14 September 2017
The Spanish data protection authority (‘AEPD’) announced, on 11 September 2017, that it had issued a decision in which it fined Facebook, Inc. €1.2 million for serious violations of the Organic Law 15/1999 of 13 December on the Protection of Personal Data (‘the Law’) (‘the Decision’). Firstly, the AEPD found that Facebook had collected personal data for advertising purposes through users’ interactions with its services and with third-party pages that embed ‘like’ buttons, without clearly informing users of this fact, and that it had not obtained informed, specific and unequivocal consent from users and non-users alike for the processing of their data.
Joaquín Muñoz Rodríguez, Attorney at Ontier España S.L.P., told DataGuidance, “In my opinion, the key point and novelty of the Decision is that there had not, to date, been a resolution that went into detail when sanctioning massive scale data processing used to profile users based not only on the information they provide directly in their profile, but also on their interactions with the social network. Perhaps this was something that the advanced user could intuit, but this [was the first] investigation […] to confirm it.”
Muñoz Rodríguez continued, “It is not clear to me whether the amount of the sanction would have varied greatly under the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). It is true that the infringements committed by Facebook are among those listed in the GDPR as serious, and in this case they may have reached a fine of up to 4% of the total worldwide annual turnover of the preceding financial year, but alleviating and aggravating circumstances must also be taken into account. In general, the GDPR establishes a specific framework to regulate the way in which user profiling for marketing purposes is to be carried out. It is very explicit in requiring companies to provide detailed information about what type of data will be collected for this purpose and even to warn of the consequences that profiling can have for the user. Furthermore, a data controller will be required to carry out Data Protection Impact Assessments (‘DPIAs’) in relation to such processing operations, as profiling could result in a high risk for the data subject’s rights and freedoms.”
The Decision follows a joint investigation into Facebook’s privacy and cookie policies, which was carried out by the AEPD, the Dutch data protection authority, the Hamburg State Commissioner for Data Protection and Freedom of Information and the Belgian Commission for the Protection of Privacy.
“From now until May 2018 is time to review data processing practices to bring them into line with the GDPR,” said Muñoz Rodríguez. “If profiling is going to be carried out, it is necessary in most cases to carry out DPIAs in which the entire cycle of data processing in the company is reviewed, from the time the data is collected until it must be deleted or blocked. It is a good time to conduct data mapping to help identify which processes are more sensitive and establish security measures that allow increased compliance and quality of data processing. Nowadays data is one of the main assets of all companies and it is necessary to dedicate the necessary resources to protect it.”
Cristina Ulessi | Privacy Analyst