The Spanish Data Protection Agency ("SDPA") has fined Facebook a total of €1,200,000 for violating Spanish Data Protection Legislation ("SDPL"). The SDPA has determined that Facebook has been processing personal data, including highly sensitive personal data, without appropriate consent of the data owners. Additionally, Facebook did not erase the personal data when the purpose for which it was collected had expired.

The SDPA started the investigation in March 2016 and, after almost a year and a half, the SDPA has fined Facebook for the following three violations of the SDPL.

  • €600,000 for a very serious infringement consisting of the collection of highly sensitive data such as ideology, sex, religious beliefs, personal preferences or browsing activity, either through users' use of its site or from third-party sources, without clearly informing the data owners about the use of, and purpose for, saving such sensitive data. The SDPA has demonstrated that this sensitive data was used for commercial purposes by Facebook; however, the social network did not obtain the necessary consent from data owners for processing their data for that purpose.

  • €300,000 for a serious infringement whereby personal data was not deleted when it was no longer useful for the purpose for which it was collected, or worse, personal data was not erased when the owners requested such removal. The SDPA has established that Facebook kept browsing information or user behaviour, and used it afterwards.

  • €300,000 for a serious infringement consisting of a lack of accurate collection of consent for the processing of data owners' personal data. The SDPA has shown that the privacy policy of Facebook contains generic and unclear terms, and obliges users to access too many different links to reach the information regarding the purposes of personal data collection. Moreover, the SDPA also mentions that unregistered users of Facebook were not aware that Facebook collects personal data relating to their browsing habits.

These three fines for one very serious and two serious infringements amounting to a total of €1,200,000 are, at present, the highest penalty imposed by the SDPA for the violation of the SDPL.

Besides the fact that this is the highest penalty issued by the SDPA, there is another remarkable detail in this case. The SDPA has imposed the sanction on Facebook Inc., and not Facebook Spain S.L., following the recent reasoning of the Spanish Supreme Court, which issued a ruling in 2016 establishing that Google Inc. was also the data controller of its users' personal data in Spain. However, notification of the fine will be made directly to Facebook Inc. and through Facebook Spain S.L., as it is considered to be an establishment of Facebook Inc.