Published 3 March 2016
By its Decision No. 2016-007 of 26 January 2016, the French Data Protection Authority (the CNIL) has publicly ordered Facebook Inc. and Facebook Ireland Limited, considered as joint controllers (Facebook), to correct a number of breaches of Law No. 78-17 (6 January 1978) on Information Technology, Data Files and Civil Liberties (the Act). Such breaches shall be remedied within 3 months of the notification of the CNIL’s decision.
According to the CNIL, the following practices of Facebook constitute a breach of the Act:
After noting that Facebook interconnects various user data for advertising purposes, the CNIL points out that such data processing must have a valid legal basis under the Act: in particular, it must have received the consent of the data subject or fulfil one of the limited exceptions contained under Article 7.
The exceptions considered by the CNIL in the present case are: (i) the execution of a contract to which the data subject is a party; and (ii) the legitimate interests of the data controller. According to the CNIL, Facebook is in breach of Article 7 of the Act because:
Sometimes, in order to prove the identity of the users, Facebook can require them to submit a number of documents, including medical records. According to the CNIL, in order to be compliant with some of the provisions of Article 6 of the Act, Facebook shall only accept documents which are adequate, relevant and not excessive with respect to this purpose (which is not the case for medical records as other less sensitive documents can be used instead).
Facebook users can specify a number of details categorised as sensitive data on their personal page (e.g. political and religious beliefs and sexual orientation). The CNIL considered that such specifications by the data subject are insufficient to be considered as an “explicit consent” to the processing of sensitive data. Instead the users need to be fully informed of the use of such data. Explicit consent could be obtained by ticking a box, for example.
The CNIL considers Facebook to be in breach of the following articles of the Act:
The CNIL considered Facebook to be in breach of Article 32 because:
The CNIL considered Facebook to be in breach of Article 34 because Facebook requires its users to set a password containing a minimum of 6 characters (including only letters and numbers) whereas it should require a password containing at least 8 characters of 3 different types (including upper-case and lower-case letters, numbers and special characters) in order to fulfil its data security related obligations under the Act.
The CNIL considered Facebook to be in breach of Article 32 (provision of information related to data controller’s identity, the purposes of the data processing and the rights of the data subjects) because this information is not provided to users at the moment of their registration on Facebook and is not included in the data collection form.
Additionally, the CNIL has warned Facebook that it should not:
Facebook has to remedy the aforementioned breaches of the Act before 26 April 2016.
If Facebook fails to remedy the breaches, a fine of up to EUR 150,000 can be pronounced by the CNIL. Where the breaches are ones subject to criminal sanctions (e.g. processing of personal data without an express consent, not respecting the appropriate security measures, or processing personal data without the appropriate declarative formalities) Facebook could be subject to court proceedings and face criminal sanctions of up to EUR 1,500,000.
To view the decision of the CNIL, please click here (French).
Article submitted by Thierry Dor (Partner) and Dane Rimsevica (Associate) of the IP/TMT department of Gide Loyrette Nouel – Paris, France.
This is one of the most important and informative decisions recently given by the CNIL.
One of the first points to take away from this decision is the CNIL’s explicit recognition of “joint controllers”, a concept contained in the 95 Directive that has not been transposed into the Act.
With respect to the various breaches identified by the CNIL, the main elements that organisations with a presence in France should focus their attention on are: