18.05.2015

Belgian Privacy Commission issues Recommendation to Facebook regarding cookies etc.

Somewhat older:
The (Belgian) Commission for the Protection of Privacy: Recommendation no. 04/2015 of 13th May 2015 (pdf; unofficial English translation):
[...] 5. Applicable law and the Belgian Privacy Commission's competence
35. As shown below, it is undeniable that the Privacy Commission has the competence – granted to it by the Privacy Act and Directive 95/46/EC – to take measures against the processing of personal data by Facebook which are the object of this recommendation, since the Privacy Act is the applicable law in the light of article 4, § 1, a) of Directive 95/46/EC and the Judgment of 13 May 2014 of the European Court of Justice (CJEU) in the case Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (C-131/12).
36. Even if the applicability of the Privacy Act was contested based on the application of article 4, § 1, a) of Directive 95/46/EC and article 3bis, paragraph 1, 1° of the Privacy Act, the Privacy Act would nevertheless remain applicable taking into account article 4, § 1, c) of the Directive, which is examined in the alternative. [...]
The Commission for the Protection of Privacy, Based on the competence it has been granted and on the law of Belgium and the European Union
Recommends:
To Facebook

  • Facebook must provide full transparency about the use of cookies. For each cookie separately, Facebook must specify its content (such as unique identifiers, language settings, etc.) and its purpose (such as advertising, security etc.). These descriptions must always be kept up-to-date and be offered to users of Facebook services in a readily accessible way.
  • Facebook must refrain from systematically placing long-life and unique identifier cookies with non-users of Facebook, as well as from collecting and using data by means of social plug-ins unless it obtains the data subjects' unambiguous and specific consent through an opt-in and to the extent that this is strictly necessary for legitimate purposes. Both deactivated users and users who have logged out must be treated like non-users in this context.
  • Facebook must refrain from collecting and using the data of Facebook users by means of cookies and social plug-ins, except when (and only to the extent that) this is strictly necessary for a service explicitly requested by the user or unless it obtains the data subjects' unambiguous and specific consent through an opt-in since working with an opt-out does not result in unambiguous consent. [...]