Facebook fined €1.2M for privacy violations in Spain

Another privacy-related fine for Facebook in Europe: The Spanish data protection regulator has issued a €1.2M (~$1.4M) fine against the social media behemoth for a series of violations regarding its data-harvesting activities.

Spain’s AEPD said an investigation into how Facebook collects, stores and uses data for advertising purposes found it is doing so without obtaining adequate user consent.

It says it identified two serious infringements and one very serious infringement of data protection law — with the total sanction breaking down to €300,000 for each of the first breaches and €600,000 for the second.

The regulator found Facebook collects data on ideology, sex, religious beliefs, personal tastes and navigation — either directly, through users’ use of its services or from third party pages — without, in its judgement, “clearly informing the user about the use and purpose”.

Not obtaining express consent of users to process sensitive personal data is classified as a very serious offense under local DP law.

Facebook’s use of web browsing cookies was also found in violation of privacy laws, with the regulator saying it confirmed users are not informed that their information will be processed through the use of cookies when they are browsing non-Facebook pages that contain Facebook’s ‘Like’ button social plug in — noting that while some of the use of this data is declared as being for advertising, other use is “secret”, i.e. not disclosed by the company.

“This situation also occurs when users are not members of the social network but have ever visited one of its pages, as well as when users who are registered on Facebook browse through third party pages, even without logging on to Facebook. In these cases, the platform adds the information collected in said pages to the one associated with your account in the social network. Therefore, the AEPD considers that the information provided by Facebook to users does not comply with data protection regulations,” it noted.

The regulator is also unhappy that Facebook does not delete harvested data once it has finished using it — saying it had been able to verify Facebook does not delete web browsing habits data, but  in fact “retains and reuses it later associated with the same user”.

It also found this to be true even when the company had been explicitly requested to delete data by a user.

“Regarding data retention, when a social network user has deleted his account and requests the deletion of the information, Facebook captures and treats information for more than 17 months through a deleted account cookie. Therefore, the AEPD considers that the personal data of the users are not canceled in full or when they are no longer useful for the purpose for which they were collected or when the user explicitly requests their removal, according to the requirements of the LOPD [local data protection law], which represents a serious infringement,” it said.

The AEPR, which noted it liaised with other DPAs — in Belgium, France, Germany (Hamburg) and the Netherlands, which also have their own separate investigations into these issues, initiated following Facebook’s 2015 T&Cs change — said Facebook’s existing privacy policy was judged to contain “generic and unclear terms”, and to “inaccurately” refer to the use it will make of the data it collects.

The regulator asserted that a Facebook user “with an average knowledge of the new technologies does not become aware of the collection of data, nor of their storage and subsequent treatment, nor of what they will be used”.

It also points out that unregistered Internet users would not be unaware that the social network collects their browsing data — something that has already got Facebook into trouble with other European DPAs.

Commenting on the regulator’s action, a Facebook spokesperson told us the company intends to appeal the decision, while also noting that its European business is (currently) regulated under Irish data protection rules, where its EU HQ is sited.

It provided the following statement:

We take note of the DPA’s decision with which we respectfully disagree. Whilst we value the opportunities we’ve had to engage with the DPA to reinforce how seriously we take the privacy of people who use Facebook, we intend to appeal this decision. As we made clear to the DPA, users choose which information they want to add to their profile and share with others, such as their religion. However, we do not use this information to target adverts to people.

Facebook has long complied with EU data protection law through our establishment in Ireland. We remain open to continuing to discuss these issues with the DPA, whilst we work with our lead regulator the Irish Data Protection Commissioner as we prepare for the EU’s new data protection regulation in 2018.

The size of the AEPR fine is of course a mere pinprick for Facebook whose 2016 revenue was $27.64BN. So really its appeal against the fine is about the company trying to bat away any perception that it violates privacy by refuting the substance of the violations being asserted here.

But seen through the prism of stricter incoming EU data protection rules, under the new GDPR regime which comes into force next May, there are certainly serious financial considerations for Facebook’s business pertaining to privacy — as the new EU regime includes a far larger stick to beat companies that are judged to have violated data protection rules while also tightening up privacy rules by, for example, expanding the definition of personal data and giving EU citizens the right to ask for their data to be deleted.

Companies will be facing fines of up to 4% of their global annual turnover for privacy violations under GDPR. So, in Facebook’s case, privacy-related fines could start to scale to over a billion dollars. And penalties of that size aren’t something the tech giant can too often and too easily sweep under its revenue carpet.

Even as GDPR strengthens the consent requirements for processing personal data, and expands the risk of holding and processing lots of personal data.

In addition, a company like Facebook, which processes data across multiple EU Member States’ territories, may find the new regulation creates a situation where it faces more concerted action from other DPAs, i.e. beyond their local data authority where they’ve established a European base. So, in Facebook’s case, it may not so easily be able to claim to be only under the jurisdiction of the Irish DPA. And in Europe, it’s fair to say that some DPAs are decided more pro-privacy than others.

Asked about its GDPR preparations, Facebook previously told us it has designated a cross-functional team to “fully analyze the legislation and help us understand what this would mean from a legal, policy and product perspective” — saying this is “the largest cross functional team in the history of the Facebook family”.

It is also now looking to recruit a data protection officer — a position mandated under GDPR.

“Ahead of next May we are working with our product, design and engineering teams to enhance existing products and build new products in a way that simultaneously provides an intuitive, user-centric experience and permits us to meet our obligations under the GDPR,” added Stephen Deadman, Facebook’s deputy chief global privacy officer, in a statement.