Judge in Brussels has told Facebook to destroy all unlawfully obtained personal data in Belgium, saying the social network failed to provide sufficient information to people about how it collects and stores data.
The judgment came in favour of the Belgian Privacy Commission, which has been pursuing the company for several years over unauthorised tracking of both Facebook users and others through cookies.
If Facebook does not comply with the verdict, the company can expect a penalty of EUR 250,000 per day, up to a maximum of EUR 100 million. Although Facebook said it plans to appeal, the penalty remains in force.
The latest ruling was an appeal by the Belgian regulator, after Facebook earlier scored a victory in the case.
It also does not gain proper consent to collect and store the information, putting it in violation of EU and Belgian data protection law.
The Privacy Commission’s case concerns Facebook’s use of the so-called ‘datr’ cookie, which collects information on users and non-users of Facebook, also through third-party websites.
Facebook claims the cookie was used for security purposes, but the court found this argument “not credible” as criminals could circumvent the cookies easily by using a cookies blocker.
Facebook’s argument that its European activities are based in Ireland so the Belgian regulator has no jurisdiction also was rejected.
The court noted earlier precedent in a case involving Google in Spain where if the company’s activities align with the regulator’s remit it may be subject to oversight.
Furthermore, Facebook already operates a subsidiary in Belgium for lobbying and sales and marketing.