The Spanish Data Protection Authority (AEPD) has imposed a fine of €1.2 million against Facebook following its investigation into whether Facebook’s data processing activities were in accordance with the Spanish Data Protection Act (Law 15/1999) (the Act).
In its decision, the AEPD concluded that Facebook had committed serious breaches of the Act, as discussed further below.
Processing sensitive personal data for advertising purposes without consent
The AEPD held that Facebook did not obtain its users’ consent for the collection of their sensitive personal data in accordance with the requirements of the Act, since the consent obtained was not valid, express and in writing.
It was noted that Facebook uses the preferences of its users to profile them based on their sensitive personal data and to offer content in relation to that profile. However, Facebook did not establish a separate procedure for the treatment of sensitive personal data: prior consent was not requested, and all personal data was used for profiling for advertising purposes by default. For example, when configuring a user’s profile, the “Basic and Contact Information” section includes options to “add your religious beliefs” and “add your political ideology”. However, Facebook does not request express consent from the user for the use of this information for advertising purposes, nor is the user informed at any stage that their data will be used for that purpose.
Failure to provide clear and transparent notice of how Facebook collects and uses personal data on the Facebook platform and third-party websites
Further, the AEPD criticised that users aged 13 can register with Facebook without any requirement to obtain the consent of the user’s parents or guardian.
Retention of user data following requests for removal of accounts and to delete information
The AEPD held that the personal data of Facebook users is not deleted when it is no longer required for the purpose for which it was originally collected, or when the user explicitly requests the deletion of their data. For example, cookie information relating to a deleted account is stored by Facebook for more than 17 months and is subsequently associated with a new user where an account is set up using the same email address. Moreover, Facebook continues to collect and process data relating to the deleted account during this 17-month period. The AEPD also criticised Facebook for retaining the IP addresses from which a user’s Facebook account was accessed for at least 11 months without anonymising this information.
Facebook is also being investigated by the relevant authorities in Belgium, France, Germany (Hamburg) and the Netherlands, so it will be interesting to note the decisions in these cases and any subsequent fines that may be imposed.
Businesses should already be looking at their privacy notices and consent mechanisms (where seeking to rely on this as a legal ground for processing personal data) in preparation for the General Data Protection Regulation (GDPR). However, this case is a useful reminder that transparency is key when dealing with users, and privacy policies need to be clear and user-friendly to enable users to understand exactly what happens with their data, especially as the AEPD imposed the fine on the basis of the current data protection law, whereas the relevant requirements will be more stringent under the GDPR. In particular, when dealing with sensitive personal data, it is essential to check that consents obtained from users meet GDPR standards (or that any of the other Article 9 exceptions have been correctly applied). Finally, businesses should be thinking about data retention policies and how to explain these to users so that it is clear how long their data will be held by an organisation. There may, of course, be other legitimate reasons for holding on to some of the data, but where a user requests that their account is deleted, it should be made clear to them what data will or will not be deleted, and why.