Three months after safe harbour was ruled illegal by the EU Court of Justice, Facebook is still using the agreement to transfer data to the US, according to a damning ruling by the French authorities which details numerous other data protection breaches.
Along with watchdogs in Belgium, the Netherlands, Spain and Hamburg, the French regulator CNIL has been monitoring the social media giant since last March, as part of an investigation into the way Facebook collects and stores data, instigated by a change in the site’s privacy policies.
Ironically, it was a court case brought against Facebook which led to the scrapping of safe harbour in first place. Last week, the EU and US authorities struck a deal for a new scheme, dubbed Privacy Shield, although exact details are still being thrashed out. This has led to criticism that UK consumers’ data is still at risk.
During its investigation, CNIL has also found evidence that Facebook is tracking non-members of its website in France if they visit a Facebook page, such as a friend’s profile or an event, and gathering data on their web habits without explicit consent.
Facebook is also collecting personal information for advertising purposes without permission, CNIL claims.
The ruling states: “The social network collects data concerning the sexual orientation and the religious and political views without the explicit consent of account holders. It also sets cookies that have an advertising purpose without properly informing and obtaining the consent of Internet users.
“Facebook compiles all the information it has on account holders to display targeted advertising (information provided by the Internet users themselves, collected by the website and by other companies of the group, and transmitted by commercial partners).
“As it is, the company provides no tools for account holders to prevent such compilation, which thereby violates their fundamental rights and interests, including their right to respect for private life.
CNIL has given Facebook three months to amend its practices or face the prospect of enforcement action, including fines.
Perhaps unsurprisingly, Facebook denies any wrong-doing. In a statement, the company said: “Protecting the privacy of the people who use Facebook is at the heart of everything we do. We are confident that we comply with European Data Protection law and look forward to engaging with the CNIL to respond to their concerns.”
Related stories
Privacy Shield is nothing short of preposterous
UK consumer data ‘is still at risk’ despite US deal
EU confirms 11th-hour deal over US data transfers
Obama urged to intervene in safe harbour talks
Firms told ‘don’t panic’ over safe harbour ruling
Cameron takes charge of safe harbour backlash
New ruling halts US data transfer