The Chair of the Commission Nationale de l’Informatique et des Libertés (CNIL) issued formal notice to FACEBOOK to fairly collect data concerning the browsing activity of Internet users who do not have a FACEBOOK account. FACEBOOK must also provide account holders with the means to object to the compiling of their data for advertising purposes.
In this context, the CNIL performed on site and online inspections, as well as a documentary audit, in order to verify that FACEBOOK was acting in compliance with the French Data Protection Act. This has revealed several failures:
- FACEBOOK collects, without prior information, data concerning the browsing activity of Internet users who do not have a FACEBOOK account. Indeed, the company does not inform Internet users that it sets a cookie on their terminal when they visit a FACEBOOK public page (e.g. page of a public event or of a friend). This cookie transmits to FACEBOOK information relating to third-party websites offering FACEBOOK plug-ins (e.g. Like button) that are visited by Internet users.
- The social network collects data concerning the sexual orientation and the religious and political views without the explicit consent of account holders. In addition, Internet users are not informed on the sign up form with regard to their rights and the processing of their personal data.
- The website also sets cookies that have an advertising purpose without properly informing and obtaining the consent of Internet users.
- FACEBOOK compiles all the information it has on account holders to display targeted advertising (information provided by the Internet users themselves, collected by the website and by other companies of the group, and transmitted by commercial partners). As it is, the company provides no tools for account holders to prevent such compilation, which thereby violates their fundamental rights and interests, including their right to respect for private life.
- FACEBOOK transfers personal data to the United States on the basis of Safe Harbor, although the Court of Justice of the European Union declared invalid such transfers in its ruling of October 6, 2015.
The Chair of the French data protection authority therefore issued formal notice to FACEBOOK Inc. and FACEBOOK Ireland Limited to comply within three months with the French Data Protection Act.
The purpose of this notice is not to decide on the company’s behalf which practical measures must be implemented, but rather to ensure that it complies with the law, without such compliance having any negative impact on its business model or innovation capacity.
The formal notice is made public due to the seriousness of the violations and the number of individuals concerned by the FACEBOOK service (more than 30 million users in France).
This notice is not a sanction and the procedure will be publicly closed if the companies comply with the French data protection Act within the time limit.
On the contrary, if FACEBOOK Inc. and FACEBOOK Ireland Limited have not complied with the formal notice within the time limit, the Chair shall appoint a “rapporteur” who might refer the matter to the CNIL’s Select Committee with a view to deciding a sanction.
The investigations conducted by the Belgian, German (Land of Hamburg), Spanish and Dutch data protection authorities are ongoing at the national level and within an international administrative cooperation framework.