Gregory P. Bufithis
Founder/Executive Director
10 November 2015 – Facebook has been given 48 hours to stop tracking non-users in Belgium. Yesterday the Brussels Court of First Instance told the social network it faced daily fines of €250,000 if it did not stop tracking people around the web who are not even signed into Facebook. The ruling raises interesting jurisdictional issues, as Facebook claimed it was only answerable to the data protection authority in Ireland, where its non-North-American operations are sited. The Belgian authority disagreed, and turned to the court to enforce its demands. Facebook said it would appeal.
Note: the court is a Dutch-language court of first instance in Brussels and we are having the decision translated.
At stake is the so-called “datr” cookie, which Facebook places on people’s browsers when they visit a Facebook.com site or click a Facebook “Like” button on other websites, allowing it to track the online activities of that browser. As we know, websites use cookies to track their visitors’ online activities, including but not limited to the preferences they set and the duration of their visit. The Belgian court claims that Facebook’s “datr” cookie automatically and discretely installs itself on any device, even if the visitor isn’t a member of the site.
Facebook has a pretty rough relationship with Belgium, where the Belgian Privacy Commission accused it of acting like the National Security Agency of the United States. According to Belgium’s privacy watchdog, when online users visit websites or click on the Facebook Like or Share button, the social media website indiscriminately tracks them, regardless of whether or not they are part of the site’s 1 billion active users. The court’s press release regarding the matter:
“The judge ruled that this is personal data, which Facebook can only use if the [I]nternet user expressly gives their consent, as Belgian privacy law dictates”.
Much of this stems from the Schrems decision that the EU/US “safe harbor” deal regarding the transfer of personal information of Europeans to the United States is “invalid”.
Meanwhile across the pond …
Back in the U.S., the Federal Communications Commission dismissed a petition to force web firms to honor do-not-track (DNT) requests. The DNT standard is built into most browsers, allowing people to say they do not want to be followed around by tracking cookies. However, many companies such as Facebook and Microsoft do not respect these signals and track people anyway. The FCC said it “only regulates broadband provision issues (such as net neutrality) and not what service providers on the Internet do”.
Ah, the FCC. Sometimes it is seen as the enemy and sometimes as the advocate of consumer rights and interests. Depending on which side of the fence you’re on. Or on which issue. Recently, its new net neutrality rules have put it on not so friendly terms with some in the Internet and tech businesses.
But this latest statement might earn it back some points, at the expense of irking some privacy advocates. It has said that it won’t be imposing rules on Internet companies that would block or hinder them from tracking user’s online activities.
User activity tracking has been one of the most contentious and criticized methods used by companies that offer online services, like Google, Facebook, and even Microsoft’s Bing. Some use it to gather usage statistics to improve their services. Other use it to gather marketing information for targeted ads. Some even do both. While there are legal limits to what they can harvest, privacy groups always fear hidden abuse.
DNT features have become popular among certain Internet software, particularly browsers. However, while such a feature would, in theory, prevent activity from being recorded, it relies on websites and services to actually respect the user’s wishes. As one can imagine, not everyone does.
Last June, Consumer Watchdog asked the FCC to put its foot down on the matter and officially recommend that websites support Do Not Track features. This would, in effect, make it a standard across the country. The FCC did put its foot down, but in the other direction. It said that it doesn’t regulate individual websites, only Internet providers. Some see this as a compromise the agency is placate worries that it is trying to regulate major Websites and services.
It doesn’t help that there is also no standard for DNTcompliance in the first place, and advocates themselves are in disagreement as to what that would entail. Some go to the extreme of blocking all sorts of tracking activities while some try to take the middle road of blocking targeted ads but not data collection. Still, there are proposals, like the ones sitting at the World Wide Web Consortium or W3C, that are criticized for not offering any privacy protection at all.
And over at the in-store tracking aisle …
Fortune reports that U.S. retailers such as Walmart have experimented with using facial recognition technology in their stores to identify known shoplifters and alert security guards to their presence. Walmart ended its experiment after a few months as it did not provide sufficient return on the investment — the cost of running the technology outweighed the savings from cutting down on shoplifting. For the full story click here.