Three EU countries – Belgium, France, and the Netherlands – have determined that Facebook is breaking their privacy laws, while Germany and Spain are still investigating the US company. The news was announced in a joint statement from the Contact Group of the data protection authorities (DPAs) of the Belgium, France, the Netherlands, Spain, and the German city of Hamburg. As a result, the French authorities have imposed a fine of €150,000 (about $166,000) on Facebook. The move comes hard on the heels of a €3 million fine (around $3.3 million) imposed by Italy on Facebook’s subsidiary WhatsApp last week over its handling of customer data.
According to France’s CNIL data protection authority:
“the Facebook group does not have a legal basis to combine of all the information it has on account holders to display targeted advertising. It also finds that the Facebook group engages in unlawful tracking, via the datr cookie, of internet users”
CNIL says that Facebook does not make it clear enough that the personal data of its users may be collected when they visit a third-party Web site that includes a social media plug-in. In a similar vein, the Belgian Privacy Commission considers that:
“Facebook continues to act in non-compliance with both Belgian and EU data protection law as regards the tracking of both users and non-users of Facebook through cookies, social plug-ins and pixels.”
The Belgian Privacy Commission says that the country’s legal requirements regarding consent, fairness, transparency and proportionality are not met, and that it is seeking judicial enforcement of its recommendations.
For its part, the Dutch DPA claims that Facebook breaches data protection law in the Netherlands by giving users insufficient information about the use of their personal data. Earlier this year it published a report about its investigation into the processing of personal data by the Facebook group, in which it listed no less than seven ways it said the US social network was breaking privacy laws.
Meanwhile, Spain has opened what it calls “infringement procedures” to investigate whether Facebook broke privacy laws in the country. In Germany, Hamburg’s Commissioner for Data Protection and Freedom of Information won an important victory against the company last month when his order to Facebook to stop collecting data from its new subsidiary WhatsApp was upheld by the courts.
Along with these individual actions, the Contact Group of the data protection authorities also noted the following:
“the DPAs united in the Contact Group conclude that their respective national data protection law applies to the processing of personal data of users and non-users by the Facebook Group in their respective countries and that each DPA has competence.”
This requirement to obey data protection laws in every EU country where it operates is something that Facebook has been fighting hard. In a statement released in response to the CNIL fine, Facebook emphasised that it believed it only needed to comply with Irish laws, since that is where its European headquarters are located:
“At Facebook, putting people in control of their privacy is at the heart of everything we do. Over recent years, we’ve simplified our policies further to help people understand how we use information to make Facebook better. We’ve built teams of people who focus on the protection of privacy – from engineers to designers – and tools that give people choice and control.
We take note of the CNIL’s decision with which we respectfully disagree. We value the opportunities we’ve had to engage with the CNIL and reinforce how seriously we take the privacy of people who use Facebook.
Facebook has long complied with EU data protection law through our establishment in Ireland. We remain open to continuing to work on these issues with the CNIL, as we prepare for the EU’s new data protection regulations in 2018.”
The EU’s “new data protection regulations” mentioned there refer to the General Data Protection Regulation (GDPR), which will come into force next May. As well as imposing more stringent requirements on companies that process the personal data of EU citizens, wherever those companies may be based, the other significant change is the size of the penalty that can be imposed if a company is found in breach. The maximum fine from next year will be 4% of annual global turnover or €20 million ($22 million), whichever is greater.
Last year, Facebook’s global turnover was $27.6 billion. Potentially, then, Facebook could face fines of up to $1.1 billion. That’s no empty threat: the EU has just fined Facebook €110 million (around $122 million) for providing misleading information over its purchase of WhatsApp; back in 2008, it imposed a $1.35 billion fine on Microsoft.
That’s a reminder that even though Facebook is a US company, it will need to ensure that it is fully compliant with EU privacy laws if it wants to avoid adding to its other problems in the region. Moreover, the same will apply to all the US Internet giants, as online privacy and data protection continue to gain in importance around the world.
Featured image by Facebook.