Facebook is again under fire for its EU-US data transfer practices, with the latest scrutiny coming from the French data protection authority (CNIL).  In a two part order issued on February 8, CNIL ordered Facebook to stop transferring user data to the US under the now defunct Safe Harbor framework. In October 2015, the European Court of Justice invalidated the EU Commission’s Safe Harbor pact, an agreement between the EU and US, that allowed US companies to transfer EU citizens’ data to the US out of the EU. The ECJ’s decision, which was prompted by an Austrian citizen’s claim that Facebook’s transfer of his personal information out of the EU violated his privacy rights, put at risk the ability of nearly 4,000 US companies to transfer data from the EU to the United States. CNIL’s order is predicated on the fact that Facebook’s France privacy policy webpage still includes language detailing Facebook’s use of Safe Harbor to transfer data.

In addition to the Safe Harbor claim, CNIL also alleges that Facebook is using cookies to track non-Facebook users’ Internet activity without first obtaining their consent. While tracking user activity through the use of cookies is a routine practice, using cookies to track non-users who may visit the website and doing so without their consent is a violation of French law according to the CNIL. The order gives Facebook three months to stop tracking non-Facebook users without their consent or else Facebook could face fines for its failure to comply.

The CNIL’s order comes during a time of extreme uncertainty with regard to the fate of EU-US data transfers. EU and US officials had been negotiating “Safe Harbor 2.0” since October, immediately after Safe Harbor was ruled invalid. The parties agreed to a new transatlantic data transfer pact on February 2nd, called the EU-US Privacy Shield, however, the language and legal implications of the agreement have yet to be finalized. Critics of the Privacy Shield point out that the agreement is merely an “agreement to agree” and not an actual framework on which to build a working policy, essentially giving the two sides more time to negotiate an actual policy. Critics also note that the EU’s focus on the US government’s data collection and spying practices is particularly sanctimonious in light of the fact that EU member state governments spy on their own citizens. 

With the data transfer situation still in flux, no one is 100% certain how this situation will pan out over the course of the next few months. If you or your company have questions or concerns about preparing for or responding to new privacy regulations, or you are interested in creating and/or implementing a cybersecurity plan, contact the author or a Polsinelli Privacy and Data Security team member.