Facebook has been accused by French data authority CNIL of still using the defunct Safe Harbour framework as the basis for data transfers to the US.
The CNIL warned that it may issue fines against Facebook if the company does not amend its practices within a three-month deadline.
The French watchdog claimed to have uncovered the ongoing use of Safe Harbour as part of an investigation launched in March last year into the way Facebook collects and stores data, instigated by a change in the social site's privacy policies.
However, Facebook has denied this in the past, claiming that it has other processes in place to oversee data transfers to the US.
“Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbour,” the company said.
The report by the CNIL also claimed that Facebook tracks non-members of its website in France if they visit a Facebook page, such as a friend’s profile or an event, and gathers data on their web habits without explicit consent.
“Facebook collects, without prior information, data concerning the browsing activity of internet users who do not have a Facebook account,” it said.
CNIL explained that Facebook does this by installing a cookie on a user’s machine without notice. The cookie transmits information on the user’s browsing habits to Facebook when they visit any site using a Facebook plug-in, most commonly the ‘Like’ button.
CNIL said that this means Facebook is gathering all kinds of data on French citizens without consent.
“[Facebook] collects data concerning the sexual orientation and the religious and political views without the explicit consent of account holders,” the report said.
“In addition, internet users are not informed on the sign-up form with regard to their rights and the processing of their personal data.”
CNIL has given Facebook three months to change how it operates or face the risk of “sanctions” that would most likely take the form of fines.
Facebook denied that the firm is doing anything wrong, and is confident that it can assuage the CNIL’s concerns.
“Protecting the privacy of the people who use Facebook is at the heart of everything we do. We are confident that we comply with European Data Protection law and look forward to engaging with the CNIL to respond to their concerns,” the company said in a statement.
CNIL has prior form in going after the internet big boys for data protection violations. Google was fined €150,000 in 2014 for not complying with the nation’s data protection rules.