The French data protection authority (DPA) has given Facebook three months to stop tracking the online activity of individuals who are not users of the social network without their consent. It has also urged the social network to stop transferring the personal data of EU citizens to the US on the basis of Safe Harbor, the now-defunct agreement that allowed such data transfers until the European Court of Justice ruled it invalid in October 2015. This move shows that DPAs are not willing to wait until the new Privacy Shield agreement is finalized; they are putting pressure on the EC to produce a meaningful tool to protect EU citizens’ personal data.
Individual DPAs are putting pressure on the EC to ensure Privacy Shield will not be an empty shell
The French data protection authority, the CNIL, has issued a formal notice to Facebook to stop tracking the web activity of individuals who are not even users of the social network and to cease transferring data to the US on the basis of Safe Harbor. The statement shows that EU DPAs are not simply waiting for Privacy Shield to be adopted. Privacy Shield is supposed to replace the now-defunct Safe Harbor agreement, which ensured the smooth transfer of personal data between the EU and the US. However, following last week’s announcement by the European Commission, it is yet to be finalized and is already attracting skepticism about its effectiveness from many stakeholders.
Strikingly, the head of the CNIL is also the head of the Article 29 Working Party, which groups together EU DPAs and sets out their common positions on privacy issues. Last week, the Article 29 Working Party said that it is ready to wait until April to see the Privacy Shield approved and in force. Yesterday’s move from the CNIL signals the French DPA’s clear intention to put pressure on the EU to obtain a meaningful and functional deal with the US and to ensure that protection of EU citizens’ personal data does not remain a mere principle. However, we will have to wait for three months to see if the CNIL will follow up on its stated intentions.
“The replacement for Safe Harbor will have more red tape, but no surprises,” TE0007-000990 (February 2016)
Data Protection Tracker, TE0007-000955 (December 2015)
Luca Schiavoni, Senior Analyst, Regulation