The French data protection authority has ordered Facebook to stop some transfers of personal data of its users to the U.S. and to change the way it handles the data of users and non-users visiting its website.
French data-protection authority CNIL has given Facebook three months to comply with its formal notice, which requests that the social network stop using the now-defunct EU-US Safe Harbor agreement to transfer data across the Atlantic for processing.
Europe’s highest court struck down Safe Harbor in October after reviewing Austrian privacy campaigner Max Schrems’s case against Ireland’s data-protection authority and his unmet demand for Facebook Ireland to stop transferring data to the US in light of the NSA’s PRISM surveillance program.
“Facebook transfers personal data to the United States on the basis of Safe Harbor, although the Court of Justice of the European Union declared invalid such transfers in its ruling of October 6, 2015,” CNIL said in a statement.
“The formal notice is made public due to the seriousness of the violations and the number of individuals concerned by the Facebook service,” it added.
CNIL has also ordered Facebook to stop collecting the browsing activity of non-Facebook members without informing them that it does so by setting its ‘datr’ cookie in browsers that visit a public Facebook page.
CNIL wants Facebook to inform users of the cookie’s purpose and explain how to change cookie settings in a banner on pages that use them.
Facebook tracks you even when you are not logged in to Facebook:
The company was ordered by the Belgian Privacy Commission last year to stop using a special cookie called ‘datr’ that it claims helps it distinguish between legitimate and illegitimate visits to its website. Technical experts assisting the Belgian Privacy Commission found that when a user not signed in to Facebook visited the website, the ‘datr’ cookie was set with a two-year lifetime. If users thereafter visited a website that includes a Facebook social plug-in, that information was sent back to the social networking website, according to the experts.
Facebook claims that it uses ‘datr’ to help it distinguish between legitimate and illegitimate visits to its website, and that the cookie identifies browsers and not individuals. While that purpose may seem legitimate, it allows the company to know a large part of the last 10 days of browsing history of non-account holders who may have visited the Facebook website only once, without their being informed, CNIL said.
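The mechanism the experts describe can be checked in a traffic capture of your own browser. The following is an added example, not code from CNIL, the Belgian Privacy Commission or Facebook: it flags cookies set with a two-year lifetime on a first visit and lists which embedding sites later sent that identifier back. The `.example` domains, the cookie value, the plug-in path and the use of the `Referer` header to identify the embedding page are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

TWO_YEARS = 2 * 365 * 24 * 3600  # lifetime the article reports for 'datr'

# Constructed sample data (not a real capture): Set-Cookie headers seen on a
# first visit by a browser with no account, then later requests made while
# loading other sites, some of which embed a plug-in from the same domain.
FIRST_VISIT_SET_COOKIE = [
    f"datr=CONSTRUCTED-ID-123; Max-Age={TWO_YEARS}; Domain=.social.example; Path=/; Secure",
    "locale=fr_FR; Path=/",
]
PLUGIN_REQUESTS = [
    {"url": "https://www.social.example/plugins/button",
     "referer": "https://news.example/article-1",
     "cookie": "datr=CONSTRUCTED-ID-123"},
    {"url": "https://www.social.example/plugins/button",
     "referer": "https://health.example/clinic",
     "cookie": "datr=CONSTRUCTED-ID-123"},
    {"url": "https://cdn.other.example/lib.js",
     "referer": "https://news.example/article-1",
     "cookie": ""},
]

def long_lived_cookies(set_cookie_headers, min_seconds):
    """Return {name: max_age} for cookies whose Max-Age is >= min_seconds."""
    found = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            max_age = morsel["max-age"]  # empty string when not set
            if max_age and int(max_age) >= min_seconds:
                found[name] = int(max_age)
    return found

def sites_disclosed(requests, cookie_name):
    """Map each identifier value to the embedding sites whose visit sent it."""
    seen = {}
    for req in requests:
        jar = SimpleCookie()
        jar.load(req["cookie"])
        if cookie_name not in jar:
            continue
        embedder = urlsplit(req["referer"]).hostname
        if embedder != urlsplit(req["url"]).hostname:  # third-party context
            seen.setdefault(jar[cookie_name].value, []).append(embedder)
    return seen

if __name__ == "__main__":
    for name in long_lived_cookies(FIRST_VISIT_SET_COOKIE, TWO_YEARS):
        print(name, sites_disclosed(PLUGIN_REQUESTS, name))
```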
Facebook said in a statement that it does comply with European law:
“Protecting the privacy of the people who use Facebook is at the heart of everything we do. We are confident that we comply with European data-protection law and look forward to engaging with the CNIL to respond to their concerns,” a Facebook spokesperson said.