CNIL, the French Data Protection Authority, sent a formal notice to Facebook giving it three months to stop tracking non-users' web activity without their consent and to stop transferring personal data collected from French users to the United States.
CNIL detailed five alleged violations by Facebook of the local Data Protection Act, including the collection of sensitive data, such as sexual orientation and political and religious views, without users’ explicit consent, the setting of cookies without notice to or consent from its users, and the lack of opt-out tools for users who choose not to be profiled for advertising purposes.
Facebook is also accused of continuing to rely on the void Safe Harbor data transfer mechanism in order to transfer users’ personal data to the United States. In this regard, the French privacy order is the first significant action to be taken against a company transferring personal data from the EU to the United States following the EU Court of Justice ruling from last October (see our report regarding this ruling and its consequences).
It should be noted that although the European Commission and the United States have recently agreed on a new framework for transatlantic data flows, namely the EU-US Privacy Shield, this framework is yet to come into force.
We will be happy to advise our clients on the updated regulatory aspects of transferring personal data from the EU to the United States and to advise on the applicable solutions which will enable such a transfer.