«

»

The Belgian decision about Facebook cookies has huge data protection and press freedom implications

online_media_1

By Simon Davies

Like many other people, I’ve been grappling with the intricacies of the recent Belgian court decision about Facebook’s use of cookies (the English text of which is, at last, here.) I’m coming around to the view that the implications are far broader than we might imagine and it’s a little bewildering that there hasn’t been much discussion about those implications – least of all over the judgement’s  impact on core data protection rights.

This decision by Belgium should not be viewed as purely an EU sovereign rights issue (i.e. putting the boot into rogue US providers). Nor should it be merely a means of highlighting the idiocy of EU institutions and some of its (now) ‘holier-than-thou’ data protection regulators. It’s much more than that. My sense is that there is a bigger medium term media plurality issue at stake here, and a longer term free speech implication.

This decision by Belgium should not be viewed as purely an EU sovereign rights issue (i.e. putting the boot into rogue US providers). Nor should it be merely a means of highlighting the idiocy of EU institutions

Just to recap on the Belgian judgment and its aftermath, last month’s decision determined that Facebook had not obtained non-logged in users’ consent for the deployment of cookies. Put simply, this means the previous practice was that if you click a Facebook link anywhere – to any Facebook page – without already being logged in, you were hit with a cookie with a banner to comply with cookie regulations. The banner was seen as a sort of “one stop shop” mechanism to provide information and consent.

In Europe at least, this arrangement might seem standard practice in such matters, but the court ruled that Facebook’s use of such a cookie banner was not sufficient to prove consent under the Belgian implementation of the cookie-consent provision (I’ve bemoaned the default consent mindset numerous times on these pages).

Following this decision, media reported that in order to comply with the court’s consent interpretation, Facebook then decided to force people to log in if they wanted to view anything – even content that some might regard as “public”.

As an aside, this situation is weirdly resonant (in a compliance dimension) to Google’s revenue model to force people to log in for interactions with Youtube etc, except the FB shift takes it to a new level.

Crucially – at least according to Facebook – the ‘datr-cookie’ at the centre of this affair appears not to be used for behavioral advertising – or advertising in general; it’s used entirely for security purposes. However, the law does not differentiate between different cookies – with the exception of “functional cookies” and possibly some cookies used for analytics. So, whether the purpose is security or advertising, there’s no difference in law. Or, at least, that’s my interpretation.

Interestingly, this is where the ultimate problem for media plurality and independence arises. More on that later.

Returning to the basics of the current chaos of cookie compliance (which I’ve vented about elsewhere), consider the following irony. The Belgian Privacy Commission’s own guidance to companies on how to comply with the cookie-consent requirement references the use of a cookie banner informing the user about the use of cookies and that continuing to browse the website constitutes consent. Facebook implemented this guidance. Conducting business that way was the path of least resistance for all parties.

I’m not saying Facebook is therefore morally exonerated. I’m merely suggesting that DPA’s and other authorities had better see the Belgian decision as an opportunity to clean up this mess. And while they’re at it, the EU Parliament and the Commission should do likewise while there’s still a window of opportunity within the General Data Protection Regulation process. There are turbulent times ahead if they don’t. 

I’m not saying Facebook is therefore morally exonerated. I’m merely suggesting that DPA’s and other authorities had better see the Belgian decision as an opportunity to clean up this mess.

In essence, the Belgian court said that the generally accepted implementation of cookie-consent by way of an information banner does not constitute consent in the meaning of the Belgian cookie-consent provision – which of course is an implementation of the European cookie-consent provision in the ePrivacy Directive.

The fact that this is a European law means that ultimately this question has to be addressed at the European level, i.e. by the EU Court of Justice. It also means that the Belgian scenario could repeat itself in other European countries.

True, the judgment only addresses Facebook and does not immediately affect other businesses making use of cookies. However it goes without saying that the law should apply equally to everyone, therefore it’s conceivably only a matter of time until all website owners must ask themselves whether their use of a cookie banner satisfies the cookie-consent provision when this wasn’t the case for Facebook. Of course all this also depends on enforcement by the Belgian Privacy Commission and other DPAs (the description “erratic” springs to mind on this point).

The judgment means the cookie world is back to square one. In the beginning, nobody knew how to comply with the cookie-consent rules. DPAs filled the void by providing guidance for technical implementation (cookie banners). The Belgian judgment essentially strikes down the DPAs’ interpretation of a valid technical implementation and financially exposes every website owner that relies on the cookie banner solution.

In normal events – given the vast privacy issues that smother us daily – I would be ambivalent about which entities get tripped up on the loose ends of what banners. The reason I’m sounding the alarm here is that this mess affects a very wide spectrum of entities, not just advertisers. It has the potential to negatively affect everyone from human rights groups to niche publishers.

There’s also a substantial question concerning the ability and competence of the DP regulators. If the DPAs enforcing laws can bomb so badly when advising companies, then a breakdown of trust will surely follow. With the GDPR likely to mandate vast penalties based on global turnover, a high level of trust will be required.

I mentioned earlier that I had general concerns about media plurality and independence. I should elaborate.

Yes, consent is a vital part of data protection, but consent must be achieved in a way that does not cripple a free, responsive and diverse media. That’s something we all have a legitimate interest in, and it’s a goal that the new law should reflect.

Some of this will be obvious, but I’ll say it anyway. Expressed simplistically, the Internet has reduced entry barriers for information providers, such as news organizations and commentators. Even taking into account the explosion of self-publishing after the creation of the printing press, it’s doubtful there have ever been so many new (and often financially viable) media enterprises. Think of TechCrunch, Huffington Post, Buzzfeed and so on, It has also never been so cheap and so easy to have access to such a pool of quality journalism and other information (please avoid an explosion of laughter if you’re in the media field).

There are many reasons for this proliferation, including reduced cost, accessibility, interoperability, language translation, transparency and (partial) accountability of sources.

But of course for every advantage the Internet provides for increased free expression, there are at least an equal number of threats. All rights advocate are constantly vigilant about the creeping constraints on media and free speech. In many parts of the world there’s a ‘death from a thousand cuts’ taking place.

I’ve laboured endlessly on these pages over the years about many of these encroachments, from data retention and surveillance through to site registration and filtering, but with regard to the present Facebook and cookie situation I wanted to focus on the compliance and economic aspects.

In a recent article here I expressed my worry that the current (and evolving) EU consent framework will provide the mega platforms such as Facebook and Google with even more power and leverage. It is they who are in a position to comply with present consent requirements, while smaller players suffer increased pressure, cost and uncertainty. If we want a free and diverse media, this gravitational pull of the big platforms must be resisted. The Belgian judgement has just accelerated that pull – and Parliament must push back against that trend.

How, for example,  does it help the Privacy Surgeon or Amnesty International or Human Rights Watch if the present conditions mean that the only people who can view their Facebook content are other Facebook users who happen to be logged in? How does it help a maverick campaigner for, say, asylum rights or local government reform if viewing of content is restricted to a small proportion of logged-in account holders on the platform where the material is published?

This is even before we start considering the impact of the consent provisions on small publishers who rely on third party advertising.

As we reach the concluding phase of the GDPR negotiations, all parties should be vitally aware of these implications. Yes, consent is a vital part of data protection, but consent must be achieved in a way that does not cripple a free, responsive and diverse media. That’s something we all have a legitimate interest in, and it’s a goal that the new law should reflect.