The California-based firm vowed to appeal the ruling amid increased efforts in Europe to boost privacy protections in a digital economy dominated by US giants.
Facebook must “stop following and recording internet use by people surfing in Belgium, until it complies with Belgian privacy laws”, the Brussels court said.
It based its verdict on a probe by Belgium’s privacy watchdog into Facebook’s use of pixels and cookies, tracking devices that follow a user’s internet activity.
The court warned Facebook it could face fines of 250,000 euros per day or a maximum of 100 million euros ($125 million) if it failed to heed the ruling.
“Facebook must also destroy all personal data obtained illegally,” the court ordered.
Finally, it said, the social network must publish the complete 84-page verdict on its own website and excerpts in Belgium’s Dutch-language and French-language newspapers.
The court said it “determined that Facebook does not respect Belgian privacy law”, basing its ruling on the investigation of Belgium’s privacy watchdog CPVP.
In 2015, the watchdog lodged a legal complaint over Facebook’s tracking of internet users when they visit pages on the site or click “like” or “share”, even if they are not members.
The court said Facebook used its cookies to track people not only on its own website but also on third-party websites.
It added that the investigation showed that “Facebook can still follow your surfing behavior”, even if you have never visited its website, through invisible pixels the firm has placed on 10,000 other websites.
Echoing the privacy watchdog’s conclusions, it said that the social network does not properly inform people about the fact it is gathering information about them.
Without obtaining the user’s “valid” consent, the court said, Facebook not only fails to say what kind of information it collects, but does not make clear how it uses it or how long it stores it.
The European Consumer Organisation (BEUC) welcomed the court verdict.
“This is a big win for internet users who don’t want tech companies to monitor every step they make online,” BEUC spokesman Johannes Kleis said in a statement.
“What Facebook is doing is against Europe’s data protection laws and should be stopped throughout the EU,” Kleis added.
Intend to Appeal
“We are disappointed with today’s verdict and intend to appeal,” Facebook said in a statement.
“We’ve built teams of people who focus on the protection of privacy — from engineers to designers — and tools that give people choice and control,” it said.
It said the cookies and pixels it uses are “industry standard technologies,” allowing hundreds of thousands of businesses to grow and reach customers across the bloc.
Facebook, it said, requires any business using its technologies to give “clear notice to end-users”.
People, it added, also have the right not to have data collected on sites and apps off Facebook being used for ads.
Facebook said it was making preparations for the General Data Protection Regulation (GDPR) — a new EU law designed to protect privacy online — to come into force on May 25.
“We’ll comply with this new law, just as we’ve complied with existing data protection law in Europe,” Facebook said.
A consumer rights organisation said Monday that a German court had found Facebook is breaching data protection rules with privacy settings that over-share by default and by requiring users to give real names. (AFP)