The bug led to people who hadn’t signed up for Facebook being
tracked – through code stored in their browsers – while visiting
web pages that integrated certain Facebook technology. The
report on the problem was first published in
February and came to light a month later
On Thursday, Facebook’s European policy chief, Richard Allan,
acknowledged in a blog post that the Belgian “researchers did
find a bug that may have sent cookies to some people when they
weren’t on Facebook.
“This was not our intention – a fix for this is already under
way,” he stressed, adding that the violations were few and
they’re to be addressed on case by case basis.
But Allan criticized the rest of the report, which found that
31 don’t comply with European consumer protection law in a number
The paper, entitled ‘From Social Media Service to Advertising
Network’, was prepared by the researchers at the Universities of
Leuven and Brussels on the request of the government watchdog,
Belgian Privacy Commission.
The authors of the report claimed that Facebook gave its European
users only a “false sense of control” over their personal
Among other things, the company was blamed for denying its
clients a “meaningful choice” on how their data was
collected and used for advertising purposes; for absence of
“legally valid consent” for detailed user profiling,
achieved by Facebook through combining information from own
services like Whatsapp and Instagram; for forcing advertising on
people and only allowing them to opt out of certain profiling.
Facebook says that it follows all the relevant laws and regularly
publishes audits by its European privacy regulator, the Irish
Data Protection Commissioner.
As for the promotional material on the social networks, “we
provide multiple ways to learn how ads work on Facebook,”
“Unlike many companies, we explain how we will use this
information and the controls we honor and offer. And we apply the
choices people make before using information for behavioral
ads,” he added.
However, the Belgian scholars weren’t satisfied by comments from
Facebook, with the report’s co-author, Brendan Van Alsenoy of the
Leuven University, saying that he stands by all the conclusions
made in the paper.
“[Facebook] are unfairly attributing statements to us that we
simply did not make,” Van Alsenoy is cited by the Wall
A Facebook spokeswoman then commented that Allan’s blog post was
not a comprehensive response to the Belgian report, but only an
attempt to provide a more detailed account of the tech giant’s
The Belgian Privacy Commission does not have the power to
directly sanction Facebook.
But the company may well face liability as a result of a class
action lawsuit from 25,000 users, which an Austrian court began
hearing on Thursday.
The suit is brought in by law student, Max Schrems, for
Facebook’s participation in the NSA’s PRISM surveillance program
and other alleged data protection violations.
Schrems, who is claiming €500 in damages to each affected user,
said that he believes his lawsuit “can heighten data
protection” in Europe.
During the first day of hearings, Facebook’s lawyers attempted to
the judge of the Vienna court not to admit the suit.
“The lawsuit is inadmissible on the procedural level – the
court is not responsible. It is unjustified in terms of
content,” Nikolaus Pitkowitz, Facebook’s lawyer, is cited by
The judge ruled that a written decision on whether the court can
handle the case will arrive by the end of spring.
Schrems accused the US tech giant of applying delaying tactics,
which is “a typical strategy, because most consumers will run
out of time and money.”
However, it’s unlikely to work as legal costs in the case are
being borne by Austrian law firm Roland ProzessFinanz AG in
exchange for 20 percent of any winnings, he said.
The Austrian suit is the latest of several legal challenges in
Europe and the US over the way Facebook uses the personal data of
its users, sharing it with businesses and governments.
EU legislators have also proposed a law, which may see tech
companies fined up to 5 percent of their annual revenue or €100
million for violating regulations about personal information.