Out-Law News 2 min. read
06 Jan 2015, 5:15 pm
The CBP told Out-Law.com that it had concerns about whether Facebook was being sufficiently transparent with users about how their personal data would be used under the new policy.
"We want to know what consequences the new policy has for Dutch Facebook users," a spokesperson for the CBP said.
The spokesperson said the CBP believes it has the authority to undertake its investigation, pointing to two earlier court rulings in Germany and Spain as providing the basis for those claims. In the rulings, the courts ruled that Facebook and Google were subject to German and Spanish data protection rules respectively.
In the German case, Facebook had claimed that its personal data processing was controlled from Ireland, where its EU headquarters is. However, the court ruled that Facebook's US-based business was responsible for the processing.
"The EU Data Protection Directive states that the individual national regimes that implement the Directive can be applied even where businesses' personal data processing is carried out outside of the EU," Munich-based data protection specialist Kirsten Wolgast of Pinsent Masons, the law firm behind Out-Law.com, said at the time of the Berlin court ruling. "Where a data controller is based outside of the EU but uses 'equipment' situated within an EU country to process personal data, the national data protection laws of that EU country can be applied to it."
"The Berlin court ruled that Facebook had made use of 'equipment' in Germany when it set cookies on the devices of German users and that Facebook's US business, and not its business in Ireland, had arranged this processing," Wolgast said. "Facebook claimed that the processing was controlled from Ireland and that therefore Irish data protection rules applied to it. However, the Berlin court said Facebook had not proven that the processing was controlled from Ireland."
In a statement it issued last month on the issue, Facebook said it was "surprised and disappointed to learn about the CBP’s inquiry". It said it "routinely review[s] product and policy updates with our regulator, the Irish data protection commissioner, who oversees our compliance with the EU Data Protection Directive as implemented under Irish law", according to a report by the New York Times.