Facebook has become the first major company to feel the fallout from the Safe Harbor agreement being ruled invalid last year after the French data protection authority gave the social networking site three months to stop some transfers of personal data to the United States. It also ordered the firm to stop tracking the browsing habits of non-users.

The 15-year old Safe Harbor agreement, which allowed US companies to easily receive information from European servers and avoid cumbersome EU data transfer rules, was ruled illegal in October amid concerns over US government spying.

The European Court of Justice gave companies certified under Safe Harbor three months to come up with an alternative data transfer pact - a deadline that expired last week. This means regulators – in this case it’s the Commission Nationale de l’Informatique et des Libertés (CNIL) – can start taking legal action against companies that still rely on Safe Harbor.

“Facebook transfers personal data to the United States on the basis of Safe Harbour, although the Court of Justice of the European Union declared invalid such transfers in its ruling of October 6, 2015,” the CNIL said in a statement.

The CNIL also said that Facebook's use of cookies to track non-members of its site without informing them was a violation of French privacy law.

Facebook has claimed that it no longer uses Safe Harbor and added that it “has set up alternative legal structures to continue its transfers in line with EU law.” It seems that the CNIL isn’t convinced; the data protection agency has given Facebook three months to comply with its request or it could be fined.

"Protecting the privacy of the people who use Facebook is at the heart of everything we do. We ... look forward to engaging with the CNIL to respond to their concerns,” a Facebook spokeswoman said.

Facebook isn’t having an easy time in Europe at the moment; in addition to mounting problems in Germany, the CNIL’s anti-tracking order follows a similar demand made by a Belgian court last November.