France’s Data Protection Authority, the CNIL, has issued a fine of 150,000 euros on Facebook Inc and Facebook Ireland in an enforcement programme coordinated with four other Data Protection Authorities. The regulator says the company is in breach of the Data Protection Act due to ‘a massive compilation of personal data of Internet users in order to display targeted advertising.’ It also says that Facebook collected data with the help of a cookie on the browsing activity of Internet users. The collection took place without the individuals’ knowledge on third-party websites.
In 26 January 2016, the CNIL issued a formal notice to Facebook Inc. and Facebook Ireland to comply within three months with France’s Data Protection Act. The CNIL says that it received unsatisfactory responses provided by both companies, and that the companies have the following failings:
- They do not provide direct information to Internet users concerning their rights and the use that will be made of their data, in particular on the registration form.
- They collect users’ sensitive data without obtaining their explicit consent.
- By using the web browser settings, they do not allow users to validly oppose cookies placed on their terminal equipment.
- They do not demonstrate the need to retain users’ IP addresses.
The decision stems from cooperation by five Data Protection Authorities in France, Belgium, Hamburg, Spain and the Netherlands. In Belgium, the Privacy Commission is seeking judicial enforcement of its recommendations before the Court of First Instance of Brussels. Oral pleadings are set to take place on 12-13 October 2017. The Netherlands’ DPA is currently assessing whether the violations have stopped, and may issue a fine. In Spain, two infringement procedures have been opened.
In Italy, the country’s antitrust body has imposed a 3-million euro fine on WhatsApp. According to Reuters, WhatsApp had shared users’ personal data with its parent company Facebook. The EU DPAs addressed this issue last year as they had doubts over the validity of users’ consent.
All 28 European Union data protection authorities asked Whatsapp last year to stop sharing users’ data with Facebook due to doubts over the validity of users’ consent.
The Italian agency said the application led users to believe they would not have been able to continue using the service unless they agreed to terms including sharing personal data. Whatsapp did not immediately respond to an email asking for comment on the fine. The amount is lower than the maximum 5 million euros the agency could have levied.
When the investigation was opened six months ago, at the same time as the EU request, a Whatsapp spokeswoman said the company was working with data protection authorities to address their questions, and was committed to respecting the law.