As much of the privacy and technology world awaits the fate of the newly proposed EU-U.S. Privacy Shield, the clock is now ticking for Facebook to comply with France’s Data Protection Act. On Monday, after a multi-pronged investigation, French data protection authority CNIL sent a formal notice to the social networking giant that it was violating the nation’s privacy law and now has three months to get into compliance.
The investigation was triggered by Facebook's March 2015 privacy policy update. The change drew the attention of several EU-based DPAs, including the CNIL and the authorities of Belgium, the Netherlands, Spain, and Hamburg, Germany.
At issue is Facebook’s tracking of non-users through cookies placed on third-party websites and on public-facing Facebook pages. In total, the CNIL detailed five alleged violations of the Data Protection Act in Monday’s advisory: the collection of non-user data; the collection of information about sexual orientation and political and religious views without users’ explicit consent; the setting of cookies without notice to or consent of Internet users; the lack of tools for users who do not want to be profiled for advertising purposes; and the transfer of personal data to the U.S. under Safe Harbor.
The CNIL also issued a more detailed formal notice with additional requirements.
The notice was issued to both Facebook and Facebook Ireland Limited and has been “made public due to the seriousness of the violations and the number of individuals concerned by the Facebook service,” which, according to the CNIL, totals more than 30 million users in France. The CNIL also points out that if Facebook complies within the three-month time frame, no sanctions will be issued, but if they do not come to an agreement, “the CNIL shall appoint a ‘rapporteur’ who might refer the matter to the CNIL’s Select Committee with a view to deciding a sanction.”
As of now, however, Facebook feels that it is in compliance with European law. In an email sent to The Privacy Advisor, a Facebook spokesman said, “Protecting the privacy of the people who use Facebook is at the heart of everything we do. We are confident that we comply with European data protection law, and look forward to engaging with the CNIL to respond to their concerns.”
Plus, according to the CNIL’s notice, Facebook’s compliance is also being investigated by the Belgian, German (Land of Hamburg), Spanish, and Dutch DPAs “at the national level and within an international administrative cooperation framework.”
The issue doesn’t appear to be limited to just Facebook, either.
“This confirms what we have been experiencing for the past few months, that international data flows are a top compliance target,” said Hogan Lovells Partner Eduardo Ustaran, CIPP/E.
Ustaran says there are two key aspects to this case against Facebook. “One is the fact that EU data protection authorities are operating in cross-border teams coordinating their enforcement actions while applying their powers under their national laws,” he said in comments provided to The Privacy Advisor. “As part of this approach, the idea of a competent lead authority becomes slightly less relevant than it has been in the past, as companies need to be paying attention to multiple regulators acting in parallel.”
With the EU-U.S. Privacy Shield arrangement in the works and more answers on a potential agreement due in the next two to three months, the CNIL’s three-month deadline to Facebook – with its explicit mention of Safe Harbor – is, at the very least, intriguing.
Ustaran says the three-month deadline “gives you an idea of the timescales in which data protection regulators expect global organizations to put their international data flows in order. Three months is not much but at least it gives organizations the opportunity to prioritize key transfers and select the most appropriate mechanism in each case.”
Future of Privacy Forum Founder and Co-Chair Jules Polonetsky, CIPP/US, also points out that the three-month time period scales with the technological measures prescribed by the CNIL, including specific password requirements, additional tick boxes for user consent, and an approval process for deleting user accounts – all requirements pointed out in the longer formal notice from the CNIL.
Additionally, the CNIL’s notice may have a similar effect on websites as the Article 29 Working Party's opinion on obtaining consent for cookies had on notice requirements. As a result of that opinion, many websites now display cookie notices to inform users of their use.
“I suspect enforcement against big properties for collection about non-users on third-party sites might have a similar effect in terms of spurring action around the EU and global web,” said Center for Democracy & Technology Chief Technologist Joseph Lorenzo Hall. “The 10,000 euro question is: What are properties like this supposed to do? Ask everyone on the web nicely to remove and natively-host widgets and pixel tags that they have coded into their websites?”
Unlike the popups notifying users of a site’s cookie usage, this new paradigm would involve much more coordination and effort across the Internet, Hall points out.
“Certainly, Facebook can choose to ignore signals sent by these kinds of tracking technologies, but removing them or changing them seems like it would require a lot of coordinated action around the web,” Hall added.
There are also security concerns inherent in the CNIL’s order, according to the FPF's Polonetsky.
Though he wasn’t surprised the CNIL took aim at Facebook’s use of so-called datr cookies – something the Belgian DPA has already gone after and something Facebook has argued helps protect the security of users – Polonetsky explained in a phone call with The Privacy Advisor that he was surprised by “the grab bag of other legal charges in the order that will have dramatic consequences for other major players.”
Specifically, Polonetsky pointed to his concerns about the CNIL’s prescription for passwords, extra tick boxes, and the user-deletion process approved first by the CNIL. “Given the degree to which the French government is concerned about terrorism, I’m surprised they want to require Facebook to get approval first from the CNIL before deleting the accounts of bad actors,” he said. Polonetsky also pointed out that, while companies such as Facebook – and notably Twitter – are attempting to curb hate speech, terrorist-influencing accounts, and revenge porn, the CNIL’s prescriptive process seems illogical.
“The idea that a website can’t kick off users without special permission from the CNIL,” Polonetsky continued, “is quite a narrow and odd charge.”
He added, "I hope Facebook appeals the order."