BRUSSELS—Belgium’s privacy watchdog ripped into Facebook Inc.
for treating the personal data of Internet users “with contempt” and failing to cooperate with its inquiries, stoking a dispute between the company and European regulators that could result in heavy fines and orders to change its business practices.
The Belgian report, which was released Friday, is part of a broader effort by privacy regulators in several European countries to examine new privacy policies Facebook implemented this year for use of data from its services, which include Instagram and WhatsApp, to target advertising. The review is being led by authorities in the Netherlands and includes watchdogs in France, Spain and Germany.
Belgium’s Privacy Commission, in its 28-page report, said Facebook processes the personal data of its members as well as other Internet users “in secret,” without asking for consent or adequately explaining how the data would be used.
“The way in which [Facebook] is contemptuous of the private lives of its members and of all Internet users demands action,” said Willem Debeuckelaere, the commission’s president.
“It’s make or break time” for Facebook, he said.
While it has no sanctioning powers, the regulator at some point could send the dossier to the Belgian prosecutor’s office, which would decide whether to take up the case.
At issue is how Facebook tracks Internet users on external websites through the use of “like” and “share” buttons, gleaning data that could be used for targeted advertising, for instance.
The Belgian regulator said the way Facebook uses these so-called social plug-ins is “intrusive.” The company is “in a unique position, since it can easily link its users’ surfing behavior to their real identity, social network interactions and sensitive data such as medical information and religious, sexual and political preferences,” the report said.
Facebook says it only has to answer to the regulator in Ireland, home to its European headquarters. “The applicability of the [Belgian regulator’s] efforts is unclear,” a spokeswoman for the California-based company said. “But we will of course review the recommendations when we receive them with our European regulator, the Irish Data Protection Commissioner.”
“There is not a shadow of doubt on the applicability of the Belgian privacy legislation,” the report said.
European officials say they hope to complete legislation for European Union data-protection rules by the end of this year. The rules are expected to focus on strict protection for European consumers, and to clarify whether a single national regulator could be given sole jurisdiction for firms that operate across Europe, an increasing point of friction between Europe and U.S. tech giants.
In its recommendations, the Belgian regulator said Facebook should stop collecting Internet users’ data through social network buttons unless it obtains specific consent to do so, and should refrain from “systematically” tracking nonusers of Facebook.
It said such social network buttons must not immediately transfer information to Facebook, but should require an additional mouse click to show that users are opting in.
The recommendations were based on an academic report commissioned by the Belgian regulator that identified a slew of potential privacy issues. The researchers found, for example, that Facebook was tracking people who hadn’t signed up for the service. Facebook said that was a bug and was being fixed.
Stephen Deadman, a Facebook privacy executive, said the investigations pose risks for growing businesses and paint “a grim portrait of the future.”
“For companies of our size and scale, we can manage this complexity, even if it means delaying or not launching services in particular markets,” Mr. Deadman wrote in a blog post Thursday. “But for smaller businesses and startups, it represents a major barrier to even getting off the ground: a huge setback for Europe’s digital ambitions.”
The Belgian watchdog also criticized Facebook for being “stingy in giving precise answers” to the questions of European regulators, and said the company had “refused to agree to requests to postpone the application” of its new privacy terms.
“Facebook continues to refuse to recognize the application of Belgian law as well as the Belgian Privacy Commission,” the watchdog said.
The regulator plans to address further issues around Facebook’s privacy controls in a second recommendation to be published later this year.
—Sam Schechner contributed to this article.