Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

Re Facebook’s tracking of non-users ruled illegal again in case brought by Belgium Privacy Commission

From: "Dave Farber" <farber () gmail com>
Date: Mon, 5 Mar 2018 18:20:30 -0500



Begin forwarded message:


From: "Paul Wilson" <pwilson () apnic net>
Date: March 5, 2018 at 5:59:31 PM EST
To: dave () farber net
Subject: Re: [IP] Facebook’s tracking of non-users ruled illegal again in case brought by Belgium Privacy Commission

In the past I’ve seen a completely new Facebook user being offered a bunch of fully accurate friend suggestions; 
which implies a form of tracking of people before they have joined.

Probably as simple as remembering the searches done by those friends, ready for when the target (the new user) turns 
up on FB at a later time.

Paul.


On 6 Mar 2018, at 4:48, Dave Farber wrote:




Begin forwarded message:


From: Kimi Wei <kimi () thewei com>
Date: March 4, 2018 at 12:49:15 PM EST
To: David Farber <dave () farber net>
Subject: Facebook’s tracking of non-users ruled illegal again in case brought by Belgium Privacy Commission

https://techcrunch.com/2018/02/19/facebooks-tracking-of-non-users-ruled-illegal-again/

Another blow for Facebook in Europe: Judges in Belgium have once again ruled the company broke privacy laws by 
deploying technology such as cookies and social plug-ins to track internet users across the web.

Facebook uses data it collects in this way to sell targeted advertising.

The social media giant failed to make it sufficiently clear how people’s digital activity was being used, the court 
ruled.

Facebook faces fines of up to €100 million (~$124 million), at a rate of €250,000 per day, if it fails to comply 
with the court ruling to stop tracking Belgians’ web browsing habits. It must also destroy any illegally obtained 
data, the court said.

Facebook expressed disappointment at the judgement and said it will appeal.

“The cookies and pixels we use are industry standard technologies and enable hundreds of thousands of businesses to 
grow their businesses and reach customers across the EU,” said Facebook’s VP of public policy for EMEA, Richard 
Allan, in a statement. “We require any business that uses our technologies to provide clear notice to end-users, and 
we give people the right to opt-out of having data collected on sites and apps off Facebook being used for ads.”

The privacy lawsuit dates back to 2015 when the Belgium privacy watchdog brought a civil suit against Facebook for 
its near invisible tracking of non-users via social plug-ins and the like. This followed an investigation by the 
agency that culminated in a highly critical report touching on many areas of Facebook’s data handling practices.

The same year, after failing to obtain adequate responses to its concerns, the Belgian Privacy Commission decided to 
take Facebook to court over one of them: How it deploys tracking cookies and social plug-ins on third-party websites 
to track the internet activity of users and non-users.

Following its usual playbook for European privacy challenges, Facebook first tried to argue the Belgian DPA had no 
jurisdiction over its European business, which is headquartered in Ireland. But local judges disagreed.

Subsequently, Belgian courts have twice ruled that Facebook’s use of cookies violates European privacy laws. If 
Facebook keeps appealing, the case could end up going all the way to Europe’s supreme court, the CJEU.

The crux of the issue here is the pervasive background surveillance of internet activity for digital ad targeting 
purposes which is enabled by a vast network of embedded and at times entirely invisible tracking technologies — and, 
specifically in this lawsuit, whether Facebook and the network of partner companies feeding data into its ad 
targeting systems have obtained adequate consent from their users to be so surveilled when they’re not actually 
using Facebook.

“Facebook collects information about us all when we surf the Internet,” explains the Belgian privacy watchdog, 
referring to findings from its earlier investigation of Facebook’s use of tracking technologies. “To this end, 
Facebook uses various technologies, such as the famous ‘cookies’ or the ‘social plug-ins’ (for example, the ‘Like’ 
or ‘Share’ buttons) or the ‘pixels’ that are invisible to the naked eye. It uses them on its website but also and 
especially on the websites of third parties. Thus, the survey reveals that even if you have never entered the 
Facebook domain, Facebook is still able to follow your browsing behavior without you knowing it, let alone, without 
you wanting it, thanks to these invisible pixels that Facebook has placed on more than 10,000 other sites.”

