by Lauren Reynolds and Daniel Gauthier, who are focused on cybersecurity and privacy issues
In January 2016, the Commission Nationale de l’Informatique et des Libertés (CNIL), France’s data protection watchdog, notified Facebook that it was violating the French Data Protection Act and gave the social media giant three months to revise its data collection policies. Facebook provided “unsatisfactory responses,” and the CNIL referred the matter to a committee to determine an appropriate sanction.
The committee found Facebook unlawfully collects user data without explicit consent, provides insufficient notice to users regarding their rights and the use of the data, and provides an insufficient opt-out for cookies used on third-party websites. Facebook issued a statement in which they “respectfully disagree” with the findings. Facebook has argued that only the Irish data protection authority, not the French, have authority to issue sanctions because its European headquarters are in Dublin, Ireland.
Despite its arguments, the CNIL fined Facebook €150,000 last week. CNIL stated its action is part of a larger investigation by France, Belgium, Germany, the Netherlands and Spain.
This sanction is a warning shot to businesses that collect data in the European Union (EU). Many European countries have rigorous data protection laws which apply to businesses collecting data on their citizens, regardless of where the businesses are headquartered. This is particularly relevant to businesses which function primarily on the Internet.
The CNIL may now issue sanctions up to €3 million. Starting in 2018, a new EU data protection law authorizes fines up to four percent of total revenue for violation of the regulation. Businesses that collect online user data should implement clearly defined cyber procedures to avoid running afoul of the many applicable international data protection laws.