Spanish DPA issues Eur 1.2 million fine to Facebook

On September 11, 2017, the Spanish Data Protection Agency (AEPD) issued a closing resolution against Facebook deeming that the company doesn’t process data in accordance with EU data protection law.

According to the AEPD, Facebook “collects data on ideology, sex, religious beliefs, personal preferences or browsing activity without clearly informing about how and for what purpose it will use these data”. These data are processed, among others, for advertising purposes without the express consent of the users.

In addition, Facebook does not exhaustively and clearly inform users about “the information that Facebook collects about them or for what purpose they will use it.” Instead it offers only some examples and doesn’t allow users to clearly perceive that the social network collects data derived from interactions of users on the platform and on third-party sites.

The AEDP considers this violation as very serious and inflicted a fine of EUR 600,000 to Facebook.

The AEPD has also confirmed that users are not informed that their information will be processed through the use of cookies – some specifically used for advertising purposes and some for a purpose declared secret by the company – “when browsing non-Facebook pages containing the ‘Like’ button.” This being true also when users are not members of the social network or are not logged in to Facebook.

According to the AEDP, Facebook’s privacy policy contains “generic and unclear terms”, “so that a Facebook user with an average knowledge of the new technologies does not become aware of data collection or storage and subsequent processing, nor for what purpose they will be used.”

The lack of adequate consent constitutes a serious infringement and the AEDP imposed on Facebook a penalty of EUR 300.000.

Finally, “Facebook does not delete the information that it collects from the browsing habits of users”, but retains and reuses it later associated to the same user. The AEDP considers the fact that the data is not fully deleted – when no longer useful for the purpose for which it is collected nor when the user explicitly requests its removal – represents a serious infringement and fined Facebook with a penalty of EUR 300.000, bringing the total amount of the fines actually owed by Facebook to EUR 1.200.000.

Sources say Facebook will appeal the decision. However no document as been made public yet.

The full content of Resolución R/01870/2017 undertaken in the Procedimiento Nº PS/00082/2017, by the Agencia Española de Protección de Datos against FACEBOOK, INC. is available at…

Given Facebook’s privacy policy changes in January 2015, several EU Data Protection Authorities, including the AEPD, developed their respective investigation procedures in accordance with the provisions of their national legal systems.  See here the common statement by the coordinated contact group of the involved Data Protection Authorities of The Netherlands, France, Spain, Hamburg and Belgium. Click here for an overview of the national resolutions or on the name of each country to see the result of the various national procedures.

For more information on how to make your privacy policy compliant with EU data protection, contact Francesca Giannoni-Crystal and Federica Romanelli



Follow us on& Like us on