“Spanish Data Protection Authority fines Facebook €1.2 million for data protection infringements”, article by José Lema, lawyer at ECIJA, for Leading Internet Case Law.
European Data Protection Authorities have had Facebook in their bullseye for quite some time, and not without reason: the American giant has been less than transparent in communicating how personal data is processed on the platform. However, only recently has the context shifted to one where the general public is much more conscious of data-protection issues, which has allowed the Spanish DPA (hereinafter, “AEPD”) to confidently carry out an investigation in the context of a sanctioning procedure.
The Spanish DPA took it upon itself to investigate Facebook’s processing of personal data and whether it was compliant with the European regulations and the Spanish Data Protection Law (hereinafter, “LOPD”). On the date the resolution was issued, the AEPD could use arguments backed by the CJEU and the Spanish Supreme Court to pin Facebook Inc. to the local jurisdiction and apply the LOPD in full force.
The investigation goes on to find that Facebook Inc. was breaching several obligations of the LOPD, namely duly informing users about the data processing, duly obtaining users’ consent for the processing, and duly canceling data after being requested to do so or when data is no longer relevant.
Details of the proceeding
1. Facebook, Inc. as data controller
The AEPD does not accept Facebook’s argument that the company bound by the European data protection regulation would be Facebook Ireland, Ltd, as accepted by European users when registering with the social network. The AEPD counterargues that, based on the Spanish Supreme Court’s case law (STS 1384/2016), Facebook Inc. would be considered a data controller in any case:
“In its Opinion 1/2010, the Article 29 Working Party stated that “The concept of controller is autonomous […], and functional, […] and thus based on a factual rather than a formal analysis”. […] Google Inc., which manages the search engine Google Search, is a personal data controller, since it determines the ends, the conditions and the methods for the personal data processing”.
Facebook, Inc. is therefore identified as a data controller for users in the European Union, given its key role in the data processing.
2. Application of the LOPD
Following from this premise, the AEPD analyzes whether the LOPD is applicable to Facebook Inc., which would be the case for a data controller not established in Spain if a) the processing is carried out in the context of the activities of an establishment of the data controller, where that establishment is located in Spain, or b) means located in Spain are used in the processing of personal data. The AEPD quotes the CJEU judgment of May 13th, 2014, recalling that:
“[…] it must be held that the processing of personal data for the purposes of the service of a search engine such as Google Search, which is operated by an undertaking that has its seat in a third State but has an establishment in a Member State, is carried out ‘in the context of the activities’ of that establishment if the latter is intended to promote and sell, in that Member State, advertising space offered by the search engine which serves to make the service offered by that engine profitable”.
Based on that reasoning, the AEPD finds that Facebook Spain, S.L. could be considered an establishment located in Spain. The AEPD argues that the main purpose of Facebook Spain, S.L. is attracting advertisers to the platform, an activity that is causally linked with the data processing of Facebook Inc. This would guarantee the application of the LOPD to the facts at hand.
Furthermore, the AEPD states, as a secondary argument, that Facebook Inc. is using means located in Spain for the processing of personal data, namely users’ computers and the cookies installed on them. This alone would also be sufficient grounds for the LOPD to apply to the case at hand.
- Information duty
The AEPD finds that Facebook has infringed its duty to duly inform users about the collection and processing of their data, the methods of processing and their purpose. The AEPD reached this conclusion after finding that:
- Facebook misguides users when obtaining consent, not disclosing that personal data other than that directly provided by the user will also be collected and processed. The use of multi-layered information makes it difficult for the user to grasp all relevant information.
- A “data policy” is linked at the moment of registration, without making explicit reference to data protection. Accessing this policy is not mandatory prior to registration.
- Users are not provided with a list of the data that will be collected and processed.
- No options for guaranteeing parental consent for minors are enabled. Furthermore, advertising campaigns can target minors.
- Users are not warned that the cookies installed in their browsers can gather information even when they are not logged in to the network.
3. Duty of obtaining consent
The AEPD finds in its investigation that Facebook has infringed its duty to obtain free, unequivocal, specific and informed consent from its users. The AEPD reached this conclusion after finding that:
- The consent cannot be specific where the information is given by means of imprecise wording which does not allow the user to understand which data are processed and for what purpose.
- The data collected is not proportionate to the purpose of the processing, much less where the user is giving misinformed consent.
- Considering that the information shown by Facebook can confuse the average user of new technologies, the consent can never be unequivocal or specific.
4. Sensitive personal data
Some duties are stricter when referring to the sensitive personal data of the users of Facebook:
- Facebook collects and processes sensitive personal data, which it uses for building profiles, even after informing users that their sensitive personal data will not be used for advertising.
- The tools for advertisers allow them to segment the target audience based on sensitive data such as sexual life, beliefs or health.
- For sensitive data, the consent must be explicit and in writing, and Facebook does not comply with these requirements.
5. Duty of cancellation of data
The AEPD finds that Facebook has infringed its duty to cancel personal data where it is no longer necessary for the purpose for which it was collected. The AEPD reached this conclusion after finding that:
- Where a user configures their privacy settings so that ads are not served based on personal data, the profiling data collected by Facebook is not erased but stored.
- The IP addresses from where connections have been established are stored for at least 11 months, which could lead to correctly identifying the physical location of a user.
- After deletion of an account, a cookie associated with the cancelled profile can be associated with a new user registered with the same e-mail address for up to 17 months.
The AEPD imposes the following fines:
- For breaching article 6.1 of the LOPD, constituting a serious infringement: €300,000.
- For breaching article 7 of the LOPD, constituting a very serious infringement: €600,000.
- For breaching article 4.5 of the LOPD, constituting a serious infringement: €300,000.
The AEPD hands down the largest sanction available for each of the infringements, taking into account aggravating facts such as the continued nature of the infringements, the volume of the processing carried out, the link between Facebook’s activity and the personal data processing, Facebook’s turnover being generated as a direct result of the infringements, and Facebook’s intentionality in its conduct.
What the decision tells us about large-scale data processing
The decision itself does not mark a sudden change in the way data processors are regarded in Europe. Rather, the AEPD resolution is but one consequence of a much broader and slower process, whose ultimate result is the GDPR. That regulation is the one that large-scale data processors should take into account in their handling of personal data. Data controllers that process the personal data of European individuals have been sufficiently warned and given enough time to accommodate the requirements of the GDPR. This fine is but a reminder that local Data Protection Agencies will take measures if they find that the provisions of the GDPR or of local regulations are not being complied with.
Arguments for pinning down international operators to not only the European but also the local jurisdiction are now fully backed by the CJEU and even by local Supreme Courts. This current doctrine is much more in line with what the GDPR has in store: its article 2 states that the GDPR shall apply to controllers not established in the EU where the processing of personal data of European data subjects is related to (a) the offering of goods or services; or (b) the monitoring of their behavior. It is clear that the activity of many international operators, including Facebook, falls within those definitions, and therefore they will have to comply with the provisions of the European regulation when it enters into force.
Finally, this decision confirms that businesses, European and non-European, will have a harder time complying with European data protection regulations, which will have a double-edged effect. On the one hand, non-EU companies will be more hesitant to offer their services in Europe where those services imply processing personal data, which might be especially harmful considering the universal vocation of internet-borne information technology services. On the other hand, European companies, especially newly formed ones, will have to bear a heavy compliance burden that simply will not exist for non-EU competitors. All of the above might result in innovation stagnation for European companies, which might be incapable of competing in an environment based on novelty and speed.