Selecciona Edición
Selecciona Edición
Tamaño letra


Spanish data protection agency slaps Facebook with €1.2 million fine

Social network found to have compiled and stored information without proper authorization

The Spanish Data Protection Agency (AEPD) has slapped Facebook with a €1.2 million fine for breaking laws regarding the use of its users’ personal data. The agency has found that the social network compiles, stores and makes use of user information for advertising purposes without having previously obtained authorization to do so.

Facebook has said it will appeal the fine from the data-protection agency. REUTERS

For its part, Facebook has responded saying that it “respectfully disagrees” with the agency’s decision, and as such plans to appeal the fine. “As we informed the AEPD, it is the users who decide what information they want to add to their profile and share with others, such as their religion,” the social network explained via a written statement. What’s more, it added that it does not use that information to show specific advertisements to its users.

According to the ruling made public today by the AEPD, Facebook has obtained information about the ideology, sex, religious beliefs, personal tastes and navigation of its users without having first secured “unequivocal consent.” As such, it believes that the tech giant has committed two serious infractions and one very serious infraction of Spain’s data protection law, meaning two €300,000 fines for the former and a €600,000 fine for the latter.

Facebook has obtained information about the ideology, sex, religious beliefs, personal tastes and navigation of its users without having first secured “unequivocal consent”

The investigation carried out by the agency found that the US firm, which counts on more than two billion users throughout the world, does not exhaustively nor clearly give information about the data that will be collected and the use that will be made of it, simply giving several examples instead. According to the findings of the AEPD, the social network collects other data deriving from the interaction between users of the site and third-party websites, without them clearly being able to see the information that Facebook collects about them nor how it will be used.

The agency also found that Facebook’s privacy policy contains “generic and unclear expressions,” and forces users to access a number of different links in order to access it. The social network makes imprecise references to the use that will be made of the data that is collected, in such a way that the user is not conscious of the data collection the company carries out, nor of the storage of that data.

The AEPD has also confirmed that users are not informed that their information is going to be collected via the use of cookies when they visit pages that are not on the Facebook site but that contain the social network’s “Like” button.

What’s more, the Spanish regulator argues that the personal data of users are not completely deleted when they are no longer useful for the purpose they were collected, nor when the user explicitly requests their deletion. The agency has confirmed that Facebook does not eliminate the information that it collects based on the browsing habits of its users, but rather it keeps it and reuses it later. What’s more, when a user of the social network deletes their account and requests for their information to be deleted, Facebook captures and processes data for a further 17 months via a cookie from the closed-down account.

“Facebook meets European Union data protection law from our center in Ireland,” the company said in a statement. “We are open to continue discussing these issues with the AEPD while we work with the Irish Data Protection Agency and we prepare for the new 2018 European Union regulations,” the social network insisted.

More information