Facebook claims its use of cookie tracking is transparent and argues the technology benefits Facebook users by 
letting it show them more relevant content. (Presumably, it would argue non-Facebook users “benefit” from being 
shown ads targeted at their interests.) “Over recent years we have worked hard to help people understand how we use 
cookies to keep Facebook secure and show them relevant content. We’ve built teams of people who focus on the 
protection of privacy — from engineers to designers — and tools that give people choice and control,” said Allan in 
his response statement to the court ruling.

But given that some of these trackers are literally invisible, coupled with the at times dubious quality of 
“consents” being gathered — say, for example, if there’s only a pre-ticked opt-in at the bottom of a lengthy and 
opaque set of T&Cs that actively discourage the user from reading and understanding what data of theirs is being 
gathered and why — there are some serious questions over the sustainability of this type of “pervasive background 
surveillance” adtech in the face of successful legal challenges and growing consumer dislike of ads that stalk them 
around the internet (which has in turn fueled growth of ad-blocking technologies).

Facebook will face a similar complaint in a lawsuit in Austria, filed by privacy campaigner and lawyer Max Schrems, 
for example. In January Schrems prevailed against Facebook’s attempts to stall the lawsuit after Europe’s top court 
threw out the company’s claim that his campaigning activities cancelled out his individual consumer rights. (Though 
the CJEU’s decision did not allow Schrems to pursue a class action style lawsuit against Facebook as he had 
originally hoped.)

Europe also has a major update to its data protection laws coming in May, called the GDPR, which beefs up the 
enforcement of privacy rights by introducing a new system of penalties for data protection violations that can scale 
as high as 4 percent of a company’s global turnover.

Essentially, GDPR means that ignoring the European Union’s fundamental right to privacy — by relying on the fact 
that few consumers have historically bothered to take companies to court over legal violations they may not even 
realize are happening — is going to get a lot more risky in just a few months’ time. (On that front, Schrems has 
crowdfunded a not-for-profit to pursue strategic privacy litigation once GDPR is in place — so start stockpiling the 
popcorn.)

It’s also worth noting that GDPR strengthens the EU’s consent requirements for processing personal data — so it’s 
certainly not going to be easier for Facebook to obtain consents for this type of background tracking under the new 
framework. (The still being formulated ePrivacy Regulation is also relevant to cookie consent, and aims to 
streamline the rules across the EU.)

And indeed, such tracking will necessarily become far more visible to web users, who may then be a lot less inclined 
to agree to being ad-stalked almost everywhere they go online primarily for Facebook’s financial benefit.

The rise of tools offering tracker blocking offers another route for irate consumers to thwart online mass 
surveillance by ad targeting giants.

“We are preparing for the new General Data Protection Regulation with our lead regulator the Irish Data Protection 
Commissioner. We’ll comply with this new law, just as we’ve complied with existing data protection law in Europe,” 
added Facebook’s Allan.

It’s still not fully clear how Facebook will comply with GDPR — though it’s announced a new global privacy settings 
hub is coming. It’s also running a series of data protection workshops in Europe this year, aimed at small and 
medium businesses — presumably to try to ensure its advertisers don’t find themselves shut out of GDPR Compliance 
City and on the hook for major privacy legal liabilities themselves, come May 25.

Of course Facebook’s ad business not only relies on people’s web browsing habits to fuel its targeting systems, it 
relies on advertisers liberally pumping dollars in. Which is another reason consumer trust is so vital. Yet Facebook 
is facing myriad challenges on that front these days.

In a statement on its website, the Belgium Privacy Commission said it was pleased with the ruling. 

“We are of course very satisfied that the court has fully followed our position. For the moment, Facebook is 
conducting a major advertising campaign where it shares its attachment to privacy. We hope he will put this 
commitment into practice,” it said. 


Kimi Wei
kimi () thewei com  @kimiwei
facebook.com/thekimiwei
862-203-8814




Archives | Modify Your Subscription | Unsubscribe Now  

________________________________________________________________________
Paul Wilson, Director-General, APNIC dg () apnic net
http://www.apnic.net @apnicdg




-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125
Unsubscribe Now: 
https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4&post_id=20180305182038:CE9C2FA8-20CB-11E8-B27E-D88E63716AC1
Powered by Listbox: http://www.listbox.com
Previous By Date Next
Previous By Thread Next

Current thread: