Report says Facebook tracking breaches EU law

By EDRi · April 8, 2015

On 31 March 2015, researchers of the University of Leuven and Vrije Univeristeit Brussel, Belgium, issued a report claiming that Facebook tracks online activity both of its users and non-users. According to the report, which was commissioned by the Belgian Privacy Commission, this type of tracking contravenes EU online privacy laws.

Facebook uses a tracking cookie to trace its users online activity whenever visiting a web page belonging to a domain. Furthermore, users are being tracked across websites even when they are logged out or do not use social plug-ins. This means that Facebook receives data whenever someone visits a website with the Facebook “Like button”, even if a person does not use this plug-in. What is more, people who do not have a Facebook account are being tracked with the help of a “datre” cookie. “Datre” cookie contains a unique identifier which is placed onto the browsers of people in Europe who are not Facebook users. When placed, it takes two years before it expires.

The report argues that this kind of behaviour is clearly in violation of the EU e-Privacy Directive. In order for a website to use a cookie or perform tracking via social plug-ins it must require a prior consent, unless it is needed to connect to the service network or is specifically requested by the user.

According to an opinion of the Article 29 Data Protection Working Party, issued in 2012, Facebook’s tracking practices have no legal basis in the EU. Social plug-ins must have a consent before placing a cookie, unless one of the exceptions applies. Since social plug-ins are by definition for the member of a social network, the e-privacy directive exception cannot apply to non-users. Furthermore, the report argues that it is not legal to trace even Facebook users who are logged out at the time of browsing. The Article 29 Working Party document explains that logged-in users cannot be served a “datre” cookie but only a “session cookie” which expires when logged out or when the browser is closed.

Therefore, Facebook default settings that allow it to gather information about people for advertising purposes contravenes EU privacy policy. As explained by Brendan Van Alsenoy, one of the authors of the report: “To be legally valid, an individual’s consent towards online behavioural advertising must be opt-in.”

Facebook spokesperson commented the report by Belgian academics claiming that it contains factual inaccuracies, however he not specifying what he was referring to, and stating that Facebook completely complies with the EU Data Protection Directive. On the other hand, the authors of the study claim the opposite, saying the users have very little control over the data Facebook tracks and are unaware how exactly their data is used for advertising purposes.

Facebook ”tracks all visitors, breaching EU law” (31.03.2015)

Facebook tracking said to breach EU law (01.04.2015)

Facebook “violates Euro data law” say Belgian data cops’ researchers (01.04.2015)

ICRI/CIR and iMinds-SMIT advise Belgian Privacy Commission in Facebook investigation

(Contribution by Morana Perušić, EDRi intern)