Facebook faces enforcement in France as the President of the French data protection authority (the “CNIL”), Isabelle Falque-Pierrotin, issues a formal notice to the social network, ordering it to comply with French data protection law within 3 months.

A year after Facebook’s roll out of its new Data Use Policy and Terms of Service, and a multi-pronged investigation initiated by several of the EU’s data protection authorities (see our previous post here), including on-site and online inspections, the CNIL issued a formal notice to Facebook, Inc. and its Irish offshoot, Facebook Ireland Ltd., on January 26, 2016, listing the following violations of French data protection law:

  • Facebook combines the data of its users for advertising purposes without providing any mechanism allowing users to object to such processing of their personal data, violating users’ fundamental rights and interests;
  • Users may be required to provide Facebook with a proof of identity, such as a medical record, which is excessive in view of the purposes for which data is collected;
  • Facebook does not request the users’ express consent prior to collecting and processing sensitive personal data such as political opinions, religious beliefs and their sexual orientation. For the CNIL, the fact that users provide this information voluntarily cannot be considered express consent, and there should be a dedicated opt-in check-box;
  • Users are not properly informed about the processing of their personal data by the social network. In particular, the registration form does not contain processing information. Moreover, the Facebook privacy policy does not provide all the information required regarding transfers of data outside the EU;
  • The social network collects, without prior notice, data concerning the browsing activity of Internet users who do not have a Facebook account, by storing cookies on their device when they visit a Facebook page. These cookies then share with Facebook information relating to third-party websites with Facebook plug-ins visited by Internet users. Such processing is unfair and unlawful;
  • Facebook sets advertising cookies on Internet users’ devices without prior informing them and obtaining their consent;
  • Users’ IP addresses used to log onto their Facebook accounts are retained for longer than 6 months, which is excessive, even for security purposes;
  • Facebook has failed to implement proper measures to ensure the security and confidentiality of its users’ data, by allowing its users to choose very weak passwords;
  • Facebook has failed to comply with the obligation to undertake formalities with the CNIL prior to implementing processing that can exclude users or combat fraud, and should have asked for the CNIL’s authorization; and
  • Facebook continues transferring personal data outside the EU to the US on the basis of the Safe Harbor, even though the framework was invalidated in October 2015 by the European Court of Justice.

Facebook now has 3 months from the notification of the CNIL’s decision to find appropriate solutions and to give to the 30+ million users in France greater control over their data. If Facebook fails to comply with this formal notice, it could face CNIL administrative sanctions, as well as criminal prosecution.