On January 26, 2016, the French Data Protection Agency (Commission Nationale de l'Informatique et des Libertés, CNIL) issued a formal notice against Facebook Inc. and Facebook Ireland ("Facebook") because it held that Facebook does not fairly collect the browsing data of the web users (i.e., not Facebook's registered members) and does not allow its registered members to oppose the combination of their personal data for advertising purposes. The CNIL further elected to emphasize its decision by publishing this formal notice on its website in February 2016.

Further to Facebook's public announcement of the change to its Privacy Policy, a group, comprising members of five EU data protection agencies among the Article 29 Data Protection Working Party1 (France, Belgium, Netherlands, Spain and the Land of Hamburg), was put in place in March 2015.

It is in this context that the CNIL carried out on-site and online investigations in order to ensure that Facebook does comply with the French Data Protection Act.

These investigations led to the notice, by the CNIL, of several violations committed by Facebook.

  • Facebook's website (the "Website") is able to track/follow the browsing of the web users (who are not Facebook's registered members) on third parties websites, without informing them. Indeed, the Website stores cookies on the devices of the web users who visit a public Facebook page (e.g., a page of a public event), without securing their consent. These cookies then allow Facebook to identify all websites, containing a Facebook button "I like" or "Connect," that have been visited by the web-users;
  • Facebook does not secure the express consent of the registering member when it collects, through the Website, data concerning the political or religious opinions, or the sexual preference of the registering member. In addition, the registration form of the Website does not contain any information of the rights of the registered member, nor of the contemplated use of the data collected through the Website;
  • The Website stores advertising cookies on the registered members' devices without having first informed them, nor obtained their prior consent;
  • In order to provide targeted ads to its registered members, the Website proceeds with a combination of all data of these registered members (data been voluntarily provided by the registered members, but also the data collected by the Website, or by other companies of the group, or data transmitted by commercial partners). But the Website does not offer any way to oppose such a combination carried out for advertising purposes;
  • Facebook transfers its registered members' personal data to the USA, on the ground of the Safe Harbor principles, which, however, no longer apply since the decision handed down by the European Court of Justice on October 6, 2015.

The President of the CNIL2 thus decided to issue a formal notice requiring Facebook to stop, within three months, violating the law as described above.

The purpose of this formal notice is to lead Facebook to adopt pragmatic solutions to comply with the law, without altering its business model and creativity.

The CNIL decided to publish its formal notice in light of (i) the serious breaches that have been noted and also (ii) the vast number of individuals concerned (more than 30 million registered members in France).

But this formal notice is not a sanction. If Facebook complies within three months, the case will be closed.

If Facebook fails to comply with the requests contained in this formal notice, it will not be automatically sanctioned. However, in that case, the President of the CNIL is entitled to appoint a reporting adviser ("rapporteur") who is then empowered to draw a report inviting the CNIL, through its restricted format committee ("formation restreinte), to impose sanctions on Facebook.

In particular, the CNIL is entitled by law to sanction Facebook to pay a civil penalty in an amount of 150,000 Euros (300,000 Euros in the event of a repeated breach) and to have such a decision published on its website3.

Moreover, in the event of serious violations of the rights and the liberty of the data subjects, the CNIL can also request the French Public Prosecutor to start criminal prosecutions against Facebook, which could be ordered to pay fines, whose amount can reach, for legal entities, 1,500,000 Euros per offence.

The other aforementioned EU data protection agencies are currently continuing their investigations concerning Facebook in their respective countries, and it is likely that the same violation be addressed in these countries.

Footnotes

1.The Article 29 Data Protection Working Party was set up under the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. It has advisory status and acts independently.

2.Isabelle Falque-Pierrotin has been leading the CNIL for 5 years and a half. On February 2, 2016, her mandate, as the President of the Article 29 Data Protection Working Party, has been renewed for two years.
3.With the new General Data Protection Regulation recently passed, the level of the sanctions will be considerably greater.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.