France attacks Facebook data tracking, opening new front in privacy battles

French data regulators have given Facebook three months to stop transferring data on French users to the US and to refrain from tracking nonusers.

Facebook's Chief Operating Officer Sheryl Sandberg attended the World Economic Forum in Davos, Switzerland, in January.

Ruben Sprich/Reuters

February 12, 2016

In yet another fissure between the US and Europe over digital privacy practices, French regulators ordered Facebook to curtail its online data collection practices.

The country's data protection authority, known by its French acronym CNIL, ruled this week to give Facebook three months to stop transferring data on French users to the states and to refrain from collecting information about nonusers, or else face hefty fines.

French regulators claim that the social media behemoth violates the country's data privacy laws because it tracks information on Internet users' sexual orientation, religious, and political views "without the explicit consent of account holders" and fails to inform users that it uses "cookies" – information about stores on users' browsers – to track activity on third-party pages.

Facebook's balancing act between trust and security

The ruling is the latest blow to Facebook in Europe and comes amid a major overhaul of privacy regulations in the European Union that will affect how thousands of US companies handle Europeans' personal information.

Even though American and EU regulators agreed earlier this month on a new, more robust data privacy regime to satisfy Europeans' privacy concerns, that deal known as Privacy Shield will take months to put into place. 

In the meantime, companies such as Facebook face more uncertainty and roadblocks in their dealings with European data protection regulations. Until Privacy Shield is implemented, US tech firms must abide by the privacy policies of individual countries. 

The French ruling against Facebook "can easily happen to another American company," said Christopher Talib, campaign manager of Paris-based internet freedom watchdog La Quadrature du Net.  

"The minute they stop following the rules in France and the rights of our citizens, there is a problem," he said. "Internet users see that Like button everywhere but they never think that by clicking it, their privacy will be compromised."

The French data regulator's decision isn't the first time European countries have complained about the company's practices. Last fall, a Belgian court ruled that the company put a stop to tracking nonusers' browsing activity or face fines. In December, the company ultimately agreed to stop using Internet cookies that track nonusers' activity. 

In fact, Facebook's data collection practices in Europe were at the center of last year's court battle over the so-called Safe Harbor agreement, the transatlantic deal that outlined how American companies would safeguard European data.

The European Court of Justice eventually invalidated that deal after Austrian privacy activist Max Schrems argued that Facebook violated its terms. Essentially, he argued that Facebook couldn't keep data it moved to US servers safe from National Security Agency spying. The new Privacy Shield agreement is meant to put greater protections on Europeans' data.

Until Privacy Shield is put into action, it'll be a challenging period for US companies, since each country operates under its own legal framework, said Thomas Lanson, a security researcher at the Paris-based French Institute for International and Strategic Affairs. 

"The [US companies] needs to find a way to deal with that without altering its services," said Mr. Lanson.

French data regulators said it simply wants Facebook to give both users and nonusers notification about how the company is tracking them online – and what information it collects. "Companies should at a minimum inform users over transparency concerns," said CNIL. 

"European Internet users have rights that must be respected," the agency said. "It’s a question of confidence between the user and the internet service provider." 

In addition to France, data protection authorities in the Netherlands, Spain, and Germany are investigating Facebook’s compliance with local and European privacy legislation.

Facebook did not respond to a request for comment.

In a Financial Times interview last month, Facebook Chief Operating Officer Sheryl Sandberg said that "poorly designed regulation" would hamper innovation and stifle businesses. She encouraged regulators not to stand in the way of "progress" with burdensome privacy policies.

There are others who say that European regulators are also wielding privacy policies as a way of keeping data inside the EU, which could be a boon to the fledgling European digital economy.

"This digital revolution has created so many jobs in the US, but it's no secret that France is lagging behind in this domain," says Lanson of the Institute for International and Strategic Affairs.

American tech firms' revenues from European users goes to US companies instead of remaining in the country, at a time when the French – and European – economy is struggling. 

"This process destroys access for French companies to create advertising jobs and revenue and instead gives it to the US," he says. "Data protection is incredibly important for EU member countries for this reason."