France's data-protection watchdog has ordered Facebook to stop transferring data to the US and to cease tracking non-members without their consent.
French data-protection authority CNIL has given Facebook three months to comply with its formal notice, which requests that the social network stop using the now-defunct EU-US Safe Harbor agreement to transfer data across the Atlantic for processing.
Europe's highest court struck down Safe Harbor in October after reviewing Austrian privacy campaigner Max Schrems's case against Ireland's data-protection authority and his unmet demand that Facebook Ireland stop transferring data to the US in light of the NSA's PRISM surveillance program.
That ruling resulted in last week's new EU-US proposal, dubbed Privacy Shield. However, until the new agreement comes into effect, European data-protection authorities are still able to enforce the Safe Harbor ruling.
"Facebook transfers personal data to the United States on the basis of Safe Harbor, although the Court of Justice of the European Union declared invalid such transfers in its ruling of October 6, 2015," CNIL said in a statement.
"The formal notice is made public due to the seriousness of the violations and the number of individuals concerned by the Facebook service," it added.
CNIL has also ordered Facebook to stop collecting the browsing activity of non-Facebook members without informing them that it collects data by setting its 'datr' cookie on browsers that visit a public Facebook page.
CNIL wants Facebook to inform users of the cookie's purpose and explain how to change cookie settings in a banner on pages that use them.
Belgium's data-protection authority issued an interim ruling against Facebook over datr in December.
Facebook's chief security officer Alex Stamos said it uses datr to prevent unauthorized account takeovers, DDoS attacks, and copying of user content.
CNIL's investigation included a site inspection of Facebook and a documentary audit to determine whether the social network complied with French law.
The regulator also criticised Facebook for collecting data about users' sexual orientation, as well as religious and political views, without gaining their explicit consent. And it wants Facebook to stop requesting that users provide medical records to prove their identity.
Facebook said in a statement to ZDNet that it does comply with European law.
"Protecting the privacy of the people who use Facebook is at the heart of everything we do. We are confident that we comply with European data-protection law and look forward to engaging with the CNIL to respond to their concerns," a Facebook spokesperson said.