Facebook: Belgium tells web designers how to do their jobs

You may have seen the news this week where Belgium’s data protection authority declared that Facebook “tramples on European and Belgian privacy laws“. In other news, the Pope was found to be Catholic and a bear was spotted having his morning constitutional in the woods.

Focusing particular attention to social sharing plugins, the unusually strongly worded report (.pdf, 460kb) announced “it’s make or break time” for Facebook to comply with EU data protection norms. Belgium ordered Facebook to stop tracking the internet activities of people who have not registered with the site or have logged out. The fact that Facebook tracks non-users has been known for five years, but has received a curious amount of publicity recently, possibly as leverage for the Schrems case.

Within its report the Belgian data authority offered specific guidance for webmasters and web site owners regarding social sharing buttons, which are seen to be the means by which Facebook conducts some its worst abuses of privacy:

To Website Owners
Relating to website owners or webmasters who wish to use the social plug-ins offered by Facebook, the Privacy Commission refers to its own-initiative recommendation on the use of cookies, in which it stipulates that owners must properly inform visitors of their website and obtain the latter’s specific consent for cookies and other meta files of which they may not control re-use. In this context, the Privacy Commission refers to social networks, among others, and recommends that social network buttons are not activated until users have given their specific consent. The current integration possibilities of social plug-ins offered by Facebook, however, do not meet these criteria yet. For the time being, the Privacy Commission therefore recommends to use tools such as “Social Share Privacy” (http://panzi.github.io/SocialSharePrivacy/) as a way to obtain user consent. By using a tool such as “Social Share Privacy”, third-party plug-ins do not connect to third-party servers (and consequently data are not sent to third parties) until users have clicked on the social plug-in.

This should give any web site owner, webmaster, or developer pause. We have now gone from one extreme – the initial implementation of the cookie law, where people who have never written a line of code in their lives told you how to reprogram your web sites – to the other extreme, where a government has requested use of a specific plugin. True, it’s an open source plugin, so no provider – unlike certain other web laws – has a financial interest here, but it is a big ask to rest a nation’s data security in the hands of a forked side project. Indeed, what if you don’t add that particular plugin, or lack the technical nous to do it yourself? Will Belgium’s privacy watchdog label you guilty by association?

The 99.9% of web site owners and webmasters who are doing absolutely nothing wrong are, once again, at risk of being seen to condone Facebook’s contempt for privacy for merely activating Jetpack. Regardless of the two-step plugin’s merits, or any successful outcomes it might help to bring about, this is wrong.

Additionally, with all due respect to Belgium, it is one small member state within a highly mobile and interconnected continent. As the suggestions are only applicable to Belgian web sites, total national compliance could only ever be a drop of water in an ocean.

Facebook is absolutely in the wrong but this is not the way to make it right. Belgium’s ruling is yet another example of the entire web community being punished for the misconduct of a few. We should not have to be compelled to patch in fixes, workarounds, and hacks to get around one particular company‘s contemptuous relationship with privacy. It really is time for Facebook to clean up their own mess.

World Cup 2014 souvenir graphic
World Cup 2014 souvenir viral graphic

3 thoughts on “Facebook: Belgium tells web designers how to do their jobs

  1. Well, while I think cookies are best to be controlled by browser settings, I’d like to point out that from what I read Belgian Privacy Commissions statement is in line with Working Party 29 recommendations on consent and cookies, so it’s in line with opinions of data protection authorities from all the rest of EU (so Belgium is not alone in this). Further, Belgian Privacy Commission recommends to use that tool – it’s not a request or obligation – site designers and developers are still free to choose how to implement requirements. But such solutions have to comply with legal requirements.

  2. Thanks for the comments.

    We live above a flat which in UK law is known as an illegal HMO (house of multiple occupancy.) We have no idea how many people really live in it – as opposed to how many officially live in it – but it’s a lot. They do things like throw used condoms, soiled toilet paper, and homemade bongs out the windows; they vomit in the communal stairwell and leave it for us to clean up; they smoke so much hash that we’ve had to open the windows wide in the middle of winter; they leave graffiti on the walls and we clean that up too. The local authority refuses to help. The residents of the 7 law-abiding flats within the communal stairwell are getting pretty damn tired of having to clean up the messes caused by people living illegally who have no regard for the law, much less community, and certainly not civic duty. At some point, we’re just going to leave the vomit there.

    To me, that is what this case is like. Everyone else has to scramble around, year in and year out, to clean up Facebook’s dirty toilet paper and graffiti. The solution is not for the rest of us to clean harder and more often.

    The entirely correct legal arguments you put forth are the noise to Facebook’s signal. Regardless of their validity, my point remains: until Facebook makes a genuine commitment to compliance with national and EU law, the rest of us should not have to lift a finger.

    • Yes, I agree that Facebook has to make it right and because FB haven’t it puts others under risk (my comment wasn’t about that). Still I am sure it’s not just FB who isn’t compliant – I am pretty sure it’s some 99% of websites (and here I disagree that ‘rest of us should not have to lift a finger’). It’s pretty hard to make it perfect (and not annoy visitors) – and especially because of third party cookies like FB.

Comments are closed.