Belgian court orders Facebook to stop collecting personal data from non-Facebook users

The Brussels tribunal of first instance yesterday issued an injunction against Facebook to stop it collecting personal data from non-Facebook users in Belgium. The injunction, initiated by Willem Debeuckelaere, President of Belgium’s Commission for the Protection of Privacy (DPA), takes effect within 48 hours after notification of the judgment, which was published on 9 November. If Facebook fails to comply, it faces a fine of 250,000 euros, payable to Belgium’s DPA.

The Tribunal says that Facebook’s practice of putting cookies on devices of non-Facebook registered users visiting Facebook violates Belgian data protection law. According to Facebook, these cookies are necessary for security reasons.

On 16 May 2015, Belgium’s DPA published a statement which provides the basis for this case. It stated: “Since January 2015 the privacy commissions of the Netherlands (the lead authority), Hamburg-Germany and Belgium have worked together as an own-initiative group. France and Spain recently joined the contact group…. Up to this day Facebook refuses to recognize the application of Belgian legislation nor the Belgian Privacy Commission.”

A Facebook spokesman said: “We’ve used the datr cookie for more than five years to keep Facebook secure for 1.5 billion people around the world. We will appeal this decision and are working to minimize any disruption to people’s access to Facebook in Belgium.”
Importantly, the Tribunal ruled, following the view of Belgium’s DPA, that Facebook is subject to Belgian DP law for all its activities in Belgium. Facebook’s lawyers argued in vain that Facebook organises its European activities entirely from its establishment in Dublin, Ireland. Consequently, according to Facebook, it only needs to take into account the Irish data protection legislation under the supervision of Ireland’s Data Protection Authority. But the judge rejected this argument and referred to the decision of the European Court of Justice in the Google Spain case as a precedent.

If the decision of the Brussels tribunal is followed in other EU Member States, DPAs in these Member States will now also claim that they are competent to supervise Facebook’s activities in their territory. In practice, this would mean that, as long as European data protection law is not entirely harmonised, Facebook would need to take into account all 28 different data protection regimes in the EU.
The Brussels-based lawyers representing the Belgian DPA were Frederic Debusseré, Partner; Jos Dumortier, Partner; and Ruben Roex, Associate, from the law firm time.lex. The Brussels-based lawyers representing Facebook Belgium were Dirk Lindemans, Partner, Liedekerke Wolters Waelbroeck Kirkpatrick; and Henriette Tielemans, Partner, Covington & Burling.
http://www.privacycommission.be/en/news/13-may-belgian-privacy-commission-adopted-first-recommendation-principle-facebook

Source: Belgian court orders Facebook to stop collecting personal data from non-Facebook users, http://www.privacylaws.com/Int_enews_10_11_15

Transfer of the data of European Facebook subscribers to servers located in the United States

Opinion of Advocate General Bot, delivered on 23 September 2015

The Data Protection Directive provides that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of data protection. The directive also provides that the Commission may find that a third country ensures an adequate level of protection. If the Commission adopts a decision to that effect, the transfer of personal data to the third country concerned may take place.

Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is kept. Mr Schrems lodged a complaint with the Irish data protection authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency, ‘the NSA’), the law and practices of the United States offer no real protection against surveillance by the United States of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2000 the Commission considered that, under the ‘safe harbour’ scheme, the United States ensures an adequate level of protection of the personal data transferred.

The High Court of Ireland, before which the case has been brought, wishes to ascertain whether that Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.

More particularly, it referred the following questions to the CJEU:

Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in Commission Decision of 26 July 2000 (2000/520/EC) having regard to Article 7, Article 8 and Article 47 of the Charter of Fundamental Rights of the European Union (2000/C 364/01), the provisions of Article 25(6) of Directive 95/46/EC notwithstanding?

Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission Decision was first published?

In his opinion, Advocate General Yves Bot takes the view that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the national supervisory authorities’ powers under the directive on the processing of personal data. He considers furthermore that the Commission decision is invalid.

More particularly, he concludes that:

1) Article 28 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that the existence of a decision adopted by the European Commission on the basis of Article 25(6) of Directive 95/46 does not have the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data.
2) Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the Department of Commerce of the United States of America is invalid.

Admittedly, it is not certain that the Court will follow the opinion of the Advocate General. Nevertheless, it will certainly influence the future decision of the Court and it may lead to the affirmation that national data protection authorities retain the right to investigate complaints against third countries that allegedly infringe data subjects’ rights.

It also becomes clear that, in view of Edward Snowden’s revelations, Decision 2000/520/EC is unjustified and should be annulled. What is also important is the Advocate General’s view that the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the Charter of Fundamental Rights. Likewise, the inability of citizens of the EU to be heard on the question of the surveillance and interception of their data in the United States amounts, in the Advocate General’s view, to an interference with the right of EU citizens to an effective remedy, protected by the Charter.

Dismissal for visiting Facebook

Single-Member Court of First Instance of Athens (ΜΠρΑθ) 34/2011

Dismissal for conduct in breach of contract – Visits to social networking websites (Facebook) during working hours.

By the above decision, the court dismissed the action brought by an airline employee seeking a declaration that her dismissal was null and void. Specifically, the termination of the open-ended employment contract of an employee of an airline was held to be lawful on the ground of defective performance of her contractual obligations, which consisted in repeatedly arriving late for work, using the company's telephone lines for personal calls to the detriment of the company and of the service provided to its customers, and visiting social networking websites such as Facebook every day, i.e. websites with content unrelated to her work, despite the express prohibition by the employer. The court dismissed the employee's action, in which she claimed that the termination at issue was void as abusive and sought a declaration of that nullity, an order requiring the defendant to accept her services and to pay her the remuneration owed and default wages, as well as monetary compensation for moral damage.

The Court accepted that the claimant was systematically late in arriving at work, used the defendant's telephone lines to make personal calls, and indeed non-essential ones, during her working hours, and also (used) the internet, where she visited websites unrelated to her work, such as social networking websites and chat websites for meeting people, a fact which, as stated in the letter, was noticed in the presence of the General Manager and the Sales Manager of the defendant (the airline) on 29-4-2009, when she was caught by them visiting a page on Facebook. The letter also notified her that, if the claimant continued the same conduct in breach of contract, the defendant would have no choice but to terminate her employment contract without any further warning.

Furthermore, the decision accepted that, although the defendant had already sent, on 16-12-2008, a general e-mail prohibiting its staff from visiting social networking websites such as Facebook, i.e. websites with content unrelated to their work, the claimant, as the defendant's witness … testifies in her above-mentioned sworn statement, visited the above website daily during her working hours in order to read and write comments, while on several occasions, when customers called her to book tickets, she told them that the reservation system was not working and asked them to call back later, so that she would have more time to occupy herself with browsing Facebook.