Agencia Española de Protección de Datos

The Spanish DPA fines Facebook for violating data protection regulations

  • The Agency notes that the social network collects, stores and uses data, including specially protected data, for advertising purposes without obtaining consent
  • The data on ideology, sex, religious beliefs, personal preferences or browsing activity are collected directly, through interaction with its services or from third-party pages, without clearly informing the user about how and for what purpose it will use those data
  • Facebook does not obtain unambiguous, specific and informed consent from users to process their data, since the information it offers is not adequate
  • Users' personal data are not totally canceled when they are no longer useful for the purpose for which they were collected, nor when the user explicitly requests their removal
  • The Agency declares the existence of two serious and one very serious infringements of the Data Protection Law and imposes on Facebook a total sanction of 1,200,000 euros
  • The AEPD is part of a Contact Group together with the Authorities of Belgium, France, Hamburg (Germany) and the Netherlands, which also initiated their respective investigation procedures against the company

(Madrid, September 11th, 2017). The Spanish Data Protection Agency (AEPD) has issued a closing decision in the procedure initiated against the company Facebook in order to analyze whether the data processing carried out by the social network is in accordance with the data protection regulations. The Agency declares the existence of two serious infringements and one very serious infringement of the Organic Law on Data Protection (LOPD) and imposes on Facebook a penalty of 1,200,000 euros (300,000 for each of the two serious infringements and 600,000 for the very serious one).

In the framework of its investigation the Spanish Data Protection Agency has verified that Facebook collects data on ideology, sex, religious beliefs, personal preferences or browsing activity without clearly informing about how and for what purpose it will use these data. Specifically, it has verified that the social network processes specially protected data for advertising purposes, among others, without obtaining the express consent of the users as required by data protection law, a violation classified as very serious in the LOPD.

The investigation has also shown that Facebook does not inform users in an exhaustive and clear way about the data that it will collect and the processing operations that will be carried out, and instead offers only some examples. In particular, the social network collects other data derived from users' interactions on the platform and on third-party sites without them being able to clearly perceive the information that Facebook collects about them or for what purpose it will use it.

The AEPD has also confirmed that users are not informed that their information will be processed through the use of cookies (some specifically used for advertising purposes and some for a purpose declared secret by the company) when browsing non-Facebook pages containing the 'Like' button. This situation also occurs when users are not members of the social network but have at some point visited one of its pages, as well as when users who are registered on Facebook browse through third-party pages, even without logging in to Facebook. In these cases, the platform adds the information collected on those pages to the information associated with their account in the social network. Therefore, the AEPD considers that the information provided by Facebook to users does not comply with data protection law.

The Agency has also found that the privacy policy of Facebook contains generic and unclear terms, and obliges users to access too many different links in order to learn its content. The social network refers imprecisely to the use it will make of the data it collects, so that a Facebook user with an average knowledge of the new technologies does not become aware of the data collection, storage and subsequent processing, nor of the purpose for which the data will be used. For their part, unregistered Internet users are unaware that the social network collects their browsing data.

Consequently, the Agency considers that Facebook does not adequately collect the consent of either its users or non-users, whose data are also processed, which constitutes a serious infringement.

Finally, the Agency has verified that Facebook does not delete the information that it collects from the browsing habits of users, but retains it and later reuses it associated with the same user. Regarding data retention, when social network users have deleted their accounts and requested the deletion of the information, Facebook captures and processes the information for more than 17 months through a deleted account cookie. Therefore, the AEPD considers that the personal data of the users are not fully canceled when they are no longer useful for the purpose for which they were collected, nor when the user explicitly requests their removal, as required by the LOPD, which represents a serious infringement.

Contact group

Given the changes introduced by Facebook in its terms and conditions of use in January 2015, several Data Protection Authorities of the European Union, including the AEPD, formed a Contact Group* through which to coordinate their actions. These authorities have developed their respective investigation procedures in accordance with the provisions of their national legal systems.

*The Contact Group is composed of the Data Protection Authorities of Belgium, Spain, France, Hamburg (Germany) and the Netherlands.