Facebook fined in Spain for privacy violations

Facebook has been found guilty of breaches of privacy laws and fined a total of €1.2m (£1.1m), by the country’s data watchdog.

Like most countries, Spain has a number of laws which are designed to protect the information and privacy of its citizens both online and in the real world. These laws are enforced by the Spanish Data Protection Watchdog, the AGPD.

In recent months, they have been conducting an investigation into Facebook alongside similar probes which are taking place in a number of other EU countries, notably Belgium, France, Germany and the Netherlands.

Facebook privacy failings

They have now concluded that Facebook is guilty of failing to properly inform its users about on how they would use a whole host of personal information, particularly for the purposes of advertising. This includes such details as ideology, sex, religious beliefs, personal interests and browsing habits.

But that was not all. They also accused Facebook of failing to inform users of how they use data they collect from third-party websites as well as failing to obtain user consent to use this data.

Their use of cookies to track users who visited their pages without actually signing up with them was also deemed to be illegal. Internet users who visit a page with a Facebook ‘Like’ button embedded on it also have their online activity tracked via cookies. According to the AGPD, while some of this data was declared for advertising, others uses are kept secret and not made clear by the company.

And there was more. The AGPD concluded that Facebook had retained data from users who had deleted their accounts for more than 17 months, which was also an infringement on their rights. Rather than delete this information, Facebook “retains and reuses it later associated with the same user”.

‘Serious infringements’

In a statement, the AGPD said “Facebook’s privacy policy contains generic and unclear terms…. The social network uses specifically protected data for advertising, among other purposes, without obtaining users’ express consent as data protection law demands, a serious infringement.”

They concluded that any Facebook user “with an average knowledge of the new technologies does not become aware of the collection of data, nor of their storage and subsequent treatment, nor of what they will be used”.

Even though the amount of fine imposed on Facebook is a drop in the ocean for a company which has a quarterly revenue of US$8 billion, they will be appealing against the decision on principle.

The Ireland excuse

In a statement, Facebook said “As we made clear to the DPA, users choose which information they want to add to their profile and share with others, such as their religion. However, we do not use this information to target adverts to people. Facebook has long complied with EU data protection law through our establishment in Ireland.”

Facebook has long argued in such cases that as their European headquarters is located in Dublin, they should be regulated under Irish data protection laws rather than subject to laws in every country where their service is used.

While the fine in this instance is a modest one, Facebook is more concerned with the long-term EU data protection position. New rules which will soon come into force would allow fines of up to 4% of their global annual turnover for privacy violations. Such a fine would obviously be considerably larger and have a much greater impact on their global finances.

But such legal technicalities and the levels of the fine handed down will not matter much to the average internet user. Rather they will be more concerned that Facebook has once again been called out for its abuse of user data.

Even if you are one of the people who can accept Facebook monetising data posted on their site by targeted you with adverts, their surreptitious use of data from external sites with a Facebook plugin and closed accounts will be much harder to stomach.

But it would be naïve to think that Facebook is alone in such practices and these findings should reinforce to everybody just how careful and selective we should be with the personal information we place in the public domain on social media sites.