French DPA Warns Facebook Continued Reliance on Invalid US-EU Safe Harbor and Cookie Use May Violate Law | Practical Law

The French data protection authority has publicly issued a formal notice to Facebook Inc. and Facebook Ireland Limited that they have three months to comply with the French Data Protection Act, including by no longer transferring data to the US, pursuant to the recently invalidated US-EU Safe Harbor Framework.

by Practical Law Intellectual Property & Technology
Published on 09 Feb 2016 | France
On February 8, 2016, the French data protection authority, Commission Nationale de l’Informatique et des Libertés (CNIL), publicly revealed it issued a formal notice to Facebook Inc. and Facebook Ireland Limited (Facebook) on January 26, 2016, advising the company that it has three months to comply with the French Data Protection Act (Act 78-17), or risk sanctions. CNIL made the notice public because it was concerned about the seriousness of the violations and the number of affected individuals.
CNIL found that Facebook:
  • Transfers personal data to the US on the basis of the US-EU Safe Harbor Framework, which the Court of Justice of the European Union declared invalid on October 6, 2015.
  • Collects the browsing activity of non-Facebook account holders without their prior, explicit consent: it places a cookie on the computer of any visitor to a public Facebook page, and that cookie then reports the visitor's browsing activity on every third-party website that embeds a Facebook plug-in back to Facebook.
  • Sets advertising cookies without properly informing and obtaining the consent of Internet users.
  • Collects data concerning users' sexual orientation and their religious and political views with only their implicit consent, instead of obtaining explicit consent. Further, when signing up for a Facebook account, Facebook gives insufficient information regarding users' rights and how Facebook will process their personal data.
  • Compiles all the information it has on account holders to display targeted advertising, without providing a tool for account holders to prevent such compilation.
CNIL stated that each of these actions violates the French Data Protection Act. It issued formal notice that Facebook must:
  • Cease transferring personal data from France to the US on the basis of US-EU Safe Harbor.
  • Cease compiling the data of account holders for advertising purposes without a legal basis.
  • Cease processing data that is irrelevant, excessive, or inadequate with respect to the purposes pursued. In particular, Facebook must cease asking account holders to prove their identity by providing medical records.
  • Obtain the explicit consent of account holders for the collection and processing of "sensitive" data such as political or religious views and sexual orientation by, for example, including a check box where such information is entered.
  • Comply with the provisions of Article 32 of the French Data Protection Act by informing account holders about:
    • how Facebook processes their personal data, directly on the sign-up form and on the pages where account holders can complete their profile; and
    • the purpose of any data transfer outside the European Union, the recipients of such data, and the level of protection offered by the country where the data is transferred.
  • Fairly collect and process data of non-account holders with regard to data collected using cookies and other collection tools.
  • Obtain consent and inform users when placing cookies on their devices. To comply with this decision, Facebook should provide information to Internet users in a clear and thorough manner on the banner on its website regarding:
    • the purposes of all cookies requiring consent; and
    • the fact that users have the option to change cookie settings by clicking the link in the banner, which must redirect to a page that presents adequate solutions for accepting or blocking cookies.
  • Cease retaining personal data beyond the length of time required for the purposes for which it was collected and processed. In particular, Facebook should delete account holders' IP addresses used to connect to their accounts after six months.
  • Take all measures necessary to ensure the security of account holder personal data, including by increasing the complexity of account passwords. Facebook should require that passwords be composed of at least eight characters of three different types from the following list:
    • digits;
    • uppercase letters;
    • lowercase letters; and
    • special characters.
  • Complete formalities applicable to processing, and in particular, issue an authorization request for all data processing with the purpose of preventing fraud and potentially banning users.
  • Demonstrate to CNIL that all the aforementioned requests have been complied with, within the next three months.
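The password rule in the notice (at least eight characters drawn from at least three of the four listed character types) is concrete enough to check mechanically. The following is an added illustration, not code from the notice or from Facebook; the class names and the treatment of characters outside the four listed types (they count toward length but toward no class) are assumptions made here.

```python
import string

# The four character types named in the CNIL notice.
CLASSES = {
    "digit": set(string.digits),
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "special": set(string.punctuation),
}
MIN_LENGTH = 8   # "at least eight characters"
MIN_CLASSES = 3  # "three different types from the following list"


def present_classes(password):
    """Return the names of the listed character types that occur in the password.

    Characters outside all four sets (spaces, accented letters, ...) are an
    assumption of this example: they add to the length but to no class.
    """
    chars = set(password)
    return {name for name, members in CLASSES.items() if chars & members}


def check_password_policy(password):
    """Evaluate a candidate password against the notice's minimum rule.

    Returns (ok, reasons); reasons lists every requirement that failed so a
    sign-up form can report all problems at once rather than one per attempt.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"length {len(password)} < {MIN_LENGTH}")
    classes = present_classes(password)
    if len(classes) < MIN_CLASSES:
        reasons.append(
            f"only {len(classes)} of {MIN_CLASSES} required character classes: "
            f"{sorted(classes)}"
        )
    return (not reasons, reasons)
```

The rule is a floor, not a strength measure: a short dictionary word with a digit and a punctuation mark appended satisfies it, so a deployment would normally pair it with a breached-password or rate-limiting control.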
If Facebook complies with these requirements, the proceedings will be closed. If it does not, CNIL may appoint a reporting judge to determine the applicability of monetary sanctions.