The Spanish Data Protection Agency (AEPD) has slapped Facebook with a €1.2 million fine for breaking laws regarding the use of its users’ personal data. The agency has found that the social network compiles, stores and makes use of user information for advertising purposes without having previously obtained authorization to do so.
For its part, Facebook has responded saying that it “respectfully disagrees” with the agency’s decision, and as such plans to appeal the fine. “As we informed the AEPD, it is the users who decide what information they want to add to their profile and share with others, such as their religion,” the social network explained via a written statement. What’s more, it added that it does not use that information to show specific advertisements to its users.
According to the ruling made public today by the AEPD, Facebook has obtained information about the ideology, sex, religious beliefs, personal tastes and navigation of its users without having first secured “unequivocal consent.” As such, it believes that the tech giant has committed two serious infractions and one very serious infraction of Spain’s data protection law, meaning two €300,000 fines for the former and a €600,000 fine for the latter.
Facebook has obtained information about the ideology, sex, religious beliefs, personal tastes and navigation of its users without having first secured “unequivocal consent”
The investigation carried out by the agency found that the US firm, which counts on more than two billion users throughout the world, does not exhaustively nor clearly give information about the data that will be collected and the use that will be made of it, simply giving several examples instead. According to the findings of the AEPD, the social network collects other data deriving from the interaction between users of the site and third-party websites, without them clearly being able to see the information that Facebook collects about them nor how it will be used.
What’s more, the Spanish regulator argues that the personal data of users are not completely deleted when they are no longer useful for the purpose they were collected, nor when the user explicitly requests their deletion. The agency has confirmed that Facebook does not eliminate the information that it collects based on the browsing habits of its users, but rather it keeps it and reuses it later. What’s more, when a user of the social network deletes their account and requests for their information to be deleted, Facebook captures and processes data for a further 17 months via a cookie from the closed-down account.
“Facebook meets European Union data protection law from our center in Ireland,” the company said in a statement. “We are open to continue discussing these issues with the AEPD while we work with the Irish Data Protection Agency and we prepare for the new 2018 European Union regulations,” the social network insisted.