On Monday, a Belgian court gave Facebook 48 hours to stop tracking Internet users who don’t have accounts with the social media site or face fines of up to €250,000 ($269,000) a day.
The court’s order follows a case filed against the company in June by Belgium’s privacy watchdog saying the site indiscriminately tracks Belgian users who visit Facebook pages and the site or click on “like” or “share” buttons, even if they don’t have Facebook accounts.
The argument stems from conflicting views about a tiny file called the “datr” cookie, which Facebook says it uses to prevent unauthorized logins to the site and to verify users. The Belgian regulators argue that its use is far broader, making a record of when an Internet user visits a Facebook page, even if they don’t have an account, which the site can keep for up to two years.
“The way in which [Facebook] is contemptuous of the private lives of its members and of all Internet users demands action,” Willem Debeuckelaere, president of Belgium’s Privacy Commission, said in May.
Because such tracking occurs without obtaining a user’s consent, it violates local privacy laws, the court said in a statement, according to the AFP.
Facebook said on Monday it will appeal the court’s ruling, arguing that it should be subject only to data privacy laws in Ireland, where its European headquarters are located.
“The actions of the Belgian Privacy Commission could undermine our efforts to keep the accounts of people in Belgium safe,” Alex Stamos, Facebook’s Chief Security Officer, wrote in a blog post on Oct. 13, before the court’s ruling.
But the spat has been long-running. In his blog post, Mr. Stamos calls himself “bullish” regarding the datr cookie and argues that it has been used successfully for five years to maintain users safety by stopping the creation of fake or spam accounts and prevent users’ content from being stolen.
“If the court blocks us from using the datr cookie in Belgium, we would lose one of our best signals to demonstrate that someone is coming to our site legitimately,” he wrote, adding it would also make users accounts more attractive to spammers.
Stamos wrote that the Belgian regulators initially argued incorrectly that Facebook uses the cookie to track people who aren’t Facebook users through “like” buttons that simply appear on another site, even if a user does not click them.
The cookie can only identify browsers, not people, and only tracks users’ movements if they click one of the buttons or use the site’s login page, he wrote.
But the regulators have dismissed Facebook’s arguments that the cookie is used solely for security purposes.
“The argument that placing and receiving cookies is also strictly necessary to ensure Facebook users' security, lacks both a legal and a factual basis,” the regulators wrote in a filing in May. “First of all it is possible to guarantee user security in a less intrusive way. Moreover, it would be child's play for a potential attacker to simply block and/or remove cookies when launching the attack."
The Belgian court’s move comes as Facebook has faced a number of battles with European regulators, including a sweeping European Court of Justice ruling last month that invalidated a 15-year-old data transfer law that governed how American companies could handle the data of European users. That ruling also set Facebook up to face regulation by data protection officials in Ireland, where the case was originally filed.
The social media site's commenting practices have also faced scrutiny in Germany after a slew of racist posts directed at Syrian refugees.
On Monday, Bart Tommelein, Belgium’s secretary of state for the protection of privacy, rejected Facebook’s argument that it should be subject only to Irish data protection laws. He told Reuters the Belgian court’s ruling meant that it could regulate the US-based company’s operations in Belgium.