French Data Protection Authority Clamps Down on Facebook’s Privacy Violations

On Monday, the 8th of January 2016, the French data protection authority, Commission Nationale de l’Informatique et des Libertes (CNIL), issued a formal notice to Facebook for it to comply with the French Data Protection Act. This follows a decision issued by the CNIL on the 26th January 2016, which gave Facebook 3 months within which to fall in line with all the necessary requirements. CNIL revealed several failures which occurred on the part of Facebook. The following violations were discovered:

• No legal basis for the processing of data – although users of the website have the option of disabling targeted advertising, and stopping this function from being applied to them, the users cannot stop their personal data from being compiled;
• A lack of compliance with the obligation to ensure the adequacy, relevance and non-excessive nature of the data collected – Facebook asks its users to submit proof of identity in various different forms, including through medical records. CNIL held that this type of documentation includes information which could infringe upon the privacy of the individuals in question;
• A lack of compliance with the obligation to acquire consent of data subjects for the processing of sensitive data concerning political or religious views and sexual lifestyle – consent is deemed to be explicit if it is given with full knowledge of the manner in which the data will be used. CNIL held that although users enter their sensitive data themselves does not equal explicit consent, as the users are not authorizing the use of their sensitive personal information;
• A lack of compliance with the obligation to inform individuals – the delegation stated that the account holders are not informed of the nature of the data transferred, the purpose of the transfer, the kinds of data recipients, and the level of protection provided by third countries;
• The obligation to fairly collect and process data was not observed – Facebook collects the data browsing activity of internet users who do not have a Facebook account. This allows the company to know the majority of the last 10 days of browsing activity of noon-account holders without them having any knowledge of this;
• Failure to comply with the obligation to obtain prior consent before placing cookies on an individual’s device or accessing such information. Cookies for the purpose of advertising cannot be used without the consent of the individual concerned;
• Failure to define and observe a retention period in proportion to the purposes of the processing of the information. It was observed that the data was held for a longer period than the legal limit of 6 months. This, according to the CNIL, is punishable by a fine of up to €1,500,000;
• Failure to comply with the obligation to ensure data security – the level of complexity of passwords which are required is low and thus Facebook cannot guarantee the safety of the data collected;
• No legal basis for the transferring of personal data outside the US – Facebook is still relying on the Safe Harbour Agreement which was deemed invalid by the European Court of Justice.

If Facebook Inc. US and Facebook Ireland Ltd. fail to comply with the French data protection provisions within 3 months from the date of this decision, the Chair of the CNIL has warned Facebook that it will proceed to appoint a “rapporteur” who may refer the matter the CNIL’s Select Committee so as to decide an appropriate sanction. Facebook is also being investigated by Belgian, Spanish, Dutch and German data protection authorities. A working group of five DPAs was formed in March 2015 in order to investigate its new privacy policy.

For further information about how GVZH can help you with your Data Protection legal requirements, please contact us here.