On February 8, 2016, the French Data Protection Authority (CNIL) issued a formal notice to Facebook to comply within three months with the French Data Protection Act.
According to CNIL, among other violations, Facebook is breaching French Data Protection Laws by transferring “personal data to the United States on the basis of Safe Harbour, although the Court of Justice of the European Union, in its ruling of October 6, 2015” (see here and here for more information), declared invalid the Safe Harbor and therefore outlawed any data transfer based on that.
The CNIL warned Facebook of the need to fix several other shortcoming, such as the practice of:
- collecting data concerning the browsing activity of Internet users who do not have a Facebook account without providing prior information. A similar issue was recently addressed by the Belgian courts (see here);
- collecting data concerning sexual orientation, religious and political views without explicit consent;
- placing cookies with advertising purposes without users’ consent;
- compiling account holders’ information to display targeted advertising, without providing users with tools to prevent such compilation.
The procedure will be closed if Facebook complies with the notice within the deadline. However, if the company does not comply, the CNIL’s Chair shall appoint a “rapporteur” who might refer the matter to the authority’s Select Committee with a view to deciding a sanction.
The matters listed above, have been examined by a working group composed of the five data protection authorities (in France, Belgium, The Netherlands, Spain and Hamburg) that are investigating the issues at national levels “within an international administrative cooperation framework”.
In December 2015, Mr. Schrems filed complaints concerning the mentioned issues with the Irish, Belgian, and German Data Protection Authorities.
CNIL’s formal notice is available at http://www.cnil.fr…
For more information, Francesca Giannoni-Crystal