FACEBOOK sanctioned for several breaches of the French Data Protection Act
May 2017 by CNIL
The Restricted Committee of the CNIL imposed a sanction of 150,000 € against FACEBOOK INC and FACEBOOK IRELAND.
These actions are part of a European approach involving five data protection authorities (France, Belgium, the Netherlands, Spain and Hamburg) that have also decided to carry out investigations on FACEBOOK.
The investigations conducted by the CNIL have revealed several failures. In particular, it has been observed that FACEBOOK carried out a massive compilation of personal data of Internet users in order to display targeted advertising. It has also been noticed that FACEBOOK collected data on the browsing activity of Internet users on third-party websites, via the “datr” cookie, without their knowledge.
Considering the failures stated, the Chair of the CNIL issued, on 26 January 2016, a formal notice to FACEBOOK Inc. and FACEBOOK Ireland to comply within three months with the French Data Protection Act. The formal notice was renewed once at the request of FACEBOOK.
Considering the unsatisfactory responses provided by both companies to the formal notice, the Chair decided to appoint a rapporteur in order to refer the matter to the Restricted Committee of the CNIL with a view to deciding a sanction.
Following a hearing on 23 March 2017, the Restricted Committee has considered that FACEBOOK Inc. and FACEBOOK Ireland:
Compile all the information they have on account holders to display targeted advertising without having a legal basis. Although users have means to control the display of targeted advertising, they do not consent to the massive compilation of their data and cannot object to this compilation when creating an account or a posteriori.
Carry out unfair tracking of Internet users via the “datr” cookie. The cookie banner and the mention of information collected “on and outside Facebook” do not allow users to clearly understand that their data are systematically collected as soon as they navigate on a third-party site including a social plug-in. Therefore, the massive data collection carried out via the “datr” cookie is unfair due to the lack of clear and precise information.
Concerning other infringements, the Restricted Committee considers that the companies:
Do not provide direct information to Internet users concerning their rights and the use that will be made of their data, in particular on the registration form;
Collect sensitive data of the users without obtaining their explicit consent. Indeed, no specific information on the sensitive nature of the data is provided to users when they complete their profiles with such data;
Do not allow users to validly object, by using the web browser settings, to cookies placed on their terminal equipment;
Do not demonstrate the need to retain the entirety of users' IP addresses throughout the life of their account.
As a result, the Restricted Committee has decided to pronounce a public sanction of 150,000 euros against FACEBOOK INC and FACEBOOK IRELAND.
Considering the significant number of users in France (33 million) and the seriousness and number of infringements (6 in total), the publicity and amount of this sanction are justified.
The decision of the Restricted Committee follows the work carried out in a collaborative manner with the data protection authorities of Belgium, Hamburg, Spain and the Netherlands. Several statements are shared even though the scope of the procedures differs and each has its own schedule.
Link to the common statement: https://www.cnil.fr/fr/node/23602