French regulator cracks down on Facebook over privacy concerns

France’s privacy regulator on Monday threatened to fine Facebook Inc. if it doesn’t change some of its data tracking practices and halt transatlantic transfers under a recently invalidated data flow agreement.

The French order is the first significant action taken by a European data protection authority since the EU high court struck down the agreement last October over privacy concerns.


Over 4,000 firms had relied on the so-called Safe Harbor agreement to legally handle EU citizens’ data. Regulators gave companies until the end of January to set up alternative legal means of transfer before they began taking enforcement action, while negotiators from both governments raced to strike a replacement deal. 

A working group that includes data protection authorities from 28 EU nations is expected to spend the next few months picking through the replacement to Safe Harbor — struck by the Commerce Department and the European Commission last week — to determine if it adequately protects the personal data of European citizens.

Critics have long warned that even with a new agreement, individual regulators could crack down on firms in their countries.

Legal sources tracking the new deal already expected that some countries might target large tech companies seen to have collaborated with U.S. surveillance efforts prior to reforms made under the Obama administration.

Facebook has three months to comply with the French regulator’s demands. According to the watchdog, the social media giant plants cookies on non-users’ computers and collects data on sexual orientation and the religious and political views of users without the explicit consent of account holders.

“The formal notice is made public due to the seriousness of the violations and the number of individuals concerned by the Facebook service (more than 30 million users in France),” the agency said in a statement.

Other countries, including Germany, Belgium, Spain and the Netherlands, have also been probing the company’s privacy policy for violations of EU law.