Facebook to Appeal $1.43 Million Fine From Spanish Privacy Office

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George Lynch

Facebook Inc. has been fined 1.2 million euros ($1.43 million) for failing to obtain proper consent to collect and store sensitive personal data, including information on gender, religion, and internet use, Spain’s privacy office announced Sept. 11.

The fine is relatively small for Facebook, but is a reminder that national regulators in Europe are carefully scrutinizing the privacy practices of U.S. online multinationals doing business there. The focus on particularly sensitive classes of data is a precursor to upcoming enforcement under the European Union General Data Protection Regulation, which is set to take effect in May 2018. The GDPR prohibits companies from processing sensitive data, with a list of narrow exceptions, such as obtaining explicit consent. Examples of sensitive data include information on religious and philosophical views, sex life, and sexual orientation.

Spain’s Agencia Espanola de Proteccion de Datos (AEPD) said in a statement that the user data was collected by Facebook through third-party web pages, and that Facebook doesn’t tell users in an exhaustive and clear way what kinds of data it will collect and the way the information will be processed.

The social media giant “respectfully disagrees” with the regulator’s ruling and intends to appeal the fine, Facebook spokesperson Sally Aldous told Bloomberg BNA.

The AEPD said it was particularly concerned with how sensitive information was used for advertising. According to the AEPD, Facebook failed to inform users that their information was handled by cookies when they accessed websites that didn’t belong to Facebook, and that it used cookies to collect data up to 17 months after a user deleted his or her account. Cookies are packets of data used by websites to save information on and identify certain users or computers.

These practices won’t be tolerated under the GDPR, Pete Zimmerman, vice president of client services and operations at Sonian Inc., a cloud archiving company, said in a statement provided to Bloomberg BNA. The GDPR empowers more regulators to go after tech companies in cases like the one against Facebook, and makes the likelihood of penalties much higher, he said.

The GDPR will bring stricter standards to the EU privacy regime, including tighter requirements for user consent to the use of their personal data, mandatory data breach notification, and fines as high as $20 million euros ($23.3 million) or 4 percent of a company’s annual worldwide income, among other reforms.

Since the fine is just a “drop in the bucket to a behemoth like Facebook,” the decision is more about instilling the importance of following privacy regulations, Zimmerman said.

Facebook’s total revenue for 2016 was $27.6 billion, according to Bloomberg data.

Aldous said that Facebook allows users to choose the kind of personal information, such as their religion, they want to share in their online profile.

With assistance from Brett Allan King in Madrid

To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security