In Re FACEBOOK INTERNET TRACKING LITIGATION
Filing
146
STATEMENT OF RECENT DECISION pursuant to Civil Local Rule 7-3.d filed byPerrin Aikens Davis, Brian K. Lentz, Cynthia D. Quinn, Matthew J. Vickery. (Attachments: #1 Exhibit A, #2 Exhibit B, #3 Exhibit C)(Straite, David) (Filed on 5/16/2017)
Exhibit A
Common Statement by the Contact Group of the Data Protection Authorities
of The Netherlands, France, Spain, Hamburg and Belgium
16 May 2017
On 13 November 2014, Facebook announced a global revision of its data policy, cookie policy and
terms. Following this announcement, a Contact Group was created at European level with the Data
Protection Authorities (DPAs) of The Netherlands, France, Spain, Hamburg and Belgium. The members
of the Contact Group have initiated national investigations, relating to, amongst others, the quality of
the information provided to users, the validity of consent and the processing of personal data for
advertising purposes. Three of the members publish results today (France, Belgium and the
Netherlands).
Results of national procedures
In France the Restricted Committee of the CNIL has decided to pronounce a public sanction of 150,000
euros against Facebook Inc. and Facebook Ireland Limited. The Restricted Committee finds that the
Facebook group does not have a legal basis to combine of all the information it has on account holders
to display targeted advertising. It also finds that the Facebook group engages in unlawful tracking, via
the datr cookie, of internet users. The cookie banner and the mention of information collected "on and
outside Facebook” do not allow users to clearly understand that their personal data are systematically
collected as soon as they navigate on a third-party website that includes a social plug in.
In Belgium the Belgian Privacy Commission today issues new recommendations to the Facebook Group
about its tracking of users and non-users of Facebook through cookies, social plug-ins and pixels,
following Facebook’s changes thereto in September 2015 and May 2016 after the Privacy Commission’s
first recommendations of 15 May 2015. The Belgian Privacy Commission considers that Facebook
continues to act in non-compliance with both Belgian and EU data protection law as regards the tracking
of both users and non-users of Facebook through cookies, social plug-ins and pixels. In particular the
legal requirements regarding consent, fairness, transparency and proportionality are not met, amongst
others due to the shortcomings in the information that Facebook communicates to data subjects and the
inadequacy of the choices that Facebook offers data subjects.
The Belgian Privacy Commission further considers that the collection of personal data by Facebook
using cookies, social plug-ins and pixels is excessive in several circumstances. The Privacy Commission
is seeking judicial enforcement of its recommendations before the Court of First Instance of Brussels.
Oral pleadings are set to take place on 12-13 October 2017.
In the Netherlands, Facebook Group violates Dutch data protection law. That is the conclusion of the
Dutch Data Protection Authority (Autoriteit Persoonsgegevens; hereinafter: DPA) after its investigation
into the processing of personal data of 9.6 million Facebook users in the Netherlands. The company
breaches Dutch data protection law including by giving users insufficient information about the use of
their personal data. The Dutch DPA has also found that the Facebook Group uses sensitive personal data
from users without their explicit consent. For example, data relating to sexual preferences were used to
show targeted advertisements. The Facebook Group has made changes to end the use of this type of data
for this latter purpose. The Dutch DPA currently assesses whether the other violations have stopped. If
that is not the case, the Dutch DPA may decide to issue a sanction.
In Germany (Hamburg) the Hamburg DPA has issued two different orders relating to the Facebook
Group. One case was centered around the use of pseudonyms. Facebook appealed against the decision.
The Higher Administrative Court lifted the order to allow pseudonymous use, without taking a decision
on the question whether the Hamburg DPA was competent. Instead the Court referred to the ongoing
procedure at the European Court of Justice to decide about applicable law (in the case of the DPA of
Schleswig Holstein, EUCJ case C-210/161). In a second procedure, the Hamburg DPA ordered the
Facebook Group to stop combining data from WhatsApp users without their prior consent. On 25 April
2017, the (lower) Administrative Court confirmed the validity of this order, without deciding on
applicable law.2
In Spain, the Spanish DPA, after preliminary investigations on Facebook’s privacy policy and terms of
use opened two infringement procedures. The procedures, taking into account the results of the
investigations, are based on the alleged infringement of the provisions of the Spanish data protection
law.
Applicable law
In each of the aforementioned national investigations, the Facebook Group has contested the
applicability of national data protection law of the Member State in question. According to the Facebook
Group, only Irish data protection law would be applicable, and only the Irish DPA would be competent
to supervise the processing of personal data of users of the service in Europe. However, the DPAs united
in the Contact Group conclude that their respective national data protection law applies to the processing
of personal data of users and non-users by the Facebook Group in their respective countries and that
1
ECJ, Request for a preliminary ruling from the Bundesverwaltungsgericht (Germany) filed on 14 April 2016,
Wirtschaftsakademie Schleswig-Holstein GmbH v Unabhängiges Landeszentrum für Datenschutz SchleswigHolstein, Case C-210/16.
2
URL: http://justiz.hamburg.de/aktuellepresseerklaerungen/8628054/pressemitteilung/
each DPA has competence. Following case law from the European Court of Justice (the cases of Google
Spain, Weltimmo and Amazon3), the DPAs note that the Facebook Group has offices in multiple
countries in the EU. These offices aim to promote and increase the sales of targeted advertising aimed
at national users and non-users of the service. For its revenues, the Facebook Group almost completely
depends on the sale of advertising space, and personal data must necessarily be processed for the type
of targeted advertising services offered by the Facebook Group. Therefore, the activities of these offices
are “inextricably linked” to the data processing by the Facebook Group, and all the investigated national
offices are relevant establishments under Article 4(1)a of the European Data Protection Directive
95/46/EC.
3
ECJ C -131/12 (Google Spain), ECLI:EU:C:2014:317, C-230/14 (Weltimmo), ECLI:EU:C:2014:317 and C‑191/15
(Amazon), ECLI:EU:C:2016:612.
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?