Facebook Ordered To Stop Tracking Non-Users In France

Yet more privacy problems for Facebook in Europe. Now the French data protection authority, the CNIL, has issued the company with a formal notice to get its house in order and comply with European data protection law or face possible referral to the CNIL’s select committee which could then choose to pursue a sanction against the company.

Facebook has been given three months to make the changes deemed necessary by the CNIL. If it does so to the DPA’s satisfaction it will not face any sanctions, the DPA said yesterday.

TechCrunch understands Facebook is in the process of reviewing the order from the CNIL. A spokesperson provided the following statement regarding the action: “We are confident that we comply with European Data Protection law and look forward to engaging with the CNIL to respond to their concerns.”

Those concerns are multiple, and were unearthed by an investigation triggered after Facebook amended its privacy policy in fall 2014. Specifically, the CNIL is unhappy that Facebook collects the browsing activity of Internet users who do not have a Facebook account.

“Indeed,” the CNIL notice reads, “the company does not inform Internet users that it sets a cookie on their terminal when they visit a Facebook public page (e.g. page of a public event or of a friend). This cookie transmits to Facebook information relating to third-party websites offering Facebook plug-ins (e.g. Like button) that are visited by Internet users.”

It also notes that Facebook collects user data concerning sexual orientation, religious and political views “without the explicit consent of account holders”. Nor does it inform users on the sign up form “with regard to their rights and the processing of their personal data”.

Advertising cookies are also set by Facebook “without properly informing and obtaining the consent of Internet users”, the CNIL asserts, noting that users are not offered any tools to prevent the compilation of info for targeted advertising — which it says “thereby violates their fundamental rights and interests, including their right to respect for private life”.

Perhaps most surprisingly, Facebook also stands accused of continuing to use the now illegal Safe Harbor data transfer mechanism, which was invalidated by the European Court of Justice last October — so a full four months ago.

And although Europe and the US have apparently agreed a new deal (called the EU-US Privacy Shield), this has yet to come into force, so cannot yet be relied up on by companies wanting to legalize data transfers across the Atlantic. And, last week the head of the CNIL, who also heads up the WP29 group of European DPAs, reiterated that Safe Harbor is not an option — stressing that companies continuing to use the invalidated framework are “in an illegal situation” and could face sanctions from DPAs.

Alternative data transfer methods were detailed by the European Commission last fall, after the Safe Harbor strikedown, so it’s rather surprising that Facebook has apparently not switched to using one of these alternatives to govern its Europe to US data transfers. We’ve asked Facebook about this point and will update this story with any response.

Update: Facebook claims it is not in fact using Safe Harbor to transfer data — pointing to prior comments it made last year, in which it said: “Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor.”

Update 2: However a CNIL spokeswoman has pointed out that Facebook France’s privacy policy page still includes the following paragraph noting its use of Safe Harbor… Oops…

Screen Shot 2016-02-10 at 9.37.12 AM

The CNIL goes on to add that it has made its formal notice against Facebook public due to “the seriousness of the violations and the number of individuals concerned by the Facebook service” — noting the site has more than 30 million users in France.

Its action follows a lawsuit brought against Facebook by the Belgian data protection authority last summer, which was also concerned with how it tracks non-users. The Belgian legal action led to the threat of daily fines for Facebook if it did not amend the operation of its tracking cookies — which it subsequently did, switching to requiring users to log in to view pages on the site.

As well as investigations by the French and Belgian DPAs, Facebook is also being probed by Spanish, Dutch and German (Hamburg) data protection authorities. This working group of five DPAs was set up in March 2015 explicitly to investigate its new privacy policy.

The CNIL notes that investigations by all the respective DPAs are “ongoing at the national level and within an international administrative cooperation framework”. So Facebook’s problems in Europe associated with its amended privacy policy look to be far from over.

The new EU-US Privacy Shield is also at least two months out from being approved by the WP29, so there’s no quick fix for companies needing to legalize transatlantic data transfers (although there are a range of alternative mechanisms that can be used, such as standard contractual clauses and model contracts).