On February 8 and 9, 2016, the French Directorate-General for Competition, Consumer Affairs and Prevention of Fraud (the ‘DGCCRF’) and the French Data Protection Authority (the ‘CNIL’), through an obviously concerted action, have publicised regulatory enforcement measures they are undertaking against Facebook.
The DGCCRF is requiring Facebook to re-write its Terms and Conditions on the grounds of consumer protection for France
The DGCCRF issued an injunction to Facebook requiring either revising or removing certain clauses of its Terms and Conditions which would be considered as unfair and “abusive” terms under French consumer law. This concerns in particular provisions granting Facebook the right, in its sole discretion, to remove any content or information posted by Facebook users, or to update its Payment Terms at any time without informing the users beforehand. The DGCCRF required Facebook to take appropriate action within 60 days. Otherwise, Facebook can be sued before the French courts.
Broad worldwide Terms and Conditions face hard times ahead
One can recall that on March 5, 2015, the Paris Court of First Instance had ruled that, despite a clause giving exclusive jurisdiction to the U.S. courts, a French Facebook user could validly file a claim against Facebook in France. This important ruling ruled that the U.S. jurisdiction clause contained in Facebook’s Terms and Conditions was null and void, but did not preclude Facebook from maintaining its Terms and Conditions.
What the DGCCRF now requires is an adaptation to French law of these Terms and Conditions, which will require a separate compliance exercise.
One day before the DGCCRF, the CNIL had publicly addressed a notice to Facebook concerning several nonconformities, such as:
- Collecting sensitive data such as data related to political and religious opinions, or which concern sexual life, without obtaining the prior consent of users as required by the French data protection law.
- Not allowing the users a proper right to object to the processing of users’ data for commercial purposes.
- Finally, the CNIL acknowledged that Facebook had not set up an adequate legal framework for their data transfers, as no alternative framework to the Safe Harbor that Facebook was relying on had been filed with the CNIL. Since the Safe Harbor invalidation by the Court of Justice of the European Union’s judgement on October 6, 2015, companies have been required to put in place another legal framework for transferring personal data to the United States. All Working Party 29 members, in particular the CNIL, had stressed that enforcement actions would be taken after January 31, 2016. This is therefore the first and strong enforcement measure undertaken by the CNIL.
The CNIL, which acts jointly on this with the Belgian, Spanish, and Dutch DPAs, as well as with the State DPA of the Land of Hamburg in Germany, gave Facebook three months to take corrective actions. In case of persisting non-compliance, Facebook risks sanctions up to a five-year imprisonment and a fine up to €300.000.
Concerning the data transfer issue, only the Binding Corporate Rules (BCRs) would in practice allow Facebook to implement the legal framework required by the CNIL as a data transfer agreement with all Facebook users is not practicable. Given the time required to set up such a scheme (it can take 9 to 18 months in general), it is foreseeable that the CNIL expects Facebook launch the adoption of BCRs and probably also to be the monitoring regulator of this process.
However, the combined action of these two French authorities shows that they will not wait until any European regulation is adopted, in particular concerning data protection, and that 2016 seems to constitute a turning point in a coordinated approach of French regulators toward internationally operating organizations.