Why did Facebook just receive (one of) the biggest data protection fine(s) on record

The Spanish Data Protection Authority announced today that it has fined Facebook 1.2 million euro for several breaches of the Spanish Data Protection Law. Here’s a brief note in English from Politico.eu and the full press release of the Spanish DPA (in ES).

To my knowledge, this is the biggest fine issued by a Data Protection Authority in Europe for breaches of data protection law (as always, please correct me in the comments below and I will make the changes. UPDATE: It’s worth noting that the Italian Garante, in an investigation conducted in conjunction with the Guardia di Finanza, a specialised body investigating financial crime, issued in February this year a total fine of 5.8 million euro to a company that was transferring money from Italy to China on behalf of persons without their knowledge, which also meant that it was processing personal data without consent. The total fine was reached by adding up fines for unlawfully processing the data of every person affected).

According to the press release, the Spanish DPA found two “serious breaches” and one “very serious breach” of the Spanish Data Protection Law. The investigation is part of a joint initiative of a Contact Group composed of the DPAs of Belgium, France, Hamburg and the Netherlands.

So what prompted this record fine?

According to the press release (please note that all quotes are unofficial translations made by me, so they must not be relied on for legal advice. UPDATE: An official press release is now available in English):

  • Personal data on political views, religious beliefs, sex, personal preferences or location are collected directly, through the mere interaction of the data subject with Facebook services or with third-party webpages, without clearly informing the user about the use and the purposes of collecting this data.
  • Facebook does not obtain unequivocal, specific and informed consent from users to process their data, because it does not properly inform data subjects.

Each of the serious breaches was fined with 300,000 EUR and the very serious breach was fined with 600,000 EUR.

The very serious breach was that “the social network processes special categories of data for marketing purposes, among others, without obtaining explicit consent of users, as requested by the data protection law”.

“The investigation made it possible to prove that Facebook does not inform users in an exhaustive and clear manner about the data it is going to collect and the processing operations it is going to carry out with that data, limiting itself to giving only some examples. In particular, the social network collects other data derived from the interactions carried out by users, both on the platform itself and on third-party websites, without users being able to clearly perceive which data Facebook collects about them, or the purposes for which the data is collected”, according to the press release.

The DPA also took into account that “users are not informed about how their data are processed through the use of cookies – some of them used exclusively for marketing purposes and some of them used for a purpose that the company categorised as ‘secret’ – when they access web pages that do not belong to the company but contain the ‘Like’ button”. The DPA also mentions the situation of users who are not registered with the social platform but at some point visit one of the platform’s pages: their data is also retained by the social network.

The DPA also found that “the privacy policy contains general formulations that are not clear, and it obliges the user to access a multitude of links to be able to read it”. On the one hand, the DPA notes, a Facebook user with an average knowledge of how new technology works is not able to fully grasp the extent of the data collection, how the data is subsequently used, or why it is used. On the other hand, non-users are not at all able to be aware of how their data is used.

Finally, the DPA also referred to the fact that it was able to prove that Facebook does not delete the data it collects on the basis of users’ online browsing habits, retaining it and reusing it in association with the same user. “Concerning data retention, when a user deletes their account and asks for the deletion of their data, Facebook retains and processes the data for another 17 months through a cookie. This is why the DPA considers that the personal data of users are not completely deleted, neither when they are no longer necessary for the purposes for which they were collected, nor when the user explicitly requires their deletion”.

This decision shows, yet again, how important transparency towards the data subject is! As you will also see soon in my commentary on the Barbulescu v Romania judgment of the ECHR Grand Chamber of last week, correctly and fully informing the data subject is key to data protection compliance.


2 responses to “Why did Facebook just receive (one of) the biggest data protection fine(s) on record”

  1. Thanks for your analysis of this decision.

    I don’t think that this can be stated to be the largest fine issued by a European DPA. In February this year, the Italian Garante issued a single fine of €5.9 million, in a package of fines to five companies that amounted together to around €11 million.

    There have been other large fines related to data protection in Europe, but which were not from DPAs. The UK Financial Services Authority fined HSBC €3.2 million in 2009 for being careless in its security for customer data.

    Many DPAs are currently limited by the maximum fines they are permitted to issue.


    • Hi Robert!

      Thank you for your comment. I know about the efforts in Italy, but as those investigations were always in cooperation either with the Guardia di Finanza (the company sanctioned with that 5.9 mil fine was investigated for transferring small sums of money to China without the consent of individuals, which also involved the fact that their data was processed without consent), or with/by the Competition and Consumer Protection Law authorities, I didn’t look at them as purely data protection investigations and fines. But thank you for reminding me, I will make a note about that case in the text.

      I am very much aware of the fact that many DPAs are limited by the maximum fines they are permitted to issue. Think, for instance, that the maximum fine the Romanian DPA can issue is 10.800 EUR (50.000 RON), which is a bit ridiculous if you think about it.
      In fact, even the Garante had to be creative to issue that fine in the China money transfers investigation, adding fines for the mishandling of the data of each person that was affected to reach that total sum.

