Facebook hit with €1.2 million fine for Spanish privacy violations

That Facebook is causing ripples when it comes to privacy will come as little surprise to anyone. Like Google, the social network and its users have an interesting relationship with privacy. Facebook is facing a particular problem in Europe, and the latest installment of the saga sees the company being fined €1.2 million ($1.44 million) by the Spanish data regulator AEPD.

After an investigation into Facebook, the regulator found that the company had gathered sensitive personal data without consent, and this constituted a very serious infringement of data protection laws. The investigation also identified two "serious" violations, including tracking users through the use of Like buttons embedded in non-Facebook pages.

The second "serious" violation saw Facebook failing to delete the data it harvests when it has finished using it, and the data protection regulator noted that the company "retains and reuses it later associated with the same user". Both of these violations resulted in €300,000 fines.

AEPD was unhappy with the fact that Facebook gathered "gender, religious beliefs, personal tastes and browsing history" data without letting users know how this data would be utilized. This "very serious" violation resulted in a €600,000 fine.

Announcing its findings, the AEPD said that most Facebook users were unclear about how the company collects, stores and uses their data: "Facebook's privacy policy contains generic and unclear terms. The agency considers that Facebook does not adequately collect the consent of either its users or nonusers, which constitutes a serious infringement."

The regulator was not impressed by Facebook's tracking of non-users or users of the social network who were not logged into their accounts:

This situation also occurs when users are not members of the social network but have ever visited one of its pages, as well as when users who are registered on Facebook browse through third party pages, even without logging on to Facebook. In these cases, the platform adds the information collected in said pages to the one associated with your account in the social network. Therefore, the AEPD considers that the information provided by Facebook to users does not comply with data protection regulations

While Facebook has acknowledged the data protection agency's ruling, it is not in agreement:

We take note of the DPA's decision with which we respectfully disagree. Whilst we value the opportunities we've had to engage with the DPA to reinforce how seriously we take the privacy of people who use Facebook, we intend to appeal this decision. As we made clear to the DPA, users choose which information they want to add to their profile and share with others, such as their religion. However, we do not use this information to target adverts to people.

Facebook has long complied with EU data protection law through our establishment in Ireland. We remain open to continuing to discuss these issues with the DPA, whilst we work with our lead regulator the Irish Data Protection Commissioner as we prepare for the EU's new data protection regulation in 2018.

Image credit: rvlsoft / Shutterstock