Out-Law / Your Daily Need-To-Know

Out-Law News 2 min. read

Dutch data protection laws apply to Facebook, says watchdog

Facebook must comply with data protection laws in the Netherlands, the Dutch data protection authority has said.

The watchdog has opened an investigation into the social networking giant after Facebook implemented changes to its privacy policy on 1 January, despite being asked by the Dutch data protection authority (the CBP) to postpone the changes until the authority had had a chance to complete a review of the new policy.

The CBP told Out-Law.com that it had concerns about whether Facebook was being sufficiently transparent with users about how their personal data would be used under the new policy.

"We want to know what consequences the new policy has for Dutch Facebook users," a spokesperson for the CBP said.

The spokesperson said the CBP believes it has the authority to undertake its investigation, pointing to two earlier court rulings in Germany and Spain as providing the basis for those claims. In the rulings, the courts ruled that Facebook and Google were subject to German and Spanish data protection rules respectively.

In the German case, Facebook had claimed that its personal data processing was controlled from Ireland, where its EU headquarters is. However, the court ruled that Facebook's US-based business was responsible for the processing.

"The EU Data Protection Directive states that the individual national regimes that implement the Directive can be applied even where businesses' personal data processing is carried out outside of the EU," Munich-based data protection specialist Kirsten Wolgast of Pinsent Masons, the law firm behind Out-Law.com, said at the time of the Berlin court ruling. "Where a data controller is based outside of the EU but uses 'equipment' situated within an EU country to process personal data, the national data protection laws of that EU country can be applied to it."

"The Berlin court ruled that Facebook had made use of 'equipment' in Germany when it set cookies on the devices of German users and that Facebook's US business, and not its business in Ireland, had arranged this processing," Wolgast said. "Facebook claimed that the processing was controlled from Ireland and that therefore Irish data protection rules applied to it. However, the Berlin court said Facebook had not proven that the processing was controlled from Ireland."

Out-Law.com did not receive an answer when it asked Facebook whether it stands by its privacy policy changes, whether it intends to engage with the CBP's investigation and whether it accepts the Dutch watchdog's view that it has jurisdiction to carry out its probe.

In a statement it issued last month on the issue, Facebook said it was "surprised and disappointed to learn about the CBP’s inquiry". It said it "routinely review[s] product and policy updates with our regulator, the Irish data protection commissioner, who oversees our compliance with the EU Data Protection Directive as implemented under Irish law", according to a report by the New York Times.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.