Facebook has been fined €150,000 (£129,000) by France’s data protection watchdog and is being investigated by Belgium, the Netherlands, Germany and Spain for data privacy violations around the tracking of users and non-users and the use of user data for advertising.
In a statement CNIL said: “In particular it has been observed that Facebook proceeded to a massive compilation of personal data of internet users in order to display targeted advertising. It has also been noticed that Facebook collected data on browsing activity of internet users on third-party websites, via the “datr” cookie, without their knowledge.”
The fine follows a deadline given to Facebook by the French watchdog last year to stop tracking non-users’ web activity without their consent, and an order to stop some transfers of personal data to the US.
Facebook said: “We take note of the CNIL’s decision with which we respectfully disagree. At Facebook, putting people in control of their privacy is at the heart of everything we do. Over recent years, we’ve simplified our policies further to help people understand how we use information to make Facebook better.”
Facebook has argued that the Irish data protection authority, not the CNIL or any other EU data regulator, was the competent authority to formulate such orders, as the social media company’s European headquarters are located in Dublin.
The French action is just one of the actions that will be taken by the contact group. The Belgian Privacy Commission is renewing its recommendations over Facebook’s tracking of users and non-users through cookies, social plug-ins and pixels, for which it is seeking judicial enforcement in October.
Likewise, the Netherlands found that Facebook violated Dutch data protection law for the 9.6 million social network users in the country, over the insufficient information given to users on how Facebook uses their data. Germany has taken issue with Facebook’s combining of WhatsApp user data with Facebook data, and the Spanish data protection authority has opened two infringement procedures against the social network.
The French fine, although small in relation to Facebook’s quarterly revenue of around $8bn, is the first significant action taken against a company transferring Europeans’ data to the US following an EU court ruling last year that struck down an agreement that thousands of companies, including Facebook, had relied on to avoid cumbersome EU data transfer rules.
From data privacy to heavy criticism over how the social network takes down objectionable and extremist content, Facebook has found itself in the centre of a EU-US storm that is likely to rage for the next few years.
A new EU data protection law is set to enter into force in 2018 that could fine companies up to 4% of their global turnover. Countries including France also want to give domestic data regulators more teeth through increased maximum fines.