On September 11, 2017, the Spanish Data Protection Agency (AEPD) issued a closing resolution against Facebook deeming that the company doesn’t process data in accordance with EU data protection law.
According to the AEPD, Facebook “collects data on ideology, sex, religious beliefs, personal preferences or browsing activity without clearly informing about how and for what purpose it will use these data”. These data are processed, among others, for advertising purposes without the express consent of the users.
In addition, Facebook does not exhaustively and clearly inform users about “the information that Facebook collects about them or for what purpose they will use it.” Instead it offers only some examples and doesn’t allow users to clearly perceive that the social network collects data derived from interactions of users on the platform and on third-party sites.
The AEDP considers this violation as very serious and inflicted a fine of EUR 600,000 to Facebook.
The lack of adequate consent constitutes a serious infringement and the AEDP imposed on Facebook a penalty of EUR 300.000.
Finally, “Facebook does not delete the information that it collects from the browsing habits of users”, but retains and reuses it later associated to the same user. The AEDP considers the fact that the data is not fully deleted – when no longer useful for the purpose for which it is collected nor when the user explicitly requests its removal – represents a serious infringement and fined Facebook with a penalty of EUR 300.000, bringing the total amount of the fines actually owed by Facebook to EUR 1.200.000.
Sources say Facebook will appeal the decision. However no document as been made public yet.
The full content of Resolución R/01870/2017 undertaken in the Procedimiento Nº PS/00082/2017, by the Agencia Española de Protección de Datos against FACEBOOK, INC. is available at http://www.agpd.es…