Belgian ban on Facebook cookies should apply to all of Europe, privacy watchdogs say

07.12.2015
European data protection authorities want Facebook to stop using cookies to track people who don't have a Facebook account.

As part of a case brought by the Belgian Privacy Commission, a Brussels court ordered Facebook in an interim ruling not to track people in Belgium using its "datr" cookie unless they have an account on the site.

Facebook is appealing that ban, which finally took effect last week.

On Monday, data protection authorities in five European Union countries published a joint declaration calling on Facebook to act as if the ban applied across the EU. The five formed a "contact group" to communicate with Facebook about their coordinated investigation into changes to the company's privacy policy.

"While recognizing the right of Facebook to appeal the aforementioned judgment, the contact group expects Facebook to comply with these orders in all territories of the EU as a means of contributing to ensure consistency with the requirements” of the 1995 and 2002 EU privacy directives, they wrote. The declaration was signed by national DPAs in France, Belgium, the Netherlands, and Spain, and the regional data protection commissioner in Hamburg, Germany.

It seems the authorities will be disappointed: Facebook won't stop using the cookies outside Belgium, although it is willing to talk about why it uses them.

"The interim order obtained by the Belgian DPA threatens the security we can offer to everyone who uses Facebook, and we are appealing it to a court that will have the benefit of all the facts. Although the order has no effect outside of Belgium, we welcome the opportunity to share the security threats created by the order with other interested regulators," a company representative said via email.

The Privacy Commission's objection to the datr cookie is that Facebook sets it in the browser of anyone who visits the site facebook.com -- perhaps to check out the public web page of an event -- but then receives it each time that browser is used to visit any webpage containing a Facebook social plugin, such as a Like button, even when the visitor doesn't have a Facebook account.

Facebook says that the datr cookie is used to maintain the security of its site, helping it stop 400,000 unauthorized attempts to take over people's accounts each day, including 33,000 in Belgium in the past month.

As the Belgian cookie ban came into effect last week, the company's head of security, Alex Stamos, blogged about all the things the company will have to stop doing in Belgium because it can't use the cookies.

Those steps include blocking visitors not signed into Facebook from accessing the site, and forcing Facebook account holders to jump through additional security hoops when logging in from an unrecognized browser.

The five DPAs warned Facebook in their declaration that its response to the ruling should not have any negative effects on Internet users.

Peter Sayer