Facebook ordered by France to stop tracking non-users

9 Feb 2016

France has ordered Facebook to stop tracking and collecting data on non-users.

In what could be the first test of the EU-US Privacy Shield to replace Safe Harbour, the French data protection authority has given Facebook explicit instructions to stop tracking non-users’ web activity and to stop some transfers of personal data to the US.

The Commission Nationale de l’Informatique et des Libertés (CNIL) has given Facebook three months to comply.

CNIL alleges Facebook tracks browsing activity after people visit a publicly viewable page on the social network site even if they don’t have an account.

It says Facebook then sets cookies that relay more information when these users go to sites that have Facebook plugins.

CNIL says it took part in an investigation that also involved the data protection authorities of Belgium, The Netherlands, Spain and Germany.

‘If Facebook Inc and Facebook Ireland Limited have not complied with the formal notice within the time limit, the chair shall appoint a ‘rapporteur’ who might refer the matter to the CNIL’s Select Committee with a view to deciding a sanction’

It says it performed onsite and online inspections as well as a documentary audit to verify if Facebook was acting in compliance with the French Data Protection Act.

The French data protection authority says that it uncovered several failures, including collection of data concerning the browsing activity of non-Facebook users who visit public Facebook pages.

CNIL said that the social network collects data concerning the sexual orientation, religious and political views of users without their explicit consent.

It also says Facebook sets cookies for advertising reasons without the consent of internet users.

CNIL also alleges Facebook transfers the personal data to the US on the basis of Safe Harbour even though the European Union’s Court of Justice declared such transfers invalid on 6 October 2015.

“The chair of the French data protection authority, therefore, issued formal notice to Facebook Inc and Facebook Ireland Limited to comply within three months with the French Data Protection Act,” CNIL stated.

Facebook has more than 30m users in France.

“This notice is not a sanction and the procedure will be publicly closed if the companies comply with the French Data Protection Act within the time limit.

“On the contrary, if Facebook Inc and Facebook Ireland Limited have not complied with the formal notice within the time limit, the chair shall appoint a ‘rapporteur’ who might refer the matter to the CNIL’s Select Committee with a view to deciding a sanction,” CNIL said.

According to Reuters, Facebook has maintained that it is operating within the law.

“Protecting the privacy of the people who use Facebook is at the heart of everything we do. We … look forward to engaging with the CNIL to respond to their concerns,” a spokeswoman for the company said.

The first test for Privacy Shield

Last Tuesday (2 February), it was decided that Safe Harbour is to be replaced by the EU-US Privacy Shield after the EU and the US finally reached a deal to facilitate the transmission of data from the EU to the US while protecting European citizens’ private data from mass surveillance.

The agreement – which more than 4,000 US technology companies were waiting on in order to be able to transfer personal data across the Atlantic – covers everything from email to social media and personal photos.

The previous Safe Harbour agreement was scrapped by the EU after a longstanding case by activist Max Schrems, which was given fresh impetus by revelations by Edward Snowden that the NSA was spying on Europeans’ private communications.

The new Privacy Shield provides a framework on data flows between the EU and US.

Under the new agreement, the EU-US Privacy Shield will place strong obligations on companies handling Europeans’ personal data, with robust enforcement. Any company handling human resources data from Europe, for example, has to commit to complying with decisions by European data protection authorities (DPAs).

Any citizen who considers their data has been misused under the new arrangement will have several redress possibilities and a new ombudsman is to be created to handle complaints.

Eiffel Tower image via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years