Facebook Faces Privacy Attack from French Regulators

Facebook just got a double hit from French regulation authorities. Both the Data Protection Authority (CNIL) and the Directorate-General for Competition, Consumer Affairs, and Prevention of Fraud (DGCCRF) recently publicly notified Facebook that it had failed to comply with French regulations.

According to the DGCCRF, Facebook’s terms and conditions contain abusive provisions considered illegal under French law. More specifically, Facebook’s discretionary power to delete content and to unilaterally modify its terms of use was targeted by the DGCCRF. The DGCCRF gave Facebook 60 days to modify its terms and conditions in order to comply with the applicable legislation. The incurred fines could go up to 10% of the annual turnover.

The CNIL, on the other hand, criticized the way in which Facebook collects and processes personal data and, more specifically, the way Facebook:

1. combines its users’ personal information without (according to the CNIL) any legal basis so that Facebook can offer targeted advertising;
2. collects sensitive data, such as political or religious views and sexual orientation;
3. is not transparent enough when it comes to the processing of personal data;
4. uses a “cookie” that enables the network to track the website pages visited by its users and even non-users when said pages contain a “like” button;
5. does not have a proper framework in place to transfer personal data to the U.S. following the invalidation of Safe Harbor.

Facebook now has three months to comply with data privacy regulations. If the CNIL decides to go before the civil tribunal for these violations, the fine could go up to €1.5 million.

TIP: These announcements are a reminder that French regulators are taking privacy representations and activities of foreign companies seriously.