Spanish DPA issues 1.2€ Million fine on Facebook for lack of transparency (among others) – with the potential for more fines from other DPAs
The Spanish Data Protection Agency (AEPD) imposed a sanction of 1.200.000 € against Facebook after determining it has committed several severe breaches of the Spanish Data Protection Act (The AEPD's press release can be found here).
The Belgian, French, Hamburg and Netherlands DPAs are also investigating Facebook on these issues and further fines are expected.
Why was Facebook fined?
According to the AEPD's statement, the key grounds for the fine are as follows:
-
Lack of transparency about the collection and processing of data on the Facebook website:
The AEPD describes Facebook's privacy policy as "vague" and considers it does not provide clear and detailed information about the processing purposes or what data is collected. It specifically criticizes that Facebook only provides some examples of what the purposes are. The AEPD also considers that users have to access too many different links in order to get to know the privacy policy.
-
Lack of transparency about the collection and processing of data on third party websites:
The AEPD maintains that users are not sufficiently informed about the use of Facebook cookies, for example when they navigate third party sites. According to the AEPD, the average user is oblivious to the fact that Facebook drops cookies when the third party website has a Facebook "like" button or when a non-account holder visits a Facebook page. Also, Facebook does not warn account holders that when they navigate other websites (even if they are not logged into their Facebook account at the time) Facebook tracks their activities via cookies and combines that information with their account information for profiling purposes.
-
Processing data (including sensitive data) without consent:
The AEPD goes on to explain that sensitive data (such as political and religious beliefs) are processed by Facebook as a result of Facebook user and non-users interaction with their website or linked third party sites. In the AEPD's opinion, Facebook does not collect adequate consents, mainly (i) because it does not provide clear and transparent information about the processing purposes, (ii) it does not inform non-users that their data is also collected and (iii) in the case of sensitive data, it does not obtain explicit consent.
-
Retaining data:
The AEPD found that Facebook does not delete all user data at the request of the relevant user (for example, when they delete their account). Specifically, Facebook continues to obtain, retains and reuses data for over 17 months, even after a user account is deleted. Moreover, Facebook was found to not delete data when it is no longer necessary for the purpose it was collected.
What should companies learn from Facebook's experience?
-
Transparency is key
Transparency is the cornerstone concept behind the GDPR. Make sure your policies are user friendly and comprehensive. Think about the individual – to be able to agree to the processing, they need to know and understand what you're doing. After all, a secretive attitude incentivizes the "big brother" myth and gives users reasons to distrust your motives to use data.
One of the challenges companies face is finding creative solutions when drafting policies. It is essential to strike the right balance between providing sufficient detail and being concise enough in order to meet GDPR requirements.
-
Obtain adequate consents where you need them
Your company may have legitimate reasons to process sensitive data. In order to do so, it is key that adequate consents are obtained from users (unless there are other lawful grounds for collecting this information). It is likely that if you clearly explain the purposes and obtain the necessary consents you will have better quality data or, at least, you'll avoid a fine and reputational damages.
-
Have a data retention strategy
Companies need to be prepared to justify how long they need to retain data and how this is linked to the purpose of the processing; it is useful to have a data retention policy and explain to users this criteria in clear terms.
Whereas users' right to delete data (or right to be forgotten) is not absolute, companies need to have other legal grounds to retain the data even after they have been asked to delete (for example, if they are legally required to do so). Know your fallback position, what data you can and cannot retain in this case and, most importantly, explain to the user requesting the deletion of their data what data you will not delete at that point in time, the reasons for the retention and when you expect this data to be finally deleted.
-
Take care when you are relying on 3rd parties to give notice for your processing of data on websites you don't operate
It is not uncommon for website publishers to allow third party service providers, like ad tech or analytics companies, to drop cookies on websites to provide services. Generally, it is contractually agreed that the publisher of the website will give notice of the processing in their website and/or cookie policy. It is therefore important to ensure that this information is clearly outlined in the website privacy and/or cookie policy and that there are adequate contractual provisions in place to cover the risk of such notice not being adequate or sufficient.
-
Remember that local DPAs are working together
Given the changes introduced by Facebook in its terms and conditions of use in January 2015, several Data Protection Authorities of the European Union, including the AEPD, formed a Contact Group through which to coordinate their actions. These authorities have developed their respective investigation procedures in accordance with the provisions of their national legal systems.
This cooperation initiative is proving effective for regulators and is likely to become the norm, especially under GDPR. So if your company has an issue with one DPA, you should expect similar issues to arise in more than one country.