The French data protection authority (CNIL) is placing Facebook’s EU-U.S. data transfer practices under new scrutiny over its use of the defunct Safe Harbor framework.

The agency issued a two-part order Feb. 8 requiring the social media company to stop using Safe Harbor to transfer data to the United States. Safe Harbor was nullified in October 2015 when the European Court of Justice invalidated the EU Commission’s Safe Harbor agreement with the U.S. The agreement had allowed U.S. companies to transfer EU citizens’ data to the U.S. from the EU.

The ECJ’s decision to invalidate Safe Harbor stemmed from an Austrian citizen’s complaint – filed in the aftermath of revelations about U.S. National Security Agency data collection practices – that Facebook violated his privacy rights by transferring his personal data to the U.S. The decision imperiled 4,000 U.S. companies’ ability to transfer data from the EU to the U.S.

The new CNIL order is based on Facebook continuing to include language detailing its use of Safe Harbor on its France privacy policy page. Part two of the order accuses Facebook of using cookies to track non-users’ activity without their consent, a violation of French law, according to CNIL. It gives Facebook three months to stop tracking non-users without their consent, or face potential fines.

The order comes at an tumultous time for U.S.-EU data transfer policy. EU and US officials agreed to a new EU-U.S. Privacy Shield transatlantic data transfer pact on Feb. 2nd,  but many of the details, including language and legal implications of the agreement are in flux. Critics say details are so scarce that the agreement is not the basis for a working policy. While many in the EU have criticized the U.S. government’s data collection practices, critics point out that the EU may want to take a look in the mirror since many of its member states spy on their own citizens.

It all leads to massive uncertainty. No one is sure how things will develop over the next few months.

If you or your company have questions or concerns about preparing for or responding to new privacy regulations, or you are interested in creating and/or implementing a cybersecurity plan, contact the author or a Fox Rothschild Privacy & Data Security team member.