The Spanish Data Protection Authority announced today that it has fined Facebook 1.2 million euro for several breaches of the Spanish Data Protection Law. Here’s a brief note in English from Politico.eu and the full press release of the Spanish DPA (in ES).
As per my knowledge, this is the biggest fine issued by a Data Protection Authority in Europe for breaches of data protection law (as always, please correct me in the comments below and I will make the changes. UPDATE: It’s worth noting that the Italian Garante, in an investigation conducted in conjunction with the Guardia di Finanza – a specialised body investigating financial criminal conduct – issued in February this year a total fine of 5.8 million euro to a company that was transferring money from Italy to China on behalf of persons without their knowledge, which also meant that it was processing personal data without consent. The total fine was reached by adding up fines for unlawfully processing the data of every person affected).
According to the press release, the Spanish DPA found two “serious breaches” and one “very serious breach” of the Spanish Data Protection Law. This investigation is a part of a joint initiative of a Contact Group composed of the DPAs from Belgium, France, Hamburg and The Netherlands.
So what prompted this record fine?
According to the press release (please note that all quotes are unofficial translations made by me, so they must not be relied on for legal advice. UPDATE: An official press release is now available in English):
- Personal data on political views, religious beliefs, sex, personal preferences or location data are collected directly, via mere interaction of the data subject with Facebook services or with third-party webpages, without clearly informing the user about the use and the purposes of collecting this data.
- Facebook does not obtain unequivocal, specific and informed consent from users to process their data, because it does not properly inform data subjects.
Each of the serious breaches was fined 300,000 EUR and the very serious breach was fined 600,000 EUR.
The very serious breach was that “the social network processes special categories of data for marketing purposes, among others, without obtaining explicit consent of users, as requested by the data protection law”.
“The investigation allowed to prove that Facebook does not inform users in an exhaustive and clear manner about the data that they are going to collect and the processing operations they are going to engage in with that data, limiting themselves to only giving some examples. In particular, the social network collects other data derived from the interaction carried out by users, both on the platform itself and on third-party websites, without them being able to clearly perceive the data that Facebook collects about them, or the purposes for which the data is collected”, according to the press release.
Finally, the DPA also referred to the fact that it was able to prove that Facebook does not delete data that it collects on the basis of users’ online browsing habits, retaining it and reusing it in association with the same user. “Concerning data retention, when a user deletes their account and asks for deletion of data, Facebook retains and processes data for another 17 months through a cookie. This is why the DPA considers that the personal data of users are not completely deleted either when they stop being necessary for the purposes for which they were collected, or when the user explicitly requires their deletion”.
This decision shows, yet again, how important transparency towards the data subject is! As you will also see soon in my commentary on the Barbulescu v Romania judgment delivered by the ECHR Grand Chamber last week, correctly and fully informing the data subject is key to data protection compliance.