Spain fines Facebook for violating data protection regulations
The Agency declares the existence of two serious infringements and one very serious of the Organic Law on Data Protection (LOPD) and imposes on Facebook a penalty of 1,200,000 euros -300,000 for each of the first and 600,000 for the second.
In the framework of its investigation the Spanish Data Protection Agency has verified that Facebook collects data on ideology, sex, religious beliefs, personal preferences or browsing activity without clearly informing about how and for what purpose it will use these data.
Specifically, it has verified that the social network processes specially protected data for advertising purposes, among others, without obtaining the express consent of the users as required by data protection law, a violation classified as very serious in the LOPD.
The investigation has also shown that Facebook does not inform users in an exhaustive and clear way about the data that will collect and the processing operations that will be carried out, and instead offers only some examples.
In particular, the social network collects other data derived from interactions of users on the platform and on third-party sites without them being able to clearly perceive the information that Facebook collects about them or for what purpose they will use it.
This situation also occurs when users are not members of the social network but have ever visited one of its pages, as well as when the users who are registered on Facebook browse through third party pages, even without logging in to Facebook.
In these cases, the platform adds the information collected in those pages to the one associated with their account in the social network.
Therefore, the AEPD considers that the information provided by Facebook to users does not comply with data protection law.
The social network inaccurately refers to the use it will make of the data it collects, so that a Facebook user with an average knowledge of the new technologies does not become aware of data collection or storage and subsequent processing, nor for what purpose they will be used.
For their part, unregistered Internet users are unaware that the social network collects their browsing data.
Consequently, the Agency considers that Facebook does not adequately collect the consent of either its users or those who are not - and whose data are also process, which constitutes a serious infringement.
Finally, the Agency has verified that Facebook does not delete the information that it collects from the browsing habits of users, but retains and reuses it later associated to the same user.
Regarding data retention, when social network users have deleted their accounts and request the deletion of the information, Facebook captures and process the information for more than 17 months through a deleted account cookie.
Therefore, the AEPD considers that the personal data of the users are not fully canceled when they are no longer useful for the purpose for which they were collected nor when the user explicitly requests their removal, according to the requirements of the LOPD, which represents a serious infringement. ■