In Re FACEBOOK INTERNET TRACKING LITIGATION
Filing
146
STATEMENT OF RECENT DECISION pursuant to Civil Local Rule 7-3.d filed by Perrin Aikens Davis, Brian K. Lentz, Cynthia D. Quinn, Matthew J. Vickery. (Attachments: #1 Exhibit A, #2 Exhibit B, #3 Exhibit C)(Straite, David) (Filed on 5/16/2017)
Exhibit C
FACEBOOK sanctioned for several breaches of the French Data Protecti...
1 of 2
https://www.cnil.fr/en/facebook-sanctioned-several-breaches-french-data...
16 May 2017
The Restricted Committee of the CNIL imposed a sanction of 150,000 € against FACEBOOK INC and
FACEBOOK IRELAND.
Following FACEBOOK's statement regarding the amendment of its privacy policy in 2015, the CNIL performed on-site and
online inspections, as well as a documentary audit, in order to verify that FACEBOOK was acting in compliance with the
French Data Protection Act.
These actions are part of a European approach involving five data protection authorities (France, Belgium, the
Netherlands, Spain and Hamburg) that have also decided to carry out investigations of FACEBOOK.
The investigations conducted by the CNIL have revealed several failures. In particular, it has been observed that FACEBOOK
carried out a massive compilation of personal data of Internet users in order to display targeted advertising. It has also been
noticed that FACEBOOK collected data on the browsing activity of internet users on third-party websites, via the “datr” cookie,
without their knowledge.
Considering the failures stated, the Chair of the CNIL issued, on 26 January 2016, a formal notice to FACEBOOK Inc. and
FACEBOOK Ireland to comply within three months with the French Data Protection Act. The formal notice was renewed once
at the request of FACEBOOK.
Considering the unsatisfactory responses provided by both companies to the formal notice, the Chair decided to appoint a
rapporteur in order to refer the matter to the Restricted Committee of the CNIL with a view to deciding a sanction.
Following a hearing on 23 March 2017, the Restricted Committee has considered that FACEBOOK Inc. and FACEBOOK
Ireland:
Proceed to a compilation of all the information they have on account holders to display targeted advertising without having a legal basis. While users have means to control the display of targeted advertising, they do not consent to the massive compilation of their data and cannot object to this compilation when creating an account or a posteriori.
Proceed to an unfair tracking of internet users via the “datr” cookie. The cookie banner and the mention of information collected “on and outside Facebook” do not allow them to clearly understand that their data are systematically collected as soon as they navigate on a third-party site including a social plug-in. Therefore, the massive data collection carried out via the “datr” cookie is unfair due to the lack of clear and precise information.
Concerning other infringements, the Restricted Committee considers that the companies:
Do not provide direct information to internet users concerning their rights and the use that will be made of their data, in particular on the registration form;
Collect sensitive data of the users without obtaining their explicit consent. Indeed, no specific information on the sensitive nature of the data is provided to users when they complete their profiles with such data;
By using the web browser settings, do not allow users to validly object to cookies placed on their terminal equipment;
Do not demonstrate the need to retain the entirety of IP addresses of users all along the life of their account.
As a result the Restricted Committee has decided to pronounce a public sanction of 150,000 euros against FACEBOOK INC
and FACEBOOK IRELAND.
5/16/17, 2:31 PM
Considering the significant number of users in France (33 million), the seriousness and the number of infringements (in total
6), the publicity and amount of this sanction are justified.
The decision of the Restricted Committee follows the work carried out with the data protection authorities of Belgium,
Hamburg, Spain and the Netherlands in a collaborative manner. Several statements are shared even if the scope of the
procedures is different and the schedules are specific.