The French data protection authority has ordered Facebook to stop some transfers of personal data of its users to the U.S. and to change the way it handles the data of users and non-users visiting its website.
The order by the Commission Nationale de l’Informatique et des Libertés (CNIL), released late Monday, invokes an order in October last year by the Court of Justice of the European Union, which declared invalid a "safe harbor" agreement governing personal data transfers between the European Union and the U.S., as the data was not protected from spying by U.S. agencies.
The U.S. and the EU this month agreed on a new arrangement, called the EU-US Privacy Shield, that aims to replace the safe harbor. But it is not yet in operation as data protection authorities in various European countries have to first assess whether it adequately protects personal data.
CNIL points to Facebook's data policy, which states that it "complies with US-EU and US-Swiss Safe Harbor framework for the collection, use and retention of information from the European Union and Switzerland, as set out by the Department of Commerce."
Facebook's problems are, however, not limited to the safe harbor. Its data collection practices, including its planting of cookies on non-account holders visiting its site, have also come under scrutiny by the CNIL.
CNIL has, for example, asked Facebook to cease compiling data of account holders for advertising purposes without a legal basis. It said that compiling data does not constitute the primary object of the contract entered into by Internet users when they sign up to the website, according to the order, which is dated Jan. 26.
The data compilation is by its nature, scale and the bulk involved likely to be incompatible with the interests and fundamental privacy rights of account holders, CNIL chairwoman Isabelle Falque-Pierrotin wrote in the decision.
The company was ordered by the Belgian Privacy Commission last year to stop using a special cookie called 'datr' that it claims helps it distinguish between legitimate and illegitimate visits to its website. Technical experts assisting the Belgian Privacy Commission found that when a user not signed on to Facebook visited the website, the 'datr' cookie was set with a two-year lifetime. If users thereafter visited a website that includes a Facebook social plug-in, that information was sent back to the social networking website, according to the experts.
Facebook claims that it uses 'datr' to help it distinguish between legitimate and illegitimate visits to its website, and identifies browsers and not individuals. While that purpose may seem legitimate, it allows the company to know a large part of the last 10 days of browsing history of non-account holders that may have visited the Facebook website only once, without their being informed, CNIL said.
Facebook has three months to comply with the directions of the French authority or face sanctions under the French Data Protection Act. The company could not be immediately reached for comment.
In the wake of the Belgian order, the company agreed to stop using the 'datr' cookie but also made publicly available pages and other content on its website inaccessible to people without accounts.