Home / Publications / Official warning from the CNIL: Facebook's many breaches...

Official warning from the CNIL: Facebook's many breaches of the Data Protection Act

In a Decision 2016-007 dated 26 January 2016, the Chairman of the CNIL issued a formal notice to Facebook Inc. and Facebook Ireland Limited, requesting them to remedy to their numerous breaches of the French Data Protection Act of 6 January 1978.

The CNIL pointed out that, according to European case law (CJEU, 1 October 2015, C-230/14, Weltimmo; and CJEU, 13 May 2014, C-131/12, Costeja), the two companies are bound by the French Data Protection Act insofar as Facebook France must be considered an "establishment" of those two companies in the meaning of Directive 95/46/EC of 24 October 1995. The CNIL also said that the two companies are jointly liable insofar as they both determine why and how the data are processed.

It then went on to cite no fewer than nine breaches of the Data Protection Act committed by the two Facebook companies, concerning in particular:

  • the obligation to provide legal justification when combining data;
  • the principle of proportionality of the data collected;
  • the principle of the fairness of the collection and processing of personal data;
  • the obligation to determine a length of storage proportionate to the purpose of the processing;
  • the obligation to guarantee data security; and
  • the obligation to complete certain formalities prior to processing sensitive data.

The CNIL also accused the Facebook companies of failing in their duty to obtain consent from the owners of sensitive data (sexual, religious and political orientation).

It does not believe that the simple fact of users entering their sensitive data constitutes express consent in the meaning of Article 8 of the Data Protection Act. It adds that users must be able to give this consent by ticking a specific box, after having been told how this information will be used.

Likewise, the administrative body accuses the Facebook companies of having breached their duty to inform the people affected by its data processing. It points out that not only does the form for signing up to the social network not contain any information about personal data processing, but also that the companies do not inform users at the time of registration that cookies will be placed on their device. The CNIL views this as a violation of article 32 of the Data Protection Act.

Finally, the CNIL has identified a breach of the duty to have legal justification for the transfer of data to the U.S.A., pointing out that Safe Harbour no longer constitutes legal grounds for data transfers outside the European Union since it was invalidated on 6 October 2015 (CJEU, 6 October 2015, C-362/14, Schrems). It classifies this as a violation by the Facebook companies of article 68 of the Data Protection Act.

Facebook Inc. and Facebook Ireland Limited have been given three months from the date of the warning within which to comply with the Data Protection Act. They may be subject to imminent sanctions if the CNIL believes they have not made the necessary changes by this deadline.

At the same time, on 9 February 2016, the French Directorate-General for Competition, Consumer Affairs and Fraud (DGCCRF) gave Facebook Ireland and Facebook Payments International Ltd two months in which to delete or amend certain clauses in their Terms of Service that it believes are abusive. Just two weeks after these warnings, the election of forum clause contained in the Terms of Service granting jurisdiction to the courts of California was declared abusive by the Paris Court of Appeals, who ruled that the French courts have jurisdiction to hear any disputes between the social network and a French user (Paris Court of Appeals, 12 February 2016, no. 15/05624).

The year 2016 has not been off to a good start for Facebook.


Prudence Cadio