On February 8, 2016, the French Data Protection Authority (CNIL) publicly issued a formal notice to Facebook, following a joint investigation with four other EU regulators, asking the U.S. social network provider to comply with the French Data Protection Act within three months’ time. The notice (unofficial English translation available here) outlined several alleged violations of the law, including:
- collection of non-user data;
- collection of sensitive data (sexual orientation and political/religious views) without users’ “explicit consent” (i.e., a tick box);
- collection of “excessive” information to verify identities (e.g., requesting medical records when users replace their surname with that of a celebrity);
- failure to define and observe proportional data retention periods and failure to ensure data security (e.g., stronger password requirements);
- failure to obtain CNIL authorization for processing related to preventing fraud and banning users; and
- transfer of data to the U.S. under the invalidated U.S.-EU Safe Harbor framework (Safe Harbor), an allegation based on the company’s privacy statement.