CNIL Sanctions FACEBOOK
May 16, 2017
The Restricted Committee of the CNIL imposed a sanction of 150,000 €
against FACEBOOK INC and FACEBOOK IRELAND.
Following FACEBOOK's statement regarding the amendment of its privacy
policy in 2015, the CNIL performed on-site and online inspections, as
well as a documentary audit, in order to verify that FACEBOOK was acting
in compliance with the French Data Protection Act.
These actions are part of a European approach involving five data
protection authorities (France, Belgium, the Netherlands, Spain and
Hamburg) that have also decided to carry out investigations on FACEBOOK.
The investigations conducted by the CNIL have revealed several failures.
In particular, it was observed that FACEBOOK carried out a massive
compilation of personal data of Internet users in order to display
targeted advertising. It was also noted that FACEBOOK collected data on
the browsing activity of Internet users on third-party websites, via
the “datr” cookie, without their knowledge.
Considering the failures stated, the Chair of the CNIL issued, on 26
January 2016, a formal notice to FACEBOOK Inc. and FACEBOOK Ireland to
comply within three months with the French Data Protection Act. The
formal notice was renewed once at the request of FACEBOOK.
Considering the unsatisfactory responses provided by both companies to
the formal notice, the Chair decided to appoint a rapporteur in order to
refer the matter to the Restricted Committee of the CNIL with a view to
deciding on a sanction.
Following a hearing on 23 March 2017, the Restricted Committee
has considered that FACEBOOK Inc. and FACEBOOK Ireland:
- Compile all the information they have on account holders to display
targeted advertising without having a legal basis. Although users have
means to control the display of targeted advertising, they do not
consent to the massive compilation of their data and cannot object to
this compilation when creating an account or
- Carry out unfair tracking of Internet users via the “datr” cookie. The
cookie banner and the mention of information collected “on and outside
Facebook” do not allow them to clearly understand that their data are
systematically collected as soon as they navigate on a third-party site
that includes a social plug-in. Therefore, the massive data collection
carried out via the “datr” cookie is unfair due to the lack of clear
and precise
Concerning other infringements, the Restricted Committee
considers that the companies:
- Do not provide direct information to Internet users concerning their
rights and the use that will be made of their data, in particular on
the registration form;
- Collect sensitive data of the users without obtaining their explicit
consent. Indeed, no specific information on the sensitive nature of the
data is provided to users when they complete their profiles with such
data;
- Do not allow users to validly object, by using their web browser
settings, to cookies placed on their terminal equipment;
- Do not demonstrate the need to retain the entirety of the IP addresses
of users throughout the life of their account.
As a result, the Restricted Committee has decided to pronounce a public
sanction of 150,000 euros against FACEBOOK INC and FACEBOOK IRELAND.
Considering the significant number of users in France (33 million), the
seriousness and the number of infringements (6 in total), the publicity
and amount of this sanction are justified.
The decision of the Restricted Committee follows the work carried out
with the data protection authorities of Belgium, Hamburg, Spain and the
Netherlands in a collaborative manner.