Further to a number of similar controls by the French Data Protection Authority (the "CNIL”), the CNIL publicly issued a formal notice on 26 January 2016 ordering Facebook to correct a number of breaches to the Law n°78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties (“French Data Protection Act”).

On 27 April 2017, the CNIL confirmed the existence of a number of persisting breaches to the French Data Protection Act and pronounced a public sanction of €150,000 against Facebook Inc. and Facebook Ireland Limited on the grounds that:

  1. Facebook collects information about users for advertising purposes, without having an appropriate legal ground. It compiles the information it has on account holders and uses it to display targeted advertisements without the users consent, and users cannot object to this when creating an account.
  2. Facebook unfairly tracks internet users via cookies as Facebook uses these cookies to track any website displaying a “Like” plugin button, thus tracking even the non-members of Facebook. The CNIL considers that the cookie banner and the information provided in Facebook’s privacy policy does not clearly explain to users how their data is collected when they navigate on a third party website including a Facebook plug in.
  3. Facebook does not allow users to validly oppose cookies placed on their terminal devices as it requires the modification of their web browser settings to object the cookies. The CNIL considers that Facebook should inform its users about the purpose of each cookie and allow them to object on the Facebook website to the use of each cookie.
  4. Facebook does not provide its users with sufficient information (neither in the registration form nor in its data policy) with respect to their rights and the use that will be made of their personal data, especially the transfers of data to the US.
  5. Facebook collects sensitive data without obtaining the explicit consent of the users. Indeed, Facebook users may specify on their personal page their sexual orientation and their political and religious beliefs but no specific information on the sensitive nature of this data is provided by Facebook to its users.
  6. Facebook keeps personal data longer than required as it retains the entirety of IP addresses of its users all along the life of their account, without demonstrating the need to keep them.

The CNIL considers the publicity given to and the amount of its sanction imposed on Facebook to be justified by: i) the significant number of Facebook users in France (C.33 million), the seriousness of the breaches, and the number of breaches committed.

French organisations should consider the following:

  1. Take precautions when using the contract with a data subject as the legal basis for processing, because it might not always be considered necessary for performance of the contract.
  2. Where processing is based on an organisation's legitimate business interest, adequate control over processing should be given to data subjects.
  3. When gathering consent an organisation must verify that the consent obtained is informed, specific and free.
  4. A data subject consciously providing such data is not enough for explicit consent.
  5. Where possible, information about the processing should be provided in the registration form.

Data subjects should have the option to object to the use of cookies for each of the purposes for which cookies are used, and by other means than changing browser settings (except where the service cannot be properly provided without using cookies or where the cookies used do not require consent).

The CNIL’s decision can be found here (French).

Submitted by Thierry Dor, Partner and Dane Rimsevica, Associate of Gide Loyrette Nouel – Paris, France in partnership with DAC Beachcroft LLP