The AEPD has imposed a fine of €1,200,000 on Facebook for infringing three points of the LOPD

The Spanish Data Protection Agency (AEPD) accuses the social network of committing three serious infringements of the Organic Law on Data Protection (LOPD). This resolution follows a previous investigation in which the AEPD verified that Facebook collects data on users without their consent and without properly informing them of what types of data will be used and for what ends. In addition, the Agency accuses the social network of not deleting these personal data when they are no longer useful for the purpose for which they were collected, even when the user has deleted their account. These three infringements have led the AEPD to impose a penalty of EUR 1,200,000: 600,000 euros for the one infraction typified as very serious and 300,000 euros for each of the other two infringements.

The social network, which has more than 2 billion users per month according to March data, collects personal data on each user's ideology, sex, religion, personal tastes and browsing without first informing them of the use and purpose that will be given to this data. This information is usually collected for advertising or for secret use by the company, but without the express consent of the users, which is considered an infraction typified as very serious in the LOPD.

The second infraction identified in the AEPD's investigation is that Facebook does not clearly inform users about the data it will collect and how it will process them, but simply gives some examples. According to the statement made by the Agency, Facebook gathers information through cookies when users of the social network, logged in or not, browse Facebook pages or third-party pages, as well as when people without a profile in the community access some of its pages. In the first case, users receive information on data collection and processing in the “Privacy” section, which according to the AEPD “contains generic and unclear expressions and requires access to many different links to know it”. On the other hand, those who access Facebook without having an account “are unaware that their browsing data are collected”, according to the statement.

Finally, the third violation is that Facebook does not delete the information collected. The data is retained and reused, even when the user has deleted their account in the social network and requested the deletion of the information related to it. In this case, Facebook retains and continues to use the information for 17 more months through a cookie from the deleted account.

Other sanctions in Europe

In 2014, following Facebook's announcement of a global review of its privacy policy, several European countries created a “Contact Group” to monitor and control the use of data by the American giant. This group is formed by the respective data protection institutions of the Netherlands, France, Spain, Germany and Belgium. In all these countries, investigations have resulted in sanctions and prosecutions against Facebook. For example, France has decided to impose a sanction of 150,000 euros for the lack of information on the use of cookies, as the Spanish Agency did, and in Germany Facebook was ordered to stop combining data from WhatsApp users without their prior consent.