France orders Facebook to stop tracking non-users or risk fines

Company also still using Safe Harbour framework to oversee data transfers

Facebook has been ordered to stop tracking non-users of its site in France by the French data authority CNIL. The watchdog also accused Facebook of still using the defunct Safe Harbour framework as the basis for data transfers to the US.

The CNIL warned that it may issue fines against Facebook if it does not amend these practices within three months.

The French watchdog claimed to have uncovered the ongoing use of Safe Harbour as part of an investigation launched in March last year into the way Facebook collects and stores data, instigated by a change in the social site's privacy policies.

However, Facebook issued a statement reiterating its stance from last year that it has other means of transferring data.

"Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbour."

The report by the CNIL also claimed Facebook is tracking non-members of its website in France if they visit a Facebook page, such as a friend's profile or an event, and gathering data on their web habits without explicit consent.

"Facebook collects, without prior information, data concerning the browsing activity of internet users who do not have a Facebook account," it said.

CNIL explained that Facebook does this by installing a cookie on a user's machine that transmits information about the user's browsing habits to Facebook if they visit any site using a Facebook plug-in, most commonly the "Like" button.

CNIL said that this means Facebook is gathering all kinds of data on French citizens without consent.

"[Facebook] collects data concerning the sexual orientation and the religious and political views without the explicit consent of account holders," the report said.

"In addition, internet users are not informed on the sign-up form with regard to their rights and the processing of their personal data."

CNIL has given Facebook three months to change how it operates or face the risk of "sanctions" that would most likely take the form of fines.

Facebook response
Facebook denied that it is doing anything wrong, and said it is confident that it can assuage the CNIL's concerns.

"Protecting the privacy of the people who use Facebook is at the heart of everything we do. We are confident that we comply with European Data Protection law and look forward to engaging with the CNIL to respond to their concerns," the company said in a statement.

CNIL has prior form in going after the internet big boys for data protection violations. Google was fined €150,000 in 2014 for not complying with the nation's data protection rules.