Skip to content
Naked Security Naked Security

Facebook wins appeal, CPP warns of “massive violations of privacy”

Facebook can now go back to tracking any Belgians, even if they don't use Facebook

Facebook has collared Belgium’s privacy watchdog: it’s won an appeal in a privacy case and can now resume tracking any Belgian it wants to, including people who’ve never registered for an account and those who aren’t logged in.

This is the latest twist in a long-running case over Facebook’s use of the so-called datr cookie, which lets Facebook track users as they visit other sites, even when they’re not logged in to Facebook.

That cookie can be picked up by visitors who visit a friend’s page on Facebook, or on any other page on the web with Facebook like or share code in it – even if a visitor never signed up for a Facebook account.

In November, a Belgian court ruled that Facebook was using the datr cookie to illegally collect personal data – the type of data that Facebook should only be allowed to use if the internet user expressly gives their consent, as Belgian privacy law dictates.

Then, Belgium set the clock ticking, saying that Facebook would face fines of up to €250,000 EUR ($267,000 USD) a day if it didn’t stop tracking non-Facebook users.

Facebook appealed, on the grounds that Belgium doesn’t have the authority to reach cross-border and tell it what to do with data stored on servers in Dublin, which is the social network’s European base of operations.

On Wednesday, it won that appeal.

A Brussels appeals court overturned the ruling that had forced Facebook to block people without an account from accessing its site if they were located in Belgium.

The Brussels appeals court also threw out the Belgian privacy watchdog’s claim that the case was urgent and required expedited procedure.

From the ruling, as quoted by Bloomberg:

Belgian courts don’t have international jurisdiction over Facebook Ireland, where the data concerning Europe is processed.

The privacy watchdog who brought the suit against Facebook – the Belgian CPP (Commission for the Protection of Privacy) – said in a statement that the show’s not over yet.

It may launch an appeal to the court of last resort, the Belgian court of cassation, which has in the past overruled cases involving foreign company jurisdiction.

Specifically, in a case over whether Yahoo had to cooperate with local law enforcement, the court of cassation in December 2015 ruled that information disclosure from a communications network who operates in Belgium doesn’t imply that there will be intervention outside of Belgium.

In that case, the court of cassation declared that since Yahoo actively participates in the economic life of Belgium – by using the domain name .be or displaying ads based on users’ location – it “voluntarily” submits itself to Belgian law.

In the meantime, while the CPP decides whether to appeal Wednesday’s decision, the success of Facebook’s appeal simply means that the courts aren’t protecting Belgian citizens from privacy invasion, the CPP said.

Willem Debeuckelaere, president of the CPP:

Today’s decision means simply that the Belgian citizen cannot obtain privacy protection through the courts when it comes to foreign players. Belgians are thus exposed to massive violations of privacy.

Facebook has in the past countered that Belgium would be turned into a cradle for cyber terrorists without that datr cookie.

Specifically, Facebook has claimed that it uses the datr cookie as part of the security systems that protect users, and that the cookie prevents user accounts from being hacked.


OK so surely it’s not beyond the wit of someone to develop something which spots the code that does this and block it – isn’t that the sort of thing that AV companies do?

I know that is forcing users to “opt-out” when this sort of invasion should be “opt-in”, but Facebook is effectively saying that it has supra-national sovereignty!

(And people in my country are getting all worked up about purity of sovereignty in the EU which IS accountable to a council of ministers with a “parliament” that if not ideal is good at spotting these sorts of problems!)


This is unbelievable. Everyone is targeting the security services for eavesdropping or ‘violating’ our rights. Yet Mark Zuckerberg carries on regardless, violating the rights of just about every citizen on the planet with an internet connection including everyone who wants nothing to do with Facebook – and the courts tell him ‘carry on’. At least the security services pretend it’s for our protection, no such pretence from Facebook – bleed you dry of your personal information and pass it on for a buck.;


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!