The Spanish Data Protection Agency (AEPD) has fined Facebook 1.2 million euros, or just over $1.4 million, for breaching the country’s data protection and privacy regulations. The fine follows an investigation into how the social media giant collects, stores and uses data, which found that it did not obtain the necessary user consent beforehand.
The data involved related to the ideology, religious beliefs, sex and personal tastes of Facebook’s users, taken from both Facebook itself and third-party sites that utilized the “Like” social plugin. In the judgement of the regulators, users were not “clearly inform[ed]… about the use and purpose” of the data. Facebook fell foul of the strict privacy legislation, which classifies a lack of express consent before obtaining personal data as a very serious offense. According to the AEPD, data taken from the “Like” plugin via cookies was also misused: while some of it was declared as being used for advertising, other parts were not.
Data taken from users was also not deleted fast enough when requested, as the AEPD noted:
Regarding data retention, when a social network user has deleted his account and requests the deletion of the information, Facebook captures and treats information for more than 17 months through a deleted account cookie. Therefore, the AEPD considers that the personal data of the users are not canceled in full or when they are no longer useful for the purpose for which they were collected or when the user explicitly requests their removal, according to the requirements of the LOPD [local data protection law], which represents a serious infringement.
The AEPD also asserted that a regular Facebook user “with an average knowledge of the new technologies does not become aware of the collection of data, nor of their storage and subsequent treatment, nor of what they will be used.”
Facebook was therefore fined for three separate offences in total (two classed as serious and one as very serious), with the charges breaking down to 300,000 euros for each of the first two and 600,000 euros for the third.
Other Data Protection Agencies liaised with the AEPD on the issue, including those from Belgium, France, Germany and the Netherlands, which are also currently investigating Facebook for similar potential offences.
Facebook released a statement to TechCrunch, saying that they intend to appeal the decision:
We take note of the DPA’s decision with which we respectfully disagree. Whilst we value the opportunities we’ve had to engage with the DPA to reinforce how seriously we take the privacy of people who use Facebook, we intend to appeal this decision. As we made clear to the DPA, users choose which information they want to add to their profile and share with others, such as their religion. However, we do not use this information to target adverts to people. Facebook has long complied with EU data protection law through our establishment in Ireland. We remain open to continuing to discuss these issues with the DPA, whilst we work with our lead regulator the Irish Data Protection Commissioner as we prepare for the EU’s new data protection regulation in 2018.