a report commissioned by the Belgian data protection
agency Facebook has been tracking users on a long-term basis who visit
any page – be it a fan page, profile or any other portion of the site
that does not require a Facebook account to visit – belonging to the
Facebook.com domain.
The opinion published on Friday noted that because Facebook has the
power to link internet users’ browsing habits to their real identity,
social network interactions and sensitive data including medical
information, religious, sexual and political preferences, it is in a
unique position compared to most of the other cases of so-called
“third-party tracking”.
Explicit consent needed
The privacy commission insists that Facebook seeks explicit consent
from users for any tracking related to serving ads, commonly called
behavioural ads, and that its current measures are insufficient to
obtain that explicit consent and are not exempt under EU law.
Advertisement
EU
privacy law states that prior consent must be given before issuing a
cookie or performing tracking, unless it is necessary for either the
networking required to connect to the service (“criterion A”) or to
deliver a service specifically requested by the user (“criterion B”),
neither of which apply to tracking for ads according to the watchdog.
The same law requires websites to notify users on their first visit to a site that it uses cookies, requesting consent to do so.
A cookie is a small file placed on a user’s computer by a website
that stores settings, previous activities and other small amounts of
information needed by the site. They are sent to the site on each visit
and can therefore be used to identify a user’s computer and track their
movements across the web.
The opinion also states that Facebook should only track users when
logged into the social network and not when logged out, using session
cookies which expire after a set time period or when no longer needed.
Social plugins on 13m sites
The watchdog’s opinion was published after scrutinising the findings
of a study it commissioned into Facebook’s use of tracking technology
and amendments made to its privacy.
The report found that Facebook’s social plugins
such as the “Like” button, which has been placed on more than 13m sites
including health and government sites, read tracking cookies and send
that data back to Facebook.
The data protection authority recommends that website owners using
Facebook’s social plugins implement a two-stage click-through process so
that users not wanting to interact with Facebook are not exposed to the
service.
It also requests that Facebook alter the design of its plugins so
that the mere presence of a social plug-in on an external website does
not lead to the transmission of data to Facebook
Users are also advised to adopt the use of privacy-guarding software,
such as Privacy Badger, Ghostery or Disconnect browser extensions.
‘Facebook is already regulated in Europe’
A Facebook spokesman said: “As we expressed to the CBPL in person
when we met, there is nothing more important to us than the privacy of
our users and we work hard to make sure people have control over what
they share and with whom. Facebook is already regulated in Europe
and complies with European data protection law, so the applicability of
the CBPL’s efforts are unclear. But we will of course review the
recommendations when we receive them with our European regulator, the
Irish Data Protection Commissioner.”
The Irish data protection watchdog declined to comment.
The opinion comes at a time of increased scepticism in Europe over
the practices of US technology companies when it comes to user data.
Many operate their European businesses from Ireland, which has its own
data protection authority.
Facebook, in particular, has been very bullish over the fact that it
conforms to the letter of the law as laid down by Ireland. Under
European Union law, companies that conform and are governed by one
member state, in this case Ireland, can operate in other parts of
Europe.
However, there is growing political pressure outside of Ireland to
investigate the practices of Facebook and others, including Google,
concerning data privacy.
Probed all over Europe
The Belgian regulator said it has the power to investigate the
company’s possible breaches of its citizens’ privacy rights because
Facebook operates a politically and operationally active office within
the country.
Facebook is also being investigated by the Dutch data protection authority and is currently being probed by the pan-European data protection working party, Article 29.
The Belgian data protection authority does not have the power to fine
companies, such as Facebook, but can initiate lawsuits and can be aided
by the Belgian prosecution service if breaches of law are found.
The opinion could also carry weight with Article 29, which is
currently discussing the possibility of establishing a pan-European data
regulator.
The European Commission recently warned that EU citizens should close their Facebook accounts if they want to keep their information private from US security services, after finding that current Safe Harbour legislation does not protect citizen’s data.
Facebook was also recently ordered by a Vienna court to respond to a
class action data privacy lawsuit that was filed against Facebook in
Austria by privacy activist and lawyer Max Schrems, which is seeking damages of €500 (£397) per plaintiff for alleged data protection violations.
This is dummy text. It is not meant to be read. Accordingly, it is difficult to figure out when to end it. But then, this is dummy text. It is not meant to be read. Period.
ConversionConversion EmoticonEmoticon