A Belgian privacy lawsuit targeting Facebook highlights the difficulties national regulators will face policing the activities of international Internet companies until new privacy laws are passed.
The Belgian Commission for the Protection of Privacy is unhappy with the way Facebook handles the personal information of the nation’s citizens and in May asked it to change its policies in a number of “recommendations,” which have the force of law in the country.
Facebook, though, maintains it doesn’t have to answer to the Belgian privacy watchdog as its international operations are run from Dublin, where the Irish Data Protection Commissioner oversees its compliance with the European Union Data Protection Directive as implemented under Irish law.
Exasperated by Facebook’s flouting of its recommendations, the Belgian watchdog filed suit last week to force it to stop tracking people who do not have Facebook accounts, among other demands, and next Thursday the Court of the First Instance in Brussels will hear the Commission’s case.
The case highlights a problem with current EU privacy regulations, and underscores the importance of reaching agreement on new laws under discussion.
National data protection authorities (DPAs) feel they should have jurisdiction over companies offering online services in their country—but because many aspects of privacy law are defined at a European level, international companies want to be regulated where they are incorporated or registered.
It’s not just an issue for Belgians: In other EU countries, including the Netherlands, Germany, France and Spain, DPAs are also having difficulties enforcing their rules.
EU lawmakers have been discussing a single set of data protection rules to fix the patchwork of national laws, but the Commission and Parliament have so far failed to reach agreement with ministers from the 28 member states. Proposals agreed by the ministers on Monday afternoon allow those negotiations to move forward, however.
Facebook said Monday it believes the Belgian suit has no merit. It had been due to meet the Commission next Friday, and slammed the regulator for what it called the “theatrical action” of taking the company to court a day before that meeting.
Among the regulator’s accusations are that Facebook tracks all users, even people without an account, and continues to track people who have opted out of targeted ads. Facebook tracks users through plugins such as Like buttons installed on third party sites and cookies, according to a report commissioned by the Belgian DPA from the University of Leuven and researchers at the Vrije Universiteit Brussel.
Facebook disputed the report in an April blog post in which it said the researchers found “a bug” that may have sent cookies to some people that don’t use Facebook, but promised to address the issue. While it receives standard information about visitors when people who opted out of ad-tracking visit sites with its plugins or other integrations, it is misleading for the researchers to call this tracking, it said.