MADRID – Facebook “does not adequately collect the consent of either its users or nonusers” before collecting and sharing intensely personal information about their lives, according to the Spanish Data Protection Agency. That “constitutes a serious infringement” of Spain’s data-protection rules.
On Monday, the country’s privacy watchdog slapped Facebook with a €1.2 million (about U.S. $1.44 million) fine for allowing advertisers to access personal information about Spanish users.
“Facebook collects data on ideology, sex, religious beliefs, personal tastes or navigation without clearly informing about the use and purpose that it will give them,” the agency asserted in a prepared statement.
The privacy watchdog called the actions “a serious infringement” of Spain’s data-protection rules.
The €1.2 million fine is miniscule compared to the U.S. $9.2 billion in revenue Facebook posted for the second quarter of 2017, mostly from mobile video ads, but Spain isn’t the only country taking punitive financial action against the company. In May, after a two-year investigation, France’s data regulator fined the social network €150,000 for allowing advertisers to access users’ personal data.
Last year, France’s privacy watchdog ordered Facebook to stop tracking non-users activity without their consent and to cease transferring French citizens’ personal data to the U.S.
Belgium, Germany and the Netherlands also are investigating how Facebook collects, stores and uses data about their citizens.
Facebook, which claims to have 2.01 billion active monthly users, collects about 25 percent of its annual revenue in the European Union. In May 2018, the EU will implement the European General Data Protection Regulations, a new set of laws designed to protect citizens’ personal information and privacy. The GDPR requires data collectors, storers and processors to obtain explicit consent from those whose information they handle. Failure to adhere to GDPR regulations could bring a fine of €20 million or up to 4 percent of global revenue, whichever is greater.
The U.K., which currently is wrangling a data-collection-and-storage nightmare of its own due to online age-verification rules imposed by the Digital Economy Act 2017, will not fall under the jurisdiction of the GDPR. Britain and its neighboring states voted last year to leave the EU in a process that has come to be known as the Brexit.