Facebook Slapped with €1.2m Fine for Breaching Privacy Laws in Spain

The data collection techniques employed by Facebook have long been the subject of controversial debate as concerns continue to arise regarding their storage and use of said data. Now, their data-harvesting activities have landed them in hot water once again as the Spanish data protection authority, known as the AEPD, have issued some substantial fines against the social media giant in response to recent investigations which uncovered multiple breaches of privacy laws.

The AEPD’s investigation into Facebook’s handling of user data reportedly identified three serious infringements, with one of the three being particularly severe. In response, the authority has issued Facebook with sanctions totalling €1.2million, broken down to €300,000 for each of the two lesser charges and a €600,000 fine for the more-substantial breach.

The data collection techniques employed by Facebook gather a wealth of information relating to a user’s ideology, sex, religious beliefs, personal tastes, and online navigation. This takes place both directly via an individual user’s use of Facebook services, or indirectly via third party pages. The AEPD argue that this takes place without “clearly informing the user about the use and purpose”. It is this lack of transparency that led to one of the supposed breaches of privacy laws, as not obtaining express consent of users to process sensitive personal data is classified as a very serious offense under local data protection laws.

Facebook are also in trouble over their use of browser cookies, as the regulator asserts that users are not informed when browsing non-Facebook sites that incorporate their ‘like’ button that their information will be processed through the use of such cookies.

“This situation also occurs when users are not members of the social network but have ever visited one of its pages, as well as when users who are registered on Facebook browse through third party pages, even without logging on to Facebook. In these cases, the platform adds the information collected in said pages to the one associated with your account in the social network. Therefore, the AEPD considers that the information provided by Facebook to users does not comply with data protection regulations,” the AEPD noted.

The final breach relates to the social media company’s use of harvested data once its intended use has been fulfilled, specifically the fact that said data is retained rather than deleted. Worryingly, this was found to be true even when the company had received a specific request from the user to delete their data.

The AEPD said of the issue, “Regarding data retention, when a social network user has deleted his account and requests the deletion of the information, Facebook captures and treats information for more than 17 months through a deleted account cookie. Therefore, the AEPD considers that the personal data of the users are not cancelled in full or when they are no longer useful for the purpose for which they were collected or when the user explicitly requests their removal, according to the requirements of the LOPD [local data protection law], which represents a serious infringement.”

The investigations being carried out by the AEPD and various other data protection authorities throughout Europe began following changes to Facebook’s terms and conditions in 2015. The privacy policy used by Facebook is deemed to contain “generic and unclear terms”, with the AEPD asserting that a user of the platform “with an average knowledge of the new technologies does not become aware of the collection of data, nor of their storage and subsequent treatment, nor of what they will be used”. This seems to be the root of much of Facebook’s legal troubles.

Facebook have since issued a statement in which they make known their intention to dispute the decision, all while falling back on their old defence relating to the location of their Ireland HQ and the subsequent laws to which they should abide. Their statement read as follows:

“We take note of the DPA’s decision with which we respectfully disagree. Whilst we value the opportunities we’ve had to engage with the DPA to reinforce how seriously we take the privacy of people who use Facebook, we intend to appeal this decision. As we made clear to the DPA, users choose which information they want to add to their profile and share with others, such as their religion. However, we do not use this information to target adverts to people.

“Facebook has long complied with EU data protection law through our establishment in Ireland. We remain open to continuing to discuss these issues with the DPA, whilst we work with our lead regulator the Irish Data Protection Commissioner as we prepare for the EU’s new data protection regulation in 2018.”

While the fines may seem substantial to most, to a company on the scale of Facebook who turn over ridiculous figures each year, the monetary expense will hardly be noticed. Facebook’s decision to appeal therefore is more to do with their reputation and users’ perception of the company, as they would not want to be seen as compromising the privacy of their sizeable user-base. Money is not really an issue for the social media giant, but if users start leaving the site due to such concerns, every part of the business will suffer.

Sam Bonson

Sam is an aspiring novelist with a passion for fantasy and crime thrillers. Currently working as Editor of Social Songbird, he hopes to one day drop that 'aspiring' prefix. Follow him @Songbird_Sam

Contact us on Twitter, on Facebook, or leave your comments below. To find out about social media training or management why not take a look at our website for more info: TheSMFGroup.com