France’s privacy watchdog dropped a series of bombs on Facebook late Monday, threatening not only the company’s transfers of personal data to the U.S., but also its core business model.
The French data protection authority, CNIL, told Facebook that it’s breaking the law by not letting users opt out of being profiled for targeted advertising. It said this “violates their fundamental rights and interests, including their right to respect for private life.”
Remember, this is essentially an advertising company we’re talking about — 96.5 percent of Facebook’s 2015 revenues came from ads — so there’s a very good reason it doesn’t provide such an opt-out. It’s probably fair to say that the average person doesn’t realise all the data Facebook holds on them is combined with data from other companies to build a detailed profile that’s then exploited for money. If Facebook has to give people the option of stopping this from happening, it could take a hit where it hurts.
There’s more, too — plenty more.
Facebook tracks people for advertising purposes using cookies (snippets of code that are placed in people’s browsers) but does not properly gain their targets’ consent before doing so, the watchdog complained. CNIL also said it was illegal for Facebook to scoop up data on sexual orientation and religious and political views without explicit consent.
CNIL claimed Facebook continues to transfer French people’s personal data to the U.S. under the now-defunct EU-U.S. Safe Harbor scheme. If true, this is also illegal, though Facebook is these days also using an alternative legal mechanism called “model clauses” to justify its transatlantic transfers. (Here’s a reminder of where things stand on the post-Safe Harbor front — in short, it’s complicated and companies don’t yet have a reliable long-term solution for staying on the right side of the law.)
Get Data Sheet, Fortune’s technology newsletter.
Even if Facebook is no longer relying on Safe Harbor, it’s worth noting that its privacy policy still talks about Facebook’s compliance with the scheme — and CNIL’s complaints are based on Facebook’s privacy policy. Perhaps the company should follow the lead of others such as Twitter, and tweak its policy to stop talking about the dead deal.
CNIL also attacked Facebook over the fact that it tracks the browsing activity of people who aren’t even signed up to Facebook, but who visit a Facebook public page — CNIL didn’t mention it, but the same applies to people who visit pages with embedded Facebook comment sections. This accusation is interested because it shows France following the lead of neighboring Belgium, where the local privacy regulator has already forced Facebook to stop following non-users.
Facebook does this by setting a “datr” cookie in people’s browsers when they visit one of the aforementioned pages, which then registers every time the browser accesses a page with a “like” button or some other Facebook tool embedded in it. Facebook insists it does not do this for advertising purposes, but rather to boost security by making it easier to spot when a user’s account has been taken over, and to avoid fraudulent clicks on those “like” buttons.
In Belgium, Facebook has now had to stop using the cookie, and in response it has started requiring people to sign into Facebook if they want to see a public page — the firm claims this is harmful to small business owners in particular, who may use a public Facebook page as their main presence on the web. The company is appealing the court ruling that forced it to do this (with one of its claims being that the ruling is invalid because it used English words such as “cookie” and “browser”).
For more on Facebook, watch:
So if France follows Belgium, and others do the same, this will become very annoying for Facebook. It will arguably hit its security, and it will certainly make Facebook a less obvious home for small businesses’ and public events pages.
There’s a good chance more of this action could follow. CNIL’s broadside against Facebook follows a review of the company’s privacy policy by a group of regulators, also including those from Belgium, the Netherlands, Spain, and the German city-state of Hamburg (uniquely in Europe, Germany has a separate data protection authority for each of its 16 states, plus one at the federal level).
As for CNIL’s demands, Facebook has three months to get its act together and start complying with the law — so far, there is no mention of what will happen to the social network if it does not comply.
A Facebook spokesperson said: “Protecting the privacy of the people who use Facebook is at the heart of everything we do. We are confident that we comply with European data protection law and look forward to engaging with the CNIL to respond to their concerns.”
The regulator insisted it is not telling Facebook how to comply with the law, and it is not trying to produce “a negative impact on its business model or innovation capacity.”
Without trying to be overly cynical, it’s hard to see how Facebook’s business model could fail to be harmed by giving people this much more control over what happens to their personal data.
