Facebook fined €150,000 by France’s DPA and WhatsApp €3 million by Italy’s antitrust body
France’s Data Protection Authority, the CNIL, has today issued a fine of 150,000 euros on Facebook Inc and Facebook Ireland in an enforcement programme coordinated with four other Data Protection Authorities. The regulator says the company is in breach of the Data Protection Act due to ‘a massive compilation of personal data of Internet users in order to display targeted advertising.’ It also says that Facebook collected data with the help of a cookie on the browsing activity of Internet users. The collection took place without the individuals’ knowledge on third-party websites.
In 26 January 2016, the CNIL issued a formal notice to Facebook Inc. and Facebook Ireland to comply within three months with France’s Data Protection Act. The CNIL says that it received unsatisfactory responses provided by both companies, and that the companies have the following failings:
- They do not provide direct information to Internet users concerning their rights and the use that will be made of their data, in particular on the registration form.
- They collect users’ sensitive data without obtaining their explicit consent.
- By using the web browser settings, they do not allow users to validly oppose cookies placed on their terminal equipment.
- They do not demonstrate the need to retain users’ IP addresses.
The decision stems from cooperation by five Data Protection Authorities in France, Belgium, Hamburg, Spain and the Netherlands. In Belgium, the Privacy Commission is seeking judicial enforcement of its recommendations before the Court of First Instance of Brussels. Oral pleadings are set to take place on 12-13 October 2017. The Netherlands’ DPA is currently assessing whether the violations have stopped, and may issue a fine. In Spain, two infringement procedures have been opened.
In Italy, the country’s antitrust body has imposed a 3-million euro fine on WhatsApp. According to Reuters, WhatsApp had shared users’ personal data with its parent company Facebook. The EU DPAs addressed this issue last year as they had doubts over the validity of users' consent.
See the common statement on Facebook by the DPAs’ Contact Group of Netherlands, France, Spain, Hamburg and Belgium, published today.