In a decision dated January 26, 2016, the French Data Protection Authority (CNIL) declared that the processing of personal data operated by Facebook Inc. and Facebook Ireland does not comply with French law and ordered said companies to take measures to comply accordingly. The CNIL clearly provided in its decision that each violation of French law would give rise to a formal notice as well as separate and cumulative penalties.
While this decision outlines the Facebook companies’ data processing practices (found to be illegal by the CNIL), the real change lies in the fact that the CNIL has, for the first time, declared itself competent to analyze and punish the processing of personal data operated by the Californian giant in accordance with French law, which the CNIL considered applicable to the facts at stake.
Until now, the CNIL had only sent simple letters to the Facebook companies. Indeed, the French Data Protection Authority took the view that to the extent that French law was not applicable, it could not impose any penalties if Facebook failed to respond or implement new measures. This situation has now changed.
By recognizing that French law applies to Facebook Inc. and Facebook Ireland, the CNIL endorses the recent <em>Google Spain</em> (C-131/12) and <em>Weltimmo</em> (C-230/14) decisions of the Court of Justice of the European Union, which significantly expanded the definition of “establishment”. That definition determines whether the rules and regulations of a Member State apply to data processing operated by a data controller located outside the European Economic Area (in accordance with Article 4 of Directive 95/46/EC and Article 5 of the French Data Protection Act n°78-17 dated January 6, 1978).
Accordingly, when a non-EU data controller has an “establishment” located in an EU Member State, the national law of said state would apply. Please note that an “establishment” does not necessarily comprise a registered company but any stable installation which, without directly processing data, intervenes within the scope of the data controller’s activities (by ensuring promotion and sale of advertising spaces, for instance).
The CNIL demonstrates, by applying the extension of the “establishment” standard and by declaring French law applicable to the case at hand, its intention to be positioned as a leader in the protection of personal data in Europe, in accordance with the European Commission’s strategy<a href="#_ftn1" name="_ftnref1">[1]</a> to hold the internet players located abroad liable.
This decision can be considered the first compelling action of a personal data protection authority against a Web giant. It is therefore likely that foreign companies carrying out data processing in France will soon also face investigations by the CNIL and possible penalties should said companies fail to comply with the obligations provided by French law.
Given that a company’s image will undoubtedly be harmed by those penalties, and in view of the cumulative nature of the fines incurred, data controllers who believed French law would not apply to their processing would now do well to think twice before setting up said data processing.
This is all the more true with the entry into force of the European regulation which provides that the regulatory authorities’ administrative fines may be calculated as a percentage of the data controller’s annual worldwide turnover (within a limit of 1,000,000 euros).
Companies’ compliance with EU law, and particularly French law, has now clearly become a priority.
<a href="#_ftnref1" name="_ftn1">[1]</a> Indeed, the future European regulation provides that EU law shall apply to processing of personal data relating to those persons whose domicile is located within the EU when the processing activities are linked to the (i) supply of goods or services, or (ii) observation of their behavior.