The French data protection authority on Monday (8 February) gave Facebook three months to stop tracking non-users’ web activity without their consent and ordered the social network to stop transferring personal data to the United States.
The French order is the first significant action to be taken against a company transferring personal data to the United States following an EU court ruling last year that struck down an agreement that had been relied on by thousands of companies, including Facebook, to avoid cumbersome EU data transfer rules.
The transatlantic Safe Harbour pact was ruled illegal last year amid concerns over mass US government snooping, and EU data protection authorities said firms had three months to set up alternative legal arrangements for transferring data.
That deadline expired last week, meaning regulators can now start taking legal action against companies still relying on Safe Harbour for approval to transfer data.
“Facebook transfers personal data to the United States on the basis of Safe Harbour, although the Court of Justice of the European Union declared invalid such transfers in its ruling of October 6, 2015,” the French CNIL said in a statement.
The regulator said Facebook’s tracking of non-users through a cookie placed on their browser when they visit a Facebook page did not comply with French privacy law.
“Facebook collects, without prior information, data concerning the browsing activity of Internet users who do not have a Facebook account. Indeed, the company does not inform Internet users that it sets a cookie on their terminal when they visit a Facebook public page (e.g. page of a public event or of a friend). This cookie transmits to Facebook information relating to third-party websites offering Facebook plug-ins (e.g. Like button) that are visited by Internet users,” CNIL said.
“The social network collects data concerning the sexual orientation and the religious and political views without the explicit consent of account holders,” CNIL said.
Facebook has previously said that it does not use Safe Harbour as a means of moving data to the United States and has set up alternative legal structures to continue its transfers in line with EU law.
New agreement in the making
While the United States and the EU agreed a new pact last week to replace Safe Harbour, it is not yet operational, and European data protection authorities have said they need more time to decide if transatlantic data transfers should be restricted.
Facebook said it was confident that it complied with EU data protection law.
“Protecting the privacy of the people who use Facebook is at the heart of everything we do. We … look forward to engaging with the CNIL to respond to their concerns,” a spokeswoman said.
The US company was already forced to stop tracking non-users in Belgium last year after the Belgian regulator took it to court.
If Facebook does not comply within three months it could be fined, the regulator said.
The EU-US Safe Harbour agreement allowed over 4,000 companies to transfer personal data from their clients to the US, provided they guaranteed the data's security on American soil.
However, EU law now considers data privacy protections to be inadequate in the US. In October 2015, the European Court of Justice (ECJ) ruled Safe Harbour to be invalid on the grounds that government surveillance in the US threatens the privacy of EU citizens' data, and that there is no judicial redress for EU citizens whose data is accessed by American state surveillance agencies.
Since the ECJ decision, EU and US negotiators have sped up their talks to strike a new data transfer agreement. European data protection authorities from the 28 EU member states met after the ECJ decision, and asked the Commission to come up with a new deal by the end of January 2016.
On 2 February, the European Commission presented the new deal, rebranded as the 'EU-US privacy shield'. Under the agreement, which still needs to be finalised, US authorities would give binding assurances that access to data by the US administration will be subject to clear limitations, safeguards and oversight mechanisms. The White House would guarantee those safeguards in writing and an ombudsman would be designated to oversee privacy complaints from EU citizens.
- By the end of February: The European Commission is expected to share the written EU-US privacy shield agreement with national data protection authorities in the Article 29 Working Party.