The CNIL has imposed a penalty of 150,000 € made public against the companies FACEBOOK INC and FACEBOOK IRELAND.
According to the authority, the amount and the publicity of this sanction are justified by the number of breaches (6 in total), their seriousness and the large number of users in France (33 million).
Following the change in Facebook’s privacy policy in 2015, the CNIL, in cooperation with other European authorities (France, Belgium, the Netherlands, Spain and the Land of Hamburg) decided to carry out checks on-site and online.
1.In particular, the CNIL sanctionned the following breaches:
- Massive combination of personal data for advertising targeting: Internet users may oppose targeting advertising but can not agree or oppose at a later stage the massive combination of their data.
- Unauthorized tracing of Internet users (with or without accounts) on third party sites via a cookie (“datr”): the information on the cookie header does not make it possible to understand that the data are systematically collected when the users navigate On a third party site with a social module.
The CNIL had issued a notice to Facebook Ireland and Facebook France to comply with the French data protection. Given the unsatisfactory replies, the CNIL has decided to impose an administrative fine of 150,000 euros on Facebook, that is the maximum fine provided for by law applicable at the time of the breaches – the maximum amount is now 3 million euros and will be 4% of the global annual turnover from May 2017.
2. Other breaches sanctionned by the Cnil
The CNIL also noted the following shortcomings:
- No immediate information to the Internet users about their rights and the use that will be made of their data, in particular on the registration form for the service.
- No express consent of Internet users when they provide sensitive information in their profiles (eg, political opinions, religious opinions or sexual orientation).
- By referring to the browser settings, companies do not allow users to validly oppose cookies placed on their terminal equipment.
- The companies do not demonstrate how it is necessary to keep all Internet users’ IP addresses for the entire life of their accounts.
The other European authorities should also sanction Facebook on the basis of similar findings.
