Facebook put on notice by French regulator to clean up its privacy act

via Flickr © rpongsaj (CC BY 2.0)

  • Safe Harbor ends, but no replacement yet
  • Privacy shield timetable agreed at EU level
  • National regulators free to act

Facebook is embroiled in what can only be described as a ‘kerfuffle’ with the French data protection authority, the CNIL (The Commission Nationale de l’Informatique et des Libertés), which is threatening to impose sanctions unless the social media site pulls finger and complies with European and French laws on privacy in the wake of the ending of the ‘Safe Harbor’ arrangements last year following US spying allegations.

Part of the Facebook problem relates to the end of Safe Harbor, but there are also several ‘things which have to be put right’ outstanding against Facebook’s name in France and it looks like the CNIL has finally lost patience with the US-based company and decided to get tough.

For one thing, like Google, Facebook has been under attack for its tax arrangements where it was recently described as “nursing a loss and with a tax bill of just £4,327 in the UK”. That’s nothing to do with data privacy, of course, but that sort of thing can provide a following wind for bodies like the CNIL who want to flex their muscles.

So, ‘safe harbor’ first. This was the pact under which computer information could happily cycle back and forth between Europe and the US on the assumption that privacy and other measures were being observed similarly on both sides of the Atlantic. Following the famous spying allegations the arrangement was invalidated by the European Court of Justice in October last year. It’s not now enough for companies in the US to ‘self-certify’ that they are providing adequate protection when European personal data ends up being processed and stored in the US - by Facebook for example.

Instead, the US companies concerned were given three months by the European Court of Justice to come up with an alternative data transfer pact or to use ‘more cumbersome’ methods to ensure that European privacy law is complied with. They allegedly haven’t done so.

In the meantime, as the deadline approached, a ‘Privacy shield’ agreement was reached between the US and Europe at EU level to provide breathing space for a new pact to be worked out.

Down at national level, though, regulators are free to start taking action and France’s CNIL has stepped forward and given Facebook another three-month deadline, after which it gets into real trouble.

But not finding a safer safe harbor is not the only grudge on the CNIL list.

Back in 2014 Facebook changed its privacy policy and as part of that it became clear that it collects the browsing activity of Internet users who do not have a Facebook account - when they arrive on a Facebook page having clicked on a URL provided by a Facebook user for instance. The CNIL took issue with this because it contravened France’s data protection laws, pointing out that Facebook “does not inform Internet users that it sets a cookie on their terminal when they visit a Facebook public page (e.g. page of a public event or of a friend). This cookie transmits to Facebook information relating to third-party websites offering Facebook plug-ins (e.g. Like button) that are visited by Internet users.”

The CNIL further points out that Facebook collects data concerning the sexual orientation and religious and political views without the explicit consent of account holders, and that “Internet users are not informed on the signup form with regard to their rights and the processing of their personal data.”

So Facebook has been given another three months to get it all sorted before enforcement is launched.
