Spanish Data Privacy Regulator Fines Facebook $1.5mn

Facebook has been fined $1.5 million (€1.2 million) by Spain’s data privacy regulator, which stated that the social network “does not adequately collect the consent of either its users or nonusers, which constitutes a serious infringement.”

The agency (AEPD) said that Facebook collects data for advertising purposes, including political ideology, sex, religious beliefs, personal tastes and browsing history, without users being aware that it is happening or for what purpose the data will be used. In other words, it uses cookies to track what its users do on the web, including on non-Facebook sites.

There’s also the issue of data retention.

“When a social network user has deleted his account and requests the deletion of the information, Facebook still keeps the information for more than 17 months, through a deleted account cookie,” the agency said. “Therefore, the personal data of the users is not canceled in full when it is no longer useful for the purpose for which it was collected, nor when the user explicitly requests its removal.”

Further, Facebook's privacy policy “contains generic and unclear expressions,” AEPD said, adding that it takes many levels of navigation on the part of users to even find it.

Instead, Facebook should obtain “unequivocal, specific and informed consent” from members in order to use their data, the regulator said, and must offer the right to be forgotten to users. Since it doesn’t, the AEPD found two “serious” violations and one “very serious” violation of the country’s Organic Law on Data Protection (LOPD), for which it fined the social network €300,000 for each of the former and €600,000 for the latter.

Pete Zimmerman, vice president of client services and operations at Sonian, said that the Spanish regulator is probably making an example of the high-profile company, given that we are eight months out from GDPR officially going into effect.

“Spain has always had strong data protection laws, and it’s something we’ve experienced with our Spanish customers,” he said. “However, due to limited resources, Spain can only afford to go after the big guys like Facebook. With GDPR going into effect, we could see more resources put behind penalization of regulatory infringement.”

Zimmerman also anticipates that more large US companies will be some of the first to be hit with GDPR fines.

This isn’t the only time that Facebook has run afoul of data regulators in Europe. Earlier this year, the European Commission slapped it with a $122m fine for providing "incorrect or misleading" information during its purchase of WhatsApp in 2014.

The European Union’s antitrust regulators said that Facebook had originally insisted that it wouldn’t combine its own data with that of WhatsApp, which has more than one billion users. It didn’t carry through on that promise, however—in August 2016 it announced that it would begin doing just that. That sent up a red flag for those concerned that this kind of data scale offers an unfair advantage when it comes to advertising and psychometrics.

Facebook was also fined €3 million earlier in the year by the Italian competition and consumer authority and €150,000 by the French data protection regulator in relation to the company's use of customer data. In addition, a competition investigation in Germany into Facebook's privacy practices remains ongoing.
