Facebook hit with maximum fine for breaking French privacy law

The French data protection watchdog has imposed its harshest penalty on Facebook for six breaches of French privacy law.

The breaches include tracking users across websites other than Facebook.com without their knowledge, and compiling a massive database of personal information in order to target advertising.

The French National Commission on Computing and Liberty (CNIL) began its investigation of Facebook and its European subsidiary, Facebook ireland, after the company made changes to its terms and conditions outlining the practices in January 2015.

CNIL wasn't the only organization concerned by Facebook's changes: data protection authorities in Belgium, the Netherlands, Spain and Hamburg, Germany also began investigations around the same time.

After a year's digging, including visits to Facebook offices, CNIL sent the company a formal notice giving it three months to comply with the French Data Protection Act. Facebook asked for, and was granted, an extension, in order to respond.

Facebook's response, when it eventually came, did not satisfy CNIL, which has now decided to impose a fine -- the largest it can under French law -- of €150,000 (US$166,000).

That might be enough to persuade smaller businesses to change their behavior, but for Facebook it's just 25 minutes' profit, based on last year's financial results.

In future, though, similar infringements could result in much stiffer penalties. Today, businesses operating across the European Union must deal with privacy laws on a country-by-country basis, answering to each of the national regulators, few of which are able to impose dissuasive fines.

From May 25, 2018, though, the General Data Protection Regulation (GDPR) will introduce a single set of privacy rules across the EU's 28 member states, and raise the fines to €20 million ($22 million) or 4 percent of worldwide revenue.

Companies wishing to avoid the same fate should avoid the faux pas for which Facebook was fined:

- Combining all the information it has on account holders to display targeted advertising without a legal justification for the process: While users may control the display of targeted advertising, they cannot opt out of the data collection and combination behind it, CNIL noted;
- Tracking internet users via the “datr,” cookie planted by third-party sites using a Facebook plug-in, without giving clear and precise information about the tracking;
- Not providing clear information to internet users signing up for the service about their rights and the use that will be made of their data;
- Collecting sensitive personal information without explicit consent;
- Preventing users from blocking the storage of cookies on their phones and computers, and
- Storing, without good reason, all the IP addresses from which users have ever accessed their account.