Science

French privacy regulator vows to crack down on Facebook data collecting

The French data protection authority on Monday gave Facebook three months to stop tracking non-users' web activity without their consent, and ordered the social network to stop some transfers of personal data to the U.S.

Social media site has 3 months to stop tracking web activity, transferring personal data to the U.S.

A court ruling by the European Union last year struck down an agreement that had been relied on by thousands of companies, including Facebook, to avoid cumbersome EU data transfer rules. (Loic Venance/AFP/Getty Images)

The French data protection authority on Monday gave Facebook three months to stop tracking non-users' web activity without their consent and ordered the social network to stop some transfers of personal data to the U.S.

The French order is the first significant action to be taken against a company transferring Europeans' data to the United States following an EU court ruling last year that struck down an agreement that had been relied on by thousands of companies, including Facebook, to avoid cumbersome EU data transfer rules.

The transatlantic Safe Harbour pact was ruled illegal last year amid concerns over mass U.S. government snooping, and EU data protection authorities said firms had three months to set up alternative legal arrangements for transferring data.

That deadline expired last week, meaning regulators can now start taking legal action against companies still relying on Safe Harbour for approval to transfer data.

"Facebook transfers personal data to the United States on the basis of Safe Harbour, although the Court of Justice of the European Union declared invalid such transfers in its ruling of October 6, 2015," the Commission nationale de l'informatique et des libertés, an independent French data protection authority, said in a statement.

Facebook was forced to stop tracking non-users in Belgium last year after the country's regulator took the U.S. company to court. (Dado Ruvic/Reuters)

Facebook has previously said that it does not use Safe Harbour as a means of moving data to the U.S. and has set up alternative legal structures to continue its transfers in line with EU law.

While the U.S. and the EU agreed on a new pact last week to replace Safe Harbour, it is not yet operational and European data protection authorities have said they need more time to decide whether transatlantic data transfers should be restricted.

Facebook said it was confident that it complied with EU data protection law.

"Protecting the privacy of the people who use Facebook is at the heart of everything we do. We ... look forward to engaging with the CNIL to respond to their concerns," a spokeswoman said.

Facebook collecting cookies

The CNIL said Facebook's tracking of non-users by placing a cookie on their browser without informing them when they visit a Facebook page did not comply with French privacy law.

It also said Facebook uses cookies that collect information then used for advertising without Internet users' consent, and said Facebook users should have the option of preventing the social network from profiling them in order to serve them personalised ads.

The U.S. company was already forced to stop tracking non-users in Belgium last year after the Belgian regulator took it to court.

Facebook's changes to its privacy policy prompted the French, Dutch, Belgian, Spanish and German authorities to begin investigations to find out more about the social media giant's practices.

If Facebook does not comply within three months it could be fined, the regulator said.