The dispute largely hinges around Facebook's use of a special cookie called 'datr' that the company claims helps it distinguish between legitimate and illegitimate visits to its website.
"We've used the datr security cookie for more than five years to keep Facebook secure for 1.5 billion people around the world," a Facebook spokesman said Monday. "We will appeal this decision and are working to minimize any disruption to people's access to Facebook in Belgium.”
The court in Belgium on Monday gave the social networking company 48 hours to stop tracking users that don't have accounts on the site or risk fines of up to 250,000 euros (US$269,000) a day, according to news reports.
Facebook Chief Security Officer Alex Stamos wrote in a blog post last month that the Belgian Privacy Commission, which filed the complaint, had initially argued incorrectly that Facebook uses the datr cookie to target ads to people who aren’t its users.
The commission subsequently "focused on the fact that we set the datr cookie when someone visits one of our sites, such as Facebook.com, or clicks a Like button on a publisher's website and interacts with the login page that appears," according to Stamos, who added that the company does not set the datr cookie "when someone simply loads a page with a Like button."
A report by technical experts assisting the Belgian Privacy Commission on Facebook tracking through social plug-ins noted that Facebook is in an unique position as it can "link the browsing behavior of its users to their real world identities, social network interactions, offline purchases, and highly sensitive data such as medical information, religion, and sexual and political preferences."
The experts found that when a user not signed on to Facebook visited the social networking site, the datr cookie with a two-year lifetime was set. When they then visited a Web page on gayworld.be, a website that includes a Facebook social plug-in, the inspection of the network traffic revealed that the datr cookie was sent to the facebook.com domain in the cookie header of the HTTP requests.
If blocked from using the datr cookie, Facebook said it would have to treat visits to its service from Belgium as untrusted logins, requiring a range of other verification methods to establish that people are legitimately accessing their accounts.
Facebook faced a setback in October when the Court of Justice of the European Union, in a complaint against the company, declared invalid a "safe harbor" agreement governing personal data transfers between the European Union and the U.S., as the data was not protected from spying by U.S. agencies.
Facebook claims the controls related to datr have been evaluated and validated many times by the Irish Data Protection Commissioner. The company has held that it has only one establishment in the EU in Ireland, and that Irish law is applicable to the processing of personal data of all European users, according to a recommendation in May by the Belgian Privacy Commission. The commission asserted jurisdiction, stating, among other reasons, that local processor Facebook Belgium was a permanent establishment in Belgian territory being run by Facebook in the U.S.