Spain has slapped Facebook with a €1.2m fine for breach of privacy laws

12 Sep 2017

Madrid cityscape. Image: Sean Pavone/Shutterstock

Social networking giant Facebook continues to run the gauntlet of Europe’s legal apparatus.

Facebook, the world’s biggest social network, has been slapped with a €1.2m fine by Spanish privacy authorities for allegedly collecting personal data on Spanish users without informing them how that data was going to be used.

The ruling by Spain’s data protection watchdog has prompted French, German and Dutch data authorities to focus on how Facebook holds and uses their citizens’ data.

‘Facebook has long complied with EU data protection law through our establishment in Ireland’

The Spanish Data Protection Agency alleges that Facebook collected personal data from its users in Spain without obtaining their “unequivocal consent”.

“Facebook collects data on ideology, sex, religious beliefs, personal tastes or navigation without clearly informing about the use and purpose that it will give them,” the agency said in a statement.

It warned that Facebook’s privacy policy contained generic and unclear terms, and does not “adequately collect the consent of either users or non-users.

“The social network uses specifically protected data for advertising, among other purposes, without obtaining users’ express consent as data protection law demand – a serious infringement,” it said.

It added that when users requested that their data be removed, Facebook did not do so.

As such, the Spanish agency said it has fined Facebook €600,000 for violating the country’s data protection rules, and €300,000 apiece for two serious violations.

GDPR is coming

Facebook said it will appeal the decision.

The social network overturned a similar judgement in Belgium after it argued that its base in Ireland means that it is only subject to Irish law.

However, with the EU General Data Protection Regulation (GDPR) looming in May 2018 – which harmonises EU privacy laws and comes with hefty fines – Facebook may not be able to get away so lightly in the future.

€1.2m is a drop in the ocean of advertising cash amassed by Facebook, which recorded second-quarter revenues of €9.3bn.

In a statement, Facebook said: “We take note of the Data Protection Authority’s (DPA) decision, with which we respectfully disagree. Whilst we value the opportunities we’ve had to engage with the DPA to reinforce how seriously we take the privacy of people who use Facebook, we intend to appeal this decision.

“As we made clear to the DPA, users choose which information they want to add to their profile and share with others, such as their religion. However, we do not use this information to target adverts to people.

“Facebook has long complied with EU data protection law through our establishment in Ireland. We remain open to continuing to discuss these issues with the DPA, whilst we work with our lead regulator, the Irish Data Protection Commissioner, as we prepare for the EU’s new data protection regulation in 2018.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years