Spanish data protection regulator has issued a €1.2 M ($1.4M) fine against the social media giant for a series of violation regarding its data harvesting activities.
Spain’s AEPD said that an investigation, into how Facebook collects, stores and uses data for advertising purposes, found that it is doing so without obtaining adequate user consent.
It says it identified two serious infringements and one very serious infringement of data protection law — with the total sanction breaking down to €300,000 for each of the first breaches and €600,000 for the second.
The regulator found that Facebook collects data on ideology, sex, religious beliefs, personal tastes, and navigation — either directly, through users’ use of its services or from third party pages — without, in its judgement, “clearly informing the user about the use and purpose”.
Not obtaining the express consent of users to process sensitive personal data is classified as a very serious offence under local DP law.
The regulator is also unhappy that Facebook does not delete harvested data once it has finished using it.
One of the spokesperson of Facebook told us that the company intends to appeal the decision, while also noting that its European business is (currently) regulated under Irish data protection rules, where its EU HQ is sited.