Skip to main content

Facebook is still violating user privacy, Dutch and French regulators say

Facebook is still violating user privacy, Dutch and French regulators say

/

Social network fined $166,400 in France for failing to inform users of how their data is used

Share this story

Facebook stock image

Facebook has been fined €150,000 ($166,400) by France’s privacy watchdog for violating the country’s data protection rules. In a statement released Tuesday, the Commission Nationale de l’Informatique et des Libertés (CNIL) said Facebook has failed to properly inform users of how their personal data is tracked and shared with advertisers, though it stopped short of ordering the company to change its practices.

The CNIL’s decision is part of a broader European effort to evaluate changes to Facebook’s privacy policy that were implemented in 2014. The Dutch Data Protection Authority (DPA) also said Tuesday that the social network provides users with “insufficient information about the use of their personal data,” in violation of Dutch data protection law, and parallel investigations are underway in Germany and Spain. The DPA did not fine Facebook, but said in a statement that it “may decide to issue a sanction” if the violations continue.

Last year, the CNIL gave Facebook three months to stop tracking the online activity of non-users, and ordered the company to halt data transfers to the US after the trans-Atlantic Safe Harbor pact was invalidated amid privacy concerns. A new data transfer agreement, the EU-US Privacy Shield, went into effect in July 2016, though it may still face legal challenges.

“We take note of the CNIL’s decision with which we respectfully disagree.”

In its decision Tuesday, the CNIL said that Facebook has continued to “collect sensitive data of the users without obtaining their explicit consent,” and that it used cookies to track activity on third-party sites without providing “clear and precise information” to users. The watchdog also said the company did “not demonstrate the need” to retain user IP addresses “all along the life of their account.”

Facebook has argued that its privacy policies are in line with European law, and has previously said that it should be subject to rulings from Ireland’s data protection authority, since its European headquarters are in Dublin. The company has not said whether it will appeal the CNIL’s decision.

“We take note of the CNIL’s decision with which we respectfully disagree," a Facebook spokesperson said in an email statement. “At Facebook, putting people in control of their privacy is at the heart of everything we do. Over recent years, we've simplified our policies further to help people understand how we use information to make Facebook better.” 

The €150,000 fine handed down by the CNIL is the maximum that was allowed at the time its investigation began, though the watchdog can now issue fines of up to €3 million under a law passed last year. European regulations set to go into effect in 2018 will allow privacy regulators to fine companies up to 4 percent of their global turnover. Facebook earned $27.6 billion in revenue last year.