The watchdog said that the company had dodged questions from national regulators on how information was collected.
The commission, which was working with watchdogs in Germany, Holland, France, and Spain, accused Facebook of recognising EU national jurisdictions, citing the company’s claim that it was only subject to law in Ireland, where it has its European headquarters.
The data protection authority said, "Facebook has shown itself particularly miserly in giving precise answers," adding that the results of its investigation were disconcerting.
The watchdog threatened to take legal action against Facebook if it did not follow its recommendations.
A Facebook spokeswoman questioned the Belgians’ authority but said it would review the study’s recommendations with the Irish data protection commissioner, adding that the company works hard to ensure people have control over what they share and with whom.
She said: "Facebook is already regulated in Europe and complies with European data protection law, so the applicability of the CBPL’s efforts is unclear."