Facebook just got a double hit from French regulation authorities. Both the Data Protection Authority (CNIL) and the Directorate-General for Competition, Consumer Affairs, and Prevention of Fraud (DGCCRF) recently publicly notified Facebook that it had failed to comply with French regulations.
The CNIL, on the other hand, criticized the way in which Facebook collects and processes personal data and, more specifically, the way Facebook:
- combines its users’ personal information without (according to the CNIL) any legal basis so that Facebook can offer targeted advertising;
- collects sensitive data, such as political or religious views and sexual orientation;
- is not transparent enough when it comes to the processing of personal data;
- uses a “cookie” that enables the network to track the website pages visited by its users and even non-users when said pages contain a “like” button;
- does not have a proper framework in place to transfer personal data to the U.S. following the invalidation of Safe Harbor.
Facebook now has three months to comply with data privacy regulations. If the CNIL decides to go before the civil tribunal for these violations, the fine could go up to €1.5 million.
TIP: These announcements are a reminder that French regulators are taking privacy representations and activities of foreign companies seriously.