FRANCE: Facebook could face a 100 million euros class action suit for violating GDPR

On 8 November 2018, French NGO Internet Society France sent Facebook a formal notice listing seven areas where it has allegedly infringed GDPR. The social network has 4 months to respond. Failing that, the Internet Society France could launch the first class action suit for compensation since the entry into application of GDPR.

The French Chapter of the Internet Society, a global organization that notably defends the rights of Internet users, formally requested that Facebook explain seven failures to comply with GDPR. The notice is addressed to both Facebook France, Facebook Ireland Ltd. and Facebook Inc., acting respectively as controllers or joint controllers, and concern the social networks Facebook, Instagram and Whatsapp.


  1. The legal basis of Internet Society France action

This action is based on Article 43 ter of the French Data Protection Act, according to which, when several individuals who are in a similar situation suffer a loss resulting from a violation of GDPR or the French data protection law committed by a data controller or a data processor, a class action may be filed before a civil or administrative court having jurisdiction.

Such class action may only be brought by certain categories of organizations, including associations that have been duly registered for at least 5 years and whose statutory purpose is the protection of privacy and personal data, which is the case of the Internet Society France.

For additional information on the data protection class action in France, you can read our previous post here.

It is the first time that article 43 ter is used as a basis to launch a judicial class action for compensation. In this respect, it must be recalled that before the adoption of the new French data protection law in June 2018, data protection class actions could only seek injunctive relief; the class action could not be used to claim damages. However, since June 20, class action litigants are entitled to both seek injunctive relief and claim compensation for their material and moral losses, in accordance with GDPR (see our previous article here).


  1. Seven grievances: recurring violations of freedoms and privacy

The Internet Society France reproached Facebook for:

  • Failing to comply with its obligation to ensure the security of the personal data of its users, in relation with the breach of personal data that has impacted Facebook services in September 2018;
  • Failing to communicate the breach of personal data to the data subjects, notably for not having communicated the breach individually, using the contact details (email address and mobile phone number) provided by its users;
  • Failing to comply with the prohibition to process special categories of personal data, notably data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or concerning a person’s sex life or sexual orientation, without the data subject’s consent or any other acceptable legal basis;
  • Failing to comply with the notice, consent and legal basis requirements when installing DATR cookies or other tracking cookies and collecting personal data in a massive way;
  • Limiting its liability with respect to the processing of personal data in its terms of use;
  • Combining personal data of Whatsapp and Facebook users without their free, specific and informed consent and without an appropriate legal basis; and
  • Not providing users with a mechanism to exercise their right of objection to the processing of personal data.


  1. The Internet Society France’s demands

The NGO enjoins Facebook, within 4 months, to:

  • Secure its services against personal data breaches in order to ensure a level of security appropriate to the risks and in line with the state of the art;
  • Communicate effectively the breach of personal data to the data subjects, notably by sending an individual notice using the contact details provided by the users;
  • Cease any processing of special categories of personal data that is not justified by the data subject’s consent or another appropriate legal basis;
  • Properly inform data subjects about the processing relating to the DATR cookie or other tracking cookies, and cease combining Internet users, registered or not, connected or not, to the Facebook services, for advertising purposes without the users’ specific, free, informed and unambiguous consent;
  • Remove any liability limitation clauses from its terms of use;
  • Obtain the specific, free, informed and unambiguous consent of Whatsapp and Facebook users for combining their data;
  • Implement an effective tool allowing data subjects to exercise their right to object.

The Internet Society France also demands that the Internet giant compensate each data subject impacted by these violations by paying EUR 1000 per grievance, unless it can legally explain or justify them.


  1. What does Facebook risk?

If Facebook fails to respond within the allocated timeframe, the Internet Society France will file a judicial class action with the Paris High Court (tribunal de grande instance).

The NGO considers that “the grievances — if not refuted by Facebook — could represent damages that could be compensated by up to 1,000 euros per person. So if 100,000 people join this lawsuit, 100 million euros will be demanded of Facebook. In Europe, Facebook alone had 278 million users in the third quarter of 2018. The Internet Society France, French chapter of an international NGO that federates Internet users from more than 100 countries, believes that it is the opportunity to ensure that a European civil society voice be heard”.

If it moves forward, this action could indeed be the opportunity to send a strong signal to the international community that the protection of personal data matters to people and that they are ready to take control of their data, as promoted by the European legislator.

We will of course give you an update in 4 months!

For more information, please contact Denise Lebeau-Marianna or Caroline Chancé.