On 30 June 2016, the Brussels’ Court of Appeal has overruled the decision of the President of the Brussels’ Court of First Instance (decision of 9 November 2015 – see our earlier post: http://www.astrealaw.be/nl/news/updates/belgian-privacy-watchdog-vs-facebook-1-0), and dismissed the Privacy Commission’s claim vis-à-vis Facebook Inc., Facebook Ireland and Facebook Belgium.
Summary of the facts
In summary, the facts were as follows: the Privacy Commission requested a cessation order against Facebook regarding their practice of storing and processing personal data of non-Facebook users without their explicit consent, by making use of the so-called “datr-cookie”. Pursuant to the Belgian Privacy Act, both the use of the cookie as well as the processing of the IP address are considered to be “processing of personal data”. As a result, the Privacy Commission considered that the explicit consent of non-Facebook users should be obtained.
No international jurisdiction – Rejection of ‘Google Spain’ and ‘Weltimmo’
Contrary to the first judge, the Court of Appeal agreed with Facebook’s argumentation and ruled that the Belgian courts do not have jurisdiction over Facebook Inc. and Facebook Ireland, as these entities are situated outside Belgium and the relevant personal data are stored in Ireland. As a result, they do not have the power to examine the case, not even in summary proceedings.
In this respect, the Court explicitly rejected the applicability of the Google Spain case and the Weltimmo case by holding that in those cases, both Google Inc. and Weltimmo acted as the parties seeking redress. As a result, both parties explicitly accepted the (cross border) jurisdiction of the court, which was not contested by the counterparty or by the judge. Hence, both cases were considered to be irrelevant with respect to the present case.
In addition, the Court held that from Article 28 of the Directive 95/46/EG, which includes the powers of the supervisory authority, no international jurisdiction could be derived, nor could international jurisdiction be derived from Article 35 of Regulation 1215/2012/ (“Brussels Ibis Regulation”) or Article 10 of the Belgian Code of International Private Law, since the claim falls outside the scope of application of both regulations (i.e. the case cannot be considered a civil or commercial case, but actually concerns a claim exercised by the government).
Fundamental rights do not overrule the required urgency
With respect to Facebook Belgium, the Court of Appeal held that the Belgian courts do indeed have jurisdiction, but that the Privacy Commission’s claim was unfounded, as it was unable to prove the urgent nature of its claim (which is essential in summary proceedings). Already in 2011, the Irish Data Protection Commissioner investigated Facebook’s use of the “datr-cookie” and social plug-ins. The investigation results were publicly available. The fact that the Privacy Commission did not act in 2012, and was unable to provide evidence to the contrary, caused the Court to decide that the urgent nature was not present.
Even the fact that the measures claimed by the Privacy Commission intended to safeguard the fundamental rights and freedoms is not sufficient to conclude to the urgency of the claim.
Finally, the court also rejected the preliminary questions raised by the Privacy Commission.
Game over for the Privacy Commission ?
Despite this unfavourable decision, the Privacy Commission seems to stick to its guns, and announced that it will examine whether or not to lodge an appeal with the Belgian Supreme Court. In the Yahoo! case, the Supreme Court accepted the jurisdiction of the Belgian courts with respect to foreign companies, so it is not unlikely that the Privacy Commission would lodge such appeal.
In any event the proceedings on the merits will be held in September 2017, regardless of the outcome of the ongoing summary proceedings.