Robin B. Campbell

On February 8, 2016, the French Data Protection Authority (CNIL) publicly issued a formal notice to Facebook, following a joint investigation with four other EU regulators, asking the U.S. social network provider to comply with the French Data Protection Act within three months’ time. The notice (unofficial English translation available here), outlined several alleged violations of the law, including:

  1. collection of non-user data;
  2. collection of sensitive data (sexual orientation and political/religious views) without users’ “explicit consent” (i.e., a tick box);
  3. collection of “excessive” information to verify identities (e.g., requesting medical records when users replace their surname with that of a celebrity);
  4. use of cookies without notice or consent;
  5. failure to define and observe proportional data retention periods and failure to ensure data security (e.g., stronger password requirements);
  6. failure to obtain CNIL authorization for processing related to preventing fraud and banning users; and
  7. transfer of data to the U.S. under the invalidated U.S.-EU Safe Harbor (Safe Harbor) (alleged based on the company’s privacy statement).

Although the order relates to several alleged violations, the one which caught the attention of Europeans and U.S. media is the alleged violation related to continued reliance on Safe Harbor to validate data transfers from the European Union (EU) to the U.S. While many U.S. companies who relied on Safe Harbor before its invalidation left Safe Harbor compliance statements in their public privacy statements, this formal notice from the CNIL raises the question: should all U.S. companies race to remove their Safe Harbor affirmative statements from their privacy statements or face potential enforcement action?

In its allegation that Facebook continued use of Safe Harbor after its invalidation, the CNIL sited only the fact that Facebook retained a Safe Harbor affirmative statement in its privacy statement after the Safe Harbor invalidation (i.e., “Facebook, Inc. complies with the [Safe Harbor framework]” and, “Standard Contractual Clauses and the Safe Harbor program . . . are amongst the means by which Facebook Ireland ensures such exports are [lawful and adequate].”). The CNIL has announced possible sanctions according to Article 45 of the French Data Protection Act if Facebook fails to comply with its order to remedy the alleged violations within three months.

Given this allegation, now may be the time to remove references to Safe Harbor – and of course ensure that the company has an alternative data transfer mechanism in place. Otherwise, companies may be hit with EU data protection authority investigations or enforcement actions based on privacy statements that mention Safe Harbor, regardless of whether the company has technically stopped relying on Safe Harbor and moved to the alternative transfer mechanisms (such as EU approved model clauses).

Companies that transfer data from the EU to the U.S. should continue to follow the enforcement activities already announced by some EU data protection authorities in the aftermath of the announcement of the Privacy Shield and review the press statement of the data protection authorities’ Article 29 Working Party with regard to the validity of other transfer mechanisms.