The order is the first significant action since the end of ‘Safe Harbour’ data transfer rules last autumn
France’s data-protection authority has ordered Facebook to stop tracking non-users’ web activity without their consent.
It has also ordered the social media network to make changes to the way it collects and processes data on its users, while the country’s consumer protection agency has also taken Facebook to task.
The CNIL, the French government’s data protection arm, on Monday gave Facebook three months to change its practices around the collection of data on its users, the use of such data in advertising, and the collection of data on non-users.
Data transfer rules
The order is the first major data protection action in Europe since the “Safe Harbour” data transfer agreement with the US was declared invalid last year.
Safe Harbour streamlined the legal framework for companies wishing to transfer individuals’ personal data between the European Union and the US, but it was annulled in October amid concern over the collection of such data by US security agencies.
EU data protection authorities gave companies three months to find other legal arrangements for their data transfers, and the deadline expired last week. A new deal has been agreed, but hasn’t yet come into force.
The CNIL’s missive urges Facebook to come into line with the new data transfer rules, but the agency’s demands also address more general concerns around Facebook’s collection and processing of data on both users and non-users.
The CNIL noted that Facebook doesn’t specifically ask for users’ consent for the collection of data on their political and religious opinions and sexual orientation, as it is obliged to do under French law, and doesn’t inform users about how their data will be collected and used during the sign-up process.
Facebook’s collection of user data for advertising purposes also fails to sufficiently protect individuals’ privacy, and its collection of browsing data on non-users takes place without their consent, the CNIL said. Belgium’s equivalent agency was the first of Europe’s data protection authorities to force Facebook to stop collecting details on non-users last year, following a court case.
The CNIL also decried Facebook’s requirement of documents to prove a user’s identity, and requested that the social network better inform users on its deployment of cookies, that it require stronger passwords and that it erase the IP addresses used to access the service after six months.
Consumer protection complaint
For its part, the DGCCRF, which oversees consumer rights in France, on Tuesday took issue with a “significant imbalance” on rights and obligations between Facebook and its users, “to the detriment of users”.
The agency singled out Facebook’s “discretionary power” to withdraw materials published by users over the service and its “right to unilaterally modify the conditions of use without first informing users”.
The DGCCRF gave Facebook 60 days to make changes. Both it and the CNIL have the power to levy fines.
Facebook said it is “confident” its service conforms to European law.
“Protecting the privacy of the people who use Facebook is at the heart of everything we do. We … look forward to engaging with the CNIL to respond to their concerns,” Facebook stated.
Facebook has previously said it doesn’t rely on Safe Harbour, but makes its data transfers to the US under other legal measures.