In a decision of 26 January 2016, the CNIL’s Chairwoman issued a formal notice to FACEBOOK INC. and FACEBOOK IRELAND to comply with the French Data Protection Act of 1978 within a limited period of three months. This crackdown on the social network follows on from the investigations carried out last spring by a delegation of five Data Protection regulators within the Article 29 Working Party.

  • The absence of consent of Facebook’s users

Among the alleged facts, the authority reports that the social network collects, without any explicit consent, the sensitive data of its users, namely political opinions, religious beliefs and sexual orientation.

In addition, the CNIL pointed out that no prior consent is obtained for the compiling of data used to display targeted advertisements. As there is no means for users to prevent their personal data from being processed, this compiling is “likely to be incompatible with the interests and fundamental privacy rights of account holders” according to the decision.

  • The unfair collection of non-account holders’ data

By taking public action, the CNIL aims to raise awareness among the 30 million French account holders, but not only them. Non-account holders are concerned as well. When they visit a website that contains a Facebook plug-in, a cookie collects data on their browsing activity on the Internet. As the CNIL noted that this practice is conducted without the Internet users knowing, the security purpose claimed by Facebook for the collection was considered insufficient.

  • The illegal transfer of personal data outside the EU

Finally, the CNIL ordered the social network to cease transferring personal data between the EU and the US under the “Safe Harbor” agreement, as it was judged unlawful by a resounding decision of the Court of Justice of the European Union in October 2015. Facebook will now have to comply with the upcoming “Privacy Shield” framework.

  • What's next?

If Facebook does not comply with the notice, the CNIL can impose a maximum fine of 150,000 euros, but this might change in the near future, as the draft of the European Union’s General Data Protection Regulation provides a new cap of 20 million euros or 4% of the annual worldwide turnover of the undertaking.

The CNIL’s decision is not the only issue that the social network is facing in France. The Directorate General for Competition Policy, Consumer Affairs and Fraud Control also issued an injunction against Facebook to remove the unfair conditions contained in its Privacy Data Policy.