France, Facebook, Harbor, Shield

FACEBOOK: A High Profile Crackdown

France's data protection authority, CNIL, has taken the first prominent enforcement action since Safe Harbor was struck down, issuing an injunction against Facebook. The action is notable for several reasons.

SAFE HARBOR was invalidated on October 6th, but companies were given until the end of January 2016 before any enforcement action would be taken. With that deadline now expired, this action marks the first significant enforcement measure and indicates that companies still operating under Safe Harbor are fair game.

CNIL claims Facebook has compliance violations regarding its privacy policy as well as data transfers. The Facebook privacy policy page for France still included language about use of Safe Harbor to transfer data. CNIL also alleges that Facebook uses cookies to track the internet activity of non-Facebook users without consent.

The EU-U.S. PRIVACY SHIELD, hoped to be a solid replacement for Safe Harbor, is by no means finalized. Critics point out that the agreement is merely an “agreement to agree”, buying time to develop an actual policy. The Privacy Shield is due for close scrutiny by EU officials, who plan to publish an analysis by April 2016.

The action by France's CNIL against Facebook seems indicative of expectations about the viability of the Privacy Shield. It also highlights the fact that there is no official, extended grace period for data transfers, even though the Privacy Shield is nowhere near finalized. The CNIL continues to recommend the use of alternative legal frameworks, such as EU Model Clauses or Binding Corporate Rules.

Another very significant development is the Bill for the Digital Republic, already passed by the French National Assembly on January 26th at its first reading, and now before the Senate. The Bill will bestow some serious sanctioning power on the CNIL.

This Bill would adopt several provisions of the General Data Protection Regulation (“GDPR”) well in advance of 2018, when the GDPR will come into force.

The GDPR is the new, sweeping legislation that establishes one unified set of regulations for all of Europe, replacing the individual data protection directives in each country. It has been 4 years in the making, and will profoundly affect business around the globe.

The Bill for the Digital Republic amends current French law to align with specific provisions of the GDPR. In particular, it empowers CNIL to impose fines for privacy violations in the same amounts as the GDPR will allow. They are very large amounts.

For lesser infractions the penalty is 2% of gross revenue or 10 million euros (about 11 million dollars), whichever is greater. More serious violations can see a penalty of twice that: 4% of gross revenue or 20 million euros (22 million dollars), whichever is greater.

One final point of interest: the Bill for the Digital Republic is France's first Open Bill, co-constructed through an open consultation.

First, a six-month online consultation phase helped select the main topics to be covered by the text. The government then developed a draft bill, hosted on a dedicated platform, allowing any user to amend the government’s text, show support for an article or a revision, and engage in an open discussion with other citizens. By the end of the process, 21,130 contributors had registered and 150,000 votes had been cast on the 8,500 amendments, proposals and arguments.

It's part of the Open Government Partnership, and you can read more about it here: www.opengovpartnership.org...digital-republic-bill-frances-first-open-bill