CNIL, France’s data protection authority, on Monday formally gave Facebook three months notice to comply with the French Data Protection Act.
A working group comprised of regulators from France, Belgium, the Netherlands, Spain, and the German province of Hamburg recommended the action.
On-site and online inspections, along with a documentary audit, disclosed that Facebook had failed to meet the requirements of the French Data Protection Act, CNIL said.
What Facebook Must Do
The notice gave Facebook a laundry list of things to do within the next 90 days, including the following:
- Stop compiling the data of French account holders for advertising purposes without a legal basis;
- Stop processing data that’s irrelevant, excessive or inadequate with respect to the purposes pursued, and stop asking account holders to prove their identity by providing medical records;
- Obtain the explicit consent of account holders, based on specific information, for the collection and processing of their sensitive data — including religious and political views and sexual orientation;
- Inform account holders on the sign-up form and profile pages about the processing of their personal data, why data is transferred outside the EU — and to whom, and the level of protection offered by third countries;
- Fairly collect and process data of non-account holders with regard to data collected using the “datr cookie” and the “like” button; and
- Inform Internet users and obtain their prior consent for placing cookies on their terminal.
“The Europeans take a tough stance, and it makes sense,” commented Laura DiDio, a research director at Strategy Analytics.
Today, in a world where everything’s interconnected, the question about who owns the data becomes very muddy,” she told TechNewsWorld.
Facebook is “using illegal means of collecting data and a data transfer mechanism which was invalidated by the European Court of Justice last fall,” DiDio pointed out. “I think it’s pretty nervy that they collect the browsing activity of anybody who surfs the Web, even if they don’t have a Facebook account — and I laugh at their response, which is always, ‘We are willing to work with the European authorities.'”
Facebook did not respond to our request to provide further details.
Facebook “will likely try some sort of delaying tactic, whether legal or procedural remains to be seen,” surmised Mike Jude, a program manager at Stratecast/Frost & Sullivan.
However, Facebook has to be able to target advertising to continue being a going concern, and this order “would pretty much shut down French operations,” Jude told TechNewsWorld. The procedural fixes “will require rearchitecting its service for the French market.”
Faced last year with a similar order from Belgium, Facebook responded by banning nonmembers in the country from accessing any pages on its website. That resulted in complaints of blackmail, so it’s unlikely Facebook will try that tactic again.
Forget about going to court, said Rob Enderle, principal analyst at the Enderle Group.
France has “a very fast legal system,” he told TechNewsWorld. “Penalties could be assessed and reach nosebleed levels very quickly, and appeals are very limited.”
The Napoleonic legal system doesn’t embrace the concept of fairness, Enderle said.
Further, the French “are likely to make an example of the company if it doesn’t comply,” he suggested. “This could include criminal indictments for Zuckerberg and his senior staff, and there’s an extradition treaty between France and the U.S. The French take this stuff really seriously.”
Fallout From France’s Actions
More investigations are being conducted into Facebook by the various EU regulatory authorities, and India just last week banned the company’s Free Basics service.
“The Internet is being Balkanized by competing regulatory regimes,” Frost’s Jude said. “As countries move to impose their own regulations on the Web, the overall freedom people enjoy there will ultimately disappear.”
Expect repercussions against Google, Amazon, Twitter, YouTube, “and every other company doing business online that uses consumer data to tailor services,” Jude cautioned. “This is definitely a slippery slope.”