The Spanish Data Protection Authority (AEPD) has imposed a fine of €1.2 million against Facebook following its investigation into whether Facebook’s data processing activities were in accordance with the Spanish Data Protection Act (Law 15/1999) (the Act).
In its decision, the AEPD concluded that Facebook had committed serious breaches of the Act, as discussed further below.
Processing sensitive personal data for advertising purposes without consent
The AEPD held that Facebook did not obtain its users’ consent for the collection of their sensitive personal data in accordance with the requirements of the Act, since the consent obtained was not valid, express and in writing.
It was noted that Facebook uses the preferences of its users to profile them based on their sensitive personal data, and offer content in relation to that profile. However, Facebook did not establish a separate procedure for the treatment of sensitive personal data, as prior consent was not requested, and all personal data was used for profiling for advertising purposes by default. For example, when configuring a user’s profile, the “Basic and Contact Information” section includes options to “add your religious beliefs” and “add your political ideology”. However, Facebook does not request the user’s express consent to the use of this information for advertising purposes, nor is the user informed at any stage that their data will be used for that purpose.