Protection of Personal Data : Warning from the CNIL towards Facebook

On 26 January 2016, the President of the CNIL (National Commission for Data Protection and Liberties) gave formal notice to Facebook to collect loyally surfers’ navigation data who do not have Facebook accounts. She also requested that users of this social network can raise against combination of all of their data for advertising purposes.

A statement from the CNIL dated February 8 specifies the terms of the formal notice and states that advertising of this measure has been decided.

Following the announcement by Facebook of privacy policy’s changes, a group of five European protection authorities which decided to conduct investigations (France, Belgium, Netherlands, Spain and the State of Hamburg) was created within the G29 (group of the European CNIL) in March 2015.

‍

In this context, the CNIL conducted on-site controls and online inspections to check the conformity of Facebook to the « loi Informatiques et Libertés » (Data Protection Act in France).

These audits have identified numerous breaches in this law :

• Facebook is able to track browsing of users without their knowledge, on third party sites even when they do not have a Facebook account
• The social network does not collect express consent of users in the collection and processing of data relating to their political opinions or religious, and sexual orientation
• No information is delivered to users about their rights and the use made of their data on the registration form to the service
• Cookies for advertising purposes are deposited on users’ computer, without having properly informed them
• To display targeted advertising to its members, Facebook conducts the combination of all personal data held on them
• Facebook does not provide mechanism for users allowing them to raise against combination of all of these data for advertising purposes, which infringes their fundamental rights and interests and undermines the respect of their privacy
• Facebook transfers personal data of its members in the United States based on the Safe Harbor, which is no longer possible since the decision of the Court of Justice of the European Union of 6 October 2015.

According to the Commission :

« The President of the CNIL decided to give formal notice to Facebook INC. and Facebook IRELAND to comply with the law within 3 months. The purpose of this formal notice is not to be a substitute of the social network in order to establish specific measures, but to drive it to come into compliance with the «loi Informatiques et Libertés» (Data Protection Act) without interfering with its business model or its innovative capacity ».

‍

If Facebook INC. and Facebook IRELAND do not comply with this formal notice within the given time, the President may appoint a rapporteur who will prepare a report in order to impose sanctions against companies.