Facebook faces restrictions in France on data transfer to US
The nation’s data protection authority has told the social network that it has just three months to stop tracking the browsing of non-users and sending that data to the U.S., or it will face fines of up to €150,000 (£116,000, $168,000).
The watchdog accused Facebook of breaking the law by continuing to transfer EU citizens’ personal data to servers based in the United States – a practice banned by the Court of Justice of the European Union since October 2015.
The order from France is the latest escalation in five coordinated Facebook probes launched by privacy regulators from Belgium to Germany.
CNIL said that this means Facebook is gathering all kinds of data on French citizens without consent.
The French watchdog uncovered the ongoing use of Safe Harbour as part of an investigation launched in March last year into the way Facebook collects and stores data, instigated by a change in the social site’s privacy policies.
“In addition, internet users are not informed on the sign-up form with regard to their rights and the processing of their personal data”.
It also notes that Facebook collects user data concerning sexual orientation, religious and political views “without the explicit consent of account holders”.
And although Europe and the US have apparently agreed a new deal (called the EU-US Privacy Shield), this has yet to come into force, so cannot yet be relied upon by companies wanting to legalize data transfers across the Atlantic. Any company handling human resources data from Europe, for example, has to commit to complying with decisions by European data protection authorities (DPAs).
In order to comply with the French Data Protection Act within the time limit, Facebook has been asked to implement a number of changes.
Last year, authorities in Belgium also ordered Facebook to stop tracking non-users.
“Protecting the privacy of the people who use Facebook is at the heart of everything we do”, a Facebook spokeswoman said.
CNIL also wants the minimum password length to be set at 8 characters with three complexities, and Facebook could retain user Internet Protocol (IP) addresses for a maximum of six months.
At the moment, Facebook installs a cookie on the computer of any user visiting one of its pages, such as fan pages and company pages.