The case of the DPA versus Facebook – matter referred to the CJEU!

Looking back. The saga continues! In 2015, a study conducted by researchers at KUL [Catholic University of Leuven] and VUB [Free University of Brussels], sponsored by the Belgian Privacy Protection Commission - CPVP, which later became the Data Protection Authority - and relayed by numerous international media outlets, had highlighted the possibility for the social media Facebook to track the navigation of any user, without their knowledge, on third party sites, even if they do not have a Facebook account or if they had logged out of it.

At issue? The "Datr" Cookie, stored by the company on the device of every Internet user who visits a public Facebook page - a public event, for example. The latter then allows Facebook to identify all of the websites that Internet user visits provided that they contain a redirect button bearing the famous white "f” on a blue background. According to Facebook, which defended its actions at the end 2015 via its chief of security, installing this cookie became necessary in order to limit the number of false profiles and prevent account theft, in particular.

The attack. The problem, then, is that the cookie was installed without the prior consent of the user. Consequently, this discovery was not to the liking of the Data Protection Authority - DPA, which had brought a legal action before the civil courts in Belgian in order to stop the use of this cookie by Mark Zuckerberg’s company, on the grounds that this use violated Belgian and European legislation.

The hitch: jurisdiction. Did the Belgian courts have jurisdiction to hear the DPA’s petition, since Facebook, as we know, conducts business in Europe through Facebook Ireland Ltd, located in the land of the shamrock? Within the framework of summary proceedings, the Court of Appeal (Brussels, 18th bench, 2016/KR/2, 29 June 2016) had held in June 2016 that the Belgian courts did not have jurisdiction.

Within the framework of the proceedings on the merits of the case, the Court of First Instance in its judgement of 16 February 2018 (Civ. Brussels, 24th bench, AR/2016/153/A, 16 February 2018), had, in contrast, established a parallel with the Google Spain judgement of the CJEU (CJEU , 13 May 2014, C-131/12, Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos) and held that there was an inextricable link between Facebook Inc. and Facebook Belgium given that the company tracked the behaviour of Internet users on the territory. Facebook has of course appealed the decision.

Transfer to the CJEU. By its judgement of 8 May 2019, the Court of Appeal decided to seek a preliminary ruling by the Court of Justice of the European Union in order to ascertain whether the proceedings brought before the civil courts by the DPA could continue, in light of the European rules in force.

In the meantime, as it were, the GDPR introduced the "one-stop-shop” mechanism, which stipulates that a company performing cross-border data processing no longer has to speak to each of the data protection authorities in the member countries in which it is active, but shall be in contact with one authority that is the sole point of contact, in the countries where its principal establishment is located. Practically speaking, this would mean that the Belgian authority cannot take cognisance of the Facebook file and therefore bring a legal action, and should let one of its counterparts, in this case the Irish, bring legal proceedings?

Is it all on Ireland’s shoulders? We know in fact, that almost all digital technology companies chose Ireland as host country for their main establishment in the European Union. So, does that mean that the Data Protection Commission of Ireland would be in charge of the investigations on all these good people? Helen Dixon, the President of the Irish authority, said on 1st May of last year before the Trade Commission of the U.S. Senate that no less than 51 investigations were in progress, of which 17 allegedly concerned large tech companies such as Facebook, Twitter, WhatsApp, Google, AirBnB, Microsoft or even Oath, and that the results would be produced as early as this summer!

On 21 January 2019, the CNIL [France’s Data Protection Authority] had condemned Google to a financial penalty of EUR 50 million, due to the Palo Alto Company’s "lack of transparency, unsatisfactory disclosure and absence of valid consent for the customization of advertising" during the configuration of the Android operating system by the user. Of course, Google quickly announced that it would appeal this decision, based on an appeal filed by organizations such as La Quadrature du Net and None of Your Business : there is no doubt that it will also assert its views as to the jurisdiction of the Parisian administrative authority.

At the same time, the US is thinking ahead, in particular by filing, last month, of a bipartisan proposal called DETOUR Act aimed at prohibiting dark patterns and continuing to ripen ideas on a potential text similar to the GDPR. Will this approach lead to a text corresponding to European standards, thus creating a veritable "western” framework, or will political and legal time be caught short, yet again, by technological time?

Until such time as these decisions, these texts and these cases prove conclusive, we can only advise you, if you are interested in this topic, to closely follow the latest news concerning personal data. The DPA has clearly chosen to play a role.