CNIL, the French data protection authority, on Monday cracked down on Facebook, giving it three months to stop tracking non-users’ web activity without their consent.
It also ordered Facebook to stop some transfers of European citizens’ personal data to the US on the basis of the transatlantic Safe Harbor agreement, which the European Union’s highest court declared invalid in October.
When the EU struck down Safe Harbor, it gave companies three months to set up alternative ways to transfer data.
That deadline expired last week.
The CNIL’s order, posted here, marks the first significant action to be taken against a company transferring Europeans’ data to the US since Safe Harbor was struck down.
Safe Harbor had served as a way for thousands of companies – including Apple, Facebook and Twitter – to tunnel through Europe’s much stricter privacy rules and get data out and over to the US.
European countries started to look askance at that agreement once Edward Snowden began revealing how European data stored in the US wasn’t safe from a level of government surveillance that sent shivers down the spines of European lawmakers.
Facebook told news outlets that it’s now reviewing the French data privacy regulator’s order but that all is hunky dory with its compliance.
We are confident that we comply with European Data Protection law and look forward to engaging with the CNIL to respond to their concerns.
As far as the Safe Harbor data transfers go, Facebook said that it’s not, in fact, using Safe Harbor, reiterating what it repeatedly said last year: that it uses other legal contracts to transfer data to the US:
Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor.
With regard to CNIL’s order to stop tracking non-users, that action mirrors a lawsuit brought against Facebook last year in Belgium.
In November, the Belgian data protection authority told Facebook to stop tracking non-Facebook users or face stiff fines of up to €250,000 ($267,000) a day.
Facebook had been using a cookie – called “datr” – that visitors pick up if they visit a friend’s page on Facebook or any other page on the web with Facebook “like” or “share” code, all without the visitor having ever signed up for a Facebook account.
The datr cookie sticks around on a given device for up to two years, enabling Facebook to keep track of people and what they’ve looked at on the web.
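The tracking pattern described above, a long-lived cookie set by a widget host while the visitor is on some other site, is the kind of thing a privacy audit can flag automatically. Below is an added example, not code from the article or from Facebook: it scans constructed Set-Cookie headers captured while rendering a page and reports third-party cookies whose lifetime exceeds a threshold, with a sample modelled on datr’s two-year lifetime; the `registrable_domain` helper and the 30-day threshold are simplifying assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample (not real captured traffic): responses received while a
# browser renders a page on example.com that embeds a social "like" widget.
# Each entry is (URL of the resource that answered, its Set-Cookie header).
SAMPLE_RESPONSES = [
    ("https://www.facebook.com/plugins/like.php?href=https://www.example.com/blog/post",
     "datr=abc123; Max-Age=63072000; Path=/; Domain=.facebook.com; Secure; HttpOnly"),
    ("https://www.example.com/session",
     "sid=xyz789; Path=/; Secure; HttpOnly"),
]

def registrable_domain(host):
    """Crude eTLD+1 (last two labels). An assumption made for this example;
    production code should consult the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def lifetime_seconds(morsel, now=None):
    """Seconds the cookie persists on the device; 0 means a session cookie."""
    if morsel["max-age"]:
        return int(morsel["max-age"])          # Max-Age takes precedence over Expires
    if morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        if expires.tzinfo is None:             # naive timestamps are treated as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        now = now or datetime.now(timezone.utc)
        return max(0, int((expires - now).total_seconds()))
    return 0

def audit_third_party_cookies(page_url, responses, min_days=30):
    """Return (cookie name, setting domain, lifetime in days) for every cookie
    set by a domain other than the visited site's that outlives min_days."""
    site = registrable_domain(urlsplit(page_url).hostname)
    findings = []
    for resource_url, header in responses:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            setter = registrable_domain(morsel["domain"] or urlsplit(resource_url).hostname)
            if setter == site:
                continue                       # first-party cookie: out of scope here
            days = lifetime_seconds(morsel) // 86400
            if days >= min_days:
                findings.append((name, setter, days))
    return findings

if __name__ == "__main__":
    for name, setter, days in audit_third_party_cookies("https://www.example.com/blog/post", SAMPLE_RESPONSES):
        print(f"third-party cookie {name!r} from {setter} persists about {days} days")
```

Running the sample reports only `datr` (730 days, set by facebook.com); the site’s own session cookie is skipped as first-party and would in any case have a lifetime of 0.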
Facebook claimed at the time that its cookies were keeping Belgians safe and keeping the country from becoming “a cradle for cyber terrorism.”
But as of December, Facebook had complied with Belgium’s order: it started blocking Belgians if they hadn’t signed in.
That meant that Belgians who didn’t have a Facebook account were thereafter unable to view Belgian Facebook pages at all, even public profiles such as those for local businesses.
Now, it’s France’s turn to tell Facebook to knock it off with tracking non-users.
CNIL on Monday said in its notice that Facebook fails to properly inform, or to obtain consent from, users when setting cookies used for advertising or for collecting data about users’ browsing habits when they visit third-party websites.
In addition, the French data privacy regulator said that Facebook collects data about people’s sexual orientation, along with their religious and political views, without account holders’ explicit consent.
CNIL also faulted Facebook for failing to inform users about their rights and the processing of their personal data on its account sign-up form.
CNIL said that it was making the order public “due to the seriousness of the violations” and the number of people affected: Facebook has more than 30 million users in France, it said.
If Facebook hasn’t complied within the three-month period granted by the CNIL, the social network could be sanctioned.