Spain’s Data Protection Authority—the Agencia Española de Protección de Datos (AEPD)—issued a 1.2 million euro fine against Facebook after it found three instances when the company collected data without informing users, as required by European Union privacy laws.
AEPD Findings
The AEPD found multiple issues with how Facebook gathered data on Spanish users.
One of the issues was that Facebook collects data on ideology, sex, and religious beliefs, as well as personal tastes and web surfing habits without informing the users about how that data will be used.
A second issue was that Facebook wasn’t obtaining specific and informed consent from the users because the data it was offering them about the collection was not sufficiently clear.
The company has been tracking both users and non-users of the service through the Like button across the web without informing them about this sort of tracking, nor about what it plans to do with the data. The company has said that the collection is done for advertising purposes before, but some purposes remain secret, according to the Spanish Data Protection Authority. The AEPD said this sort of collection doesn’t comply with the EU’s data protection regulations.
The Spanish agency also complained that Facebook’s privacy policy contains language that wouldn’t be easy for an “average user” to understand. The AEPD concluded that neither users nor non-users have sufficient knowledge about how Facebook collects and uses their data.
Finally, the AEPD also noticed that Facebook has not been completely purging the data about users who had already deleted their accounts and that Facebook was making use of accounts’ data that have been deleted for more than 17 months. Considering the data that has remained behind is no longer useful for the purpose for which it was collected, the agency considered this another serious infringement of EU privacy laws.
Déjà Vu
Facebook was also previously ordered to pay a fine by a Belgium court over similar infringements. However, the ruling was overturned by an appeals court because Facebook operates from Ireland, and Belgium had no jurisdiction over the company. It remains to be seen if this case will end the same way.
