France's data protection authority has ordered Facebook to stop transferring user data to the US, following a ruling from the European Union that invalidated a longstanding trans-Atlantic data transfer agreement. In an order published Monday, the data protection authority, known by its French acronym CNIL, also gave Facebook three months to stop tracking the web activity of non-users without their consent. Facebook could face fines if it fails to comply, CNIL added.
In October, the European Court of Justice ruled that the trans-Atlantic data transfer agreement between Europe and the US, known as the Safe Harbor pact, was illegal on the grounds that the US does not provide adequate privacy protections. A three-month deadline to establish alternative agreements expired last week, and although US and European officials agreed to a new framework last week, it has not been put into operation.
One of several privacy probes
The invalidation of Safe Harbor provided the basis for CNIL's order, though Facebook has said its data transfers are in accordance with EU law. "Protecting the privacy of the people who use Facebook is at the heart of everything we do," a Facebook spokeswoman told Reuters. "We ... look forward to engaging with the CNIL to respond to their concerns."
CNIL also ordered the social network to inform non-Facebook users that their web browsing activities are tracked with cookies when they visit a Facebook page. The regulator added that Facebook users should be able to choose whether their data is shared with advertisers, and that the company should stop "retaining personal data beyond the length of time required for the purposes for which it was collected and processed." CNIL said the practices are in violation of French law.
Facebook is facing a number of privacy-related probes in Europe. In November, a Belgian court ordered the company to stop using cookies to track the web activity of its users, meaning that users must now log in to view Facebook pages, including public ones.