The report was produced by the Centre of Interdisciplinary Law and ICT at the University of Leuven in Belgium at the request of the country’s privacy commission.
A subsequent report claims that Facebook tracks the web browsing of everyone who visits a page on its site, even if the user does not have an account or has explicitly opted out of tracking in the EU.
The latest report said that a plug-in, such as the follow button that Facebook provides to direct users to a company's Facebook page from its own website, can also track the sites that a user visits.
In a statement to the BBC, Facebook said the original report contained factual inaccuracies.
“The authors have never contacted us, nor sought to clarify any assumptions upon which their report is based,” it said. “Neither did they invite our comment on the report before making it public.
“However, we remain willing to engage with them and hope they will be prepared to update their work in due course.”
Facebook, which has its European headquarters in Dublin and is regulated by the Irish Data Commissioner, also said it had passed two audits of its data protection policies.
Faced with mounting criticism from European data protection authorities, Facebook updated its privacy policies in January 2015.
Read more about data privacy
- The European Parliament's consent to the EU-US trade deal “could be endangered” if blanket mass surveillance by the US National Security Agency does not stop, MEPs have warned.
- One-third of IT security professionals do not keep corporate data in the cloud because of fears of government snooping.
- Deputy prime minister Nick Clegg has called for greater transparency and “strong, exacting, third-party oversight” of UK intelligence agencies
But the researchers said most of the 'new' policies and terms simply made old practices more explicit.
The terms still allow Facebook to track its users across websites and devices, use pictures uploaded for commercial purposes and collate location data.
The report said Facebook "places too much burden" on members by presenting them with a “complicated web” of privacy settings.
“Facebook’s default settings related to behavioural profiling or social ads, for example, are particularly problematic,” the report said.
The report also claimed there is no way to stop Facebook from collecting location information about users though its smartphone app without disallowing location access in mobile operating system settings.
Users are offered no choice as regards their appearance in sponsored stories or the sharing of location data, and users do not receive adequate information to make informed choices where choices are available, the report said.
The authors of the latest report told The Guardian that they have not been contacted by Facebook directly or received any request to meet.
“We are not surprised that Facebook holds a different opinion as to what European data protection laws require,” they said in a statement. “But if Facebook feels that today’s releases contain factual errors, we are happy to receive any specific remarks it would like to make.”
Facebook is currently under investigation by the Dutch data protection authority and the Article 29 working party on data protection, comprising representatives of the data protection authority of each EU member state, the European Data Protection Supervisor, and the European Commission.
The ECJ is also expected to rule on whether an investigation should be launched into allegations by Edward Snowden that Facebook passes personal data to the US National Security Agency (NSA).
The case relates to concerns by Schrems that when Facebook collects user data and exports it to the US under safe harbour rules, it is giving the NSA the opportunity to use the data for mass surveillance.
At a hearing of the case in Luxembourg, the ECJ said it will issue its ruling on 24 June 2015.
Commentators said the ruling could shape international regulations on online information and affect all US companies dealing in Europeans’ data, such as Facebook, Twitter, Google, Microsoft and Yahoo.
Read more on Privacy and data protection
EU court opinion finds EU-US data transfers lawful but raises questions over Privacy Shield
Facebook: Legality of EU-US data sharing to be decided by Court of Justice
Facebook’s high-stakes privacy gamble goes to Dublin court
Max Schrems’s mass surveillance complaint knocked back another year or two by Irish judge