What does this cover?

By way of its Decision No. 2016-007 on 26 January 2016, the French Data Protection Authority (the CNIL) has publicly ordered Facebook Inc. and Facebook Ireland Limited, considered as joint controllers, (Facebook) to correct a number of breaches to the Law No. 78-17 (6 January 1978) on Information Technology, Data Files and Civil Liberties (the Act). Such breaches shall be remedied within 3 months of the notification of the CNIL’s decision.

According to the CNIL, the following practices of Facebook constitute a breach of the Act:

1. Interconnection of users’ data for advertising purposes without a valid legal basis

After noticing that Facebook carries out the interconnection of various user data for advertising purposes, the CNIL reminds that such data processing must have a valid legal basis under the Act, and in particular, it must have received the consent of the data subject or fulfil one of the limited exceptions contained under Article 7.

The exceptions considered by the CNIL in the present case are: (i) the execution of a contract to which the data subject is a party; and (ii) the legitimate interests of the data controller. According to the CNIL, Facebook is in breach of Article 7 of the Act because:

  • the contract between Facebook and its users is not a sufficient legal basis for such data processing, as the interconnection of data is not necessary for the performance of the contract but is rather an accessory (this is confirmed by the fact that users are allowed to block ads); and
  • Facebook’s legitimate interest in improving its advertising mechanisms cannot be considered as a valid legal basis, as it is not proportionate to the rights and freedom of the data subjects. The balance between the two interests can only be achieved by giving users an adequate control over the interconnection of their data, and currently, Facebook does not provide for an effective tool allowing the individuals to oppose to such interconnection of data (they can only block ads or delete their preferences).

2. Disproportionate requirement to provide medical records for user identification

Sometimes, in order to prove the identity of the users, Facebook can require them to submit a number of documents, including medical records. According to the CNIL, in order to be compliant with some of the provisions of Article 6 of the Act, Facebook shall only accept documents which are adequate, relevant and not excessive with respect to this purpose (which is not the case for medical records as other less sensitive documents can be used instead).

3. Sensitive data processing without the explicit consent of the data subjects

Facebook users can specify a number of details categorised as sensitive data on their personal page (e.g. political and religious beliefs and sexual orientation). The CNIL considered that such specifications by the data subject are insufficient to be considered as an “explicit consent” to the processing of sensitive data. Instead the users need to be fully informed of the use of such data. Explicit consent could be obtained by ticking a box, for example.

4. Data transfers to the United States without a legal basis and without providing clear information to users

The CNIL considers Facebook to be in breach of the following articles of the Act:

  • Article 32 (transfer of their personal data outside the EEA) because users are not informed about the nature of the data transferred, the purposes of the transfer, the categories of recipients or the level of protection provided by the recipient country; and
  • Article 68 (prohibition of personal data transfers to countries outside the EEA or to countries not providing an adequate level of protection) as the Safe Harbor mechanism Facebook relied upon no longer constitutes a valid legal basis for data transfers to the US.

5. Use of cookies without providing sufficient information or collecting valid consent of users

The CNIL considered Facebook to be in breach of Article 32 because:

  • it uses cookies to track any website displaying a “Like” or “Connect” button, thus tracking any Internet user (even those not registered on Facebook) that has previously visited a public Facebook page without providing any information on such cookies and without collecting the consent of the data subjects; and
  • Facebook should inform data subjects about the purpose of each of the cookies used that require user consent (e.g. advertising) and allow them to object to such use directly via the Facebook website and not through browser settings, with such information being provided in the cookie banner.

6. Insufficient security measures for its password policy

The CNIL considered Facebook to be in breach of Article 34 because Facebook requires its users to set a password containing a minimum of 6 characters (including only letters and numbers) whereas it should require a password containing at least 8 characters of 3 different types (including upper-case and lower-case letters, numbers and special characters) in order to fulfil its data security related obligations under the Act.

7. Absence of information notice related to the data collection form

The CNIL considered Facebook to be in breach of Article 32 (provision of information related to data controller’s identity, the purposes of the data processing and the rights of the data subjects) because this information is not provided to users at the moment of their registration on Facebook and is not included in the data collection form.

8. Other breaches to the Act

Additionally, the CNIL has warned Facebook that it should not:

  • keep personal data longer than necessary, in particular IP addresses which should not be kept longer than 6 months for the purpose of preventing identity theft; and
  • process data for the purposes of fraud prevention without prior authorization from the CNIL.

Facebook has to remedy the aforementioned breaches of the Act before 26 April 2016.

If Facebook fails to remedy the breaches, a fine of up to EUR 150,000 can be pronounced by the CNIL. Where the breaches are ones subject to criminal sanctions (e.g. processing of personal data without an express consent, not respecting the appropriate security measures, or processing personal data without the appropriate declarative formalities) Facebook could be subject to court proceedings and face criminal sanctions of up to EUR 1,500,000.

To view the decision of the CNIL, please click here (French).

What action could be taken to manage risks that may arise from this development?

This is one of the most important and informative decisions recently given by the CNIL.

One of the first points to take away from this decision is the CNIL’s explicit recognition of the concept of “joint controllers”, contained under the 95 Directive that has not been transposed under the Act.

With respect to the various breaches identified by the CNIL, the main elements that organisations with a presence in France should focus its attention on are:

  • where data processing is based on one or more of the limited exceptions available, ensure the interpretation and the scope of these exceptions is sufficient;
  • as far as possible, ensure that only adequate, relevant and not excessive data is processed with respect to the purpose of such processing;
  • ensure there is a “valid” explicit consent to process sensitive data (data subjects voluntarily providing such data might not be sufficient), and evaluate if additional measures to collect such consent need to be put in place (e.g. providing a box to tick);
  • ensure data subjects are sufficiently informed of the transfer of their data to countries outside the EEA;
  • for cookies requiring data subjects' consent, ensure the cookie banner effectively informs the data subjects of the purpose of each cookie used and provides for the possibility to change the cookie settings or object to the use of cookies by clicking on a hyperlink; and
  • ensure that password security is in line with the CNIL’s recommendations (i.e. passwords should contain at least 8 characters of 3 different types).

Article submitted by Thierry Dor (Partner) and Dane Rimsevica (Associate) of the IP/TMT department of Gide Loyrette Nouel – Paris, France, in partnership with DAC Beachcroft LLP.