In a deliberation dated September 21, 2011, the Commission Nationale de l’Informatique et des Libertés (French Data Protection Authority, hereinafter the “CNIL”) issued a warning against the company LES PAGES JAUNES for having captured data contained in several profiles posted on social media websites, without of the knowledge of the data subjects.
In March 2010, LES PAGES JAUNES (France Telecom’s former subsidiary specialized in printed and online telephone directories) decided to add a “webcrawl” function to its website www.pagesjaunes.fr/pagesblanches. This function enabled to capture personal data contained in the profiles of web users who had opened an account on social media websites (Facebook, Copains d’avant, Viadéo, Linkedin, Twitter and Trombi) and to add such data to the search results provided by the directory. In total, almost 34 million profiles were captured through the “webcrawl” function of LES PAGES JAUNES’ website, some of which were profiles of minors or persons who had chosen not to include their phone number in the directory. Following complaints from individuals, the CNIL launched an investigation in June 2010. Waiting for the CNIL’s decision, the company decided to suspend the service in March 2011.
The captured data included not only the names and first names of the data subjects, but also their pseudonyms, photographs, the names of the schools they attended, the identity of their employer or else their geographical location.
The first issue was that the data subjects had not been informed in advance that their personal data were likely to be captured and put online on LES PAGES JAUNES’ website.
The question that consequently arose was whether it was up to LES PAGES JAUNES or to the relevant social media websites to inform the web users that the data contained in their public profiles were likely to be captured and subsequently used. LES PAGES JAUNES claimed that capturing such data was totally legal: since the web users themselves had chosen to disclose personal data on the social media websites and since they had full latitude to limit access to such data, they had in fact somehow accepted to have such data published on the Internet.
The CNIL dismissed the argument developed by LES PAGES JAUNES, considering that it was not because such data were public on the Internet that a third party was authorized to “massively, repetitively and indiscriminately collect such data without informing the data subjects”.
In addition, the company raised an exception to the rule claiming that the persons were already informed. Indeed, social media websites often use a general information clause on the use of information by search engines. However, and even though the general terms and conditions of use of some social media websites specify that personal data can be indexed by search engines, LES PAGES JAUNES cannot be considered as a search engine. Indeed, LES PAGES JAUNES’ business activity does not consist in implementing an application that enables to locate resources other than those registered in its databases. This is, for example, the case of Google that, as a search engine, can aggregate data available on the Internet and display non-protected profiles (without data subjects being always aware thereof!). On the other hand, this is definitively not the case of LES PAGES JAUNES that remains a telephone directories service provider.
As such, LES PAGES JAUNES was supposed to inform the data subjects before collecting their data and posting them on its website.
Right of opposition
Further, it was very difficult for data subjects to exercise their right of opposition. While it is true that the persons who did not want to appear on the directory listing could express their opposition, they could only do so a posteriori, by filling out a complicated form (indicating in particular the url address of the concerned profile) and sending an electronic copy of their ID card.
Web users had also to surmount a final difficulty: they had to fill out as many forms as there were profiles to be deleted.
The exercise of the right of opposition was not only long and burdensome but it could also be refused if any pieces of the required documentation had not been duly sent.
Obligation to update
More importantly, the update of profiles on social media websites was not effective on LES PAGES JAUNES’ directory listing. As underlined by the CNIL, “the modification or deletion of a profile on a social media website was not immediately reflected on the directory”.
The fact that the profiles were not automatically updated constitutes a real concern for the data subject’s right of correction. In practice, this means that the persons who had deleted their profile on Facebook could still see their photos published on LES PAGES JAUNES’s directory listing. According to the CNIL, 80% of the information captured from Facebook profiles had not been updated whereas a Facebook profile is usually modified many times a day. Similarly, during more than a year of service, the information captured from Twitter profiles and posted on LES PAGES JAUNES’s directory listing had not been updated.
The CNIL, therefore, held that the capture of personal data from social media websites was unfair and constituted a breach of the Law on Information Technology, Data Files and Civil Liberties. The persons’ rights enshrined in this Law had been violated on many aspects.
It consequently issued a public warning against LES PAGES JAUNES. Considering that almost 35 million data subjects, including minors, were victims of this practice, the “punitive” approach adopted by the CNIL seems too soft.
This case offers the opportunity to identify the progress that still needs to be made, both in respect of responsiveness to breaches of the Law on Information Technology, Data Files and Civil Liberties, and of the deterrent effect of the sanctions that the CNIL may impose.
In this situation, the operation of this “webcrawl” function during an entire year in clear violation of the data subjects’ rights has been highly prejudicial. We can easily imagine that an immediate and efficient sanction would have been more appropriate to preserve the rights of the data subjects and mitigate the adverse effects of the relevant “webcrawl” function.
In other words, the sanction imposed by the CNIL is insufficient. It merely issued a warning, several months after the website had been shutdown. Even if LES PAGES JAUNES has suspended the contentious service, it remains that such service has been operated for an entire year. Allegedly based on the circumstances of the case, i.e. the “the sensitive nature of the offered service” and “(the) number of persons affected by the contentious service”, it is absolutely not certain that the CNIL’s response matches up its ambitions in respect of personal data protection.
As a long-standing administrative authority, the CNIL was until recently only vested with the power to issue warnings to offending companies or to transmit a case to the public prosecution office. Yet, following the 2004 reform, it was granted a true power to impose sanctions, including financial penalties, on organizations that do not comply with their obligations. It could, therefore, have gone beyond the mere issuance of a warning.
In LES PAGES JAUNES case, LES PAGES JAUNES had interrupted the contentious service after a year of operation but several months before the CNIL’s decision. It may be the reason for the CNIL’s indulgence.