Facebook put on notice by French regulator to clean up its privacy act
- Safe Harbor ends, but no replacement yet
- Privacy shield timetable agreed at EU level
- National regulators free to act
Facebook is embroiled in what can only be described as a ‘kerfuffle’ with the French data protection authority, the CNIL (the Commission Nationale de l’Informatique et des Libertés). The CNIL is threatening to impose sanctions unless the social media site pulls its finger out and complies with European and French privacy laws, in the wake of the ending of the ‘Safe Harbor’ arrangements last year following US spying allegations.
Part of the Facebook problem relates to the end of Safe Harbor, but there are also several ‘things which have to be put right’ outstanding against Facebook’s name in France, and it looks like the CNIL has finally lost patience with the US-based company and decided to get tough.
For one thing, like Google, Facebook has been under attack for its tax arrangements, where it was recently described as “nursing a loss and with a tax bill of just £4,327 in the UK”. That’s nothing to do with data privacy, of course, but that sort of thing can provide a following wind for bodies like the CNIL who want to flex their muscles.
So, ‘safe harbor’ first. This was the pact under which computer information could happily cycle back and forth between Europe and the US on the assumption that privacy and other measures were being observed similarly on both sides of the Atlantic. Following the famous spying allegations, the arrangement was invalidated by the European Court of Justice in October last year. It is no longer enough for companies in the US to ‘self-certify’ that they are providing adequate protection when European personal data ends up being processed and stored in the US, by Facebook for example.
Instead, the US companies concerned were given three months by the European Court of Justice to come up with an alternative data transfer pact or to use ‘more cumbersome’ methods to ensure that European privacy law is complied with. They allegedly haven’t done so.
In the meantime, as the deadline approached, a ‘Privacy shield’ agreement was reached between the US and Europe at EU level to provide breathing space for a new pact to be worked out.
Down at national level, though, regulators are free to start taking action, and France’s CNIL has stepped forward and given Facebook another three-month deadline, after which it gets into real trouble.
But not finding a safer safe harbor is not the only grudge on the CNIL list.
The CNIL further points out that Facebook collects data concerning the sexual orientation and religious and political views without the explicit consent of account holders, and that “Internet users are not informed on the signup form with regard to their rights and the processing of their personal data.”
So Facebook has been given another three months to get it all sorted before enforcement is launched.