It must be underlined that each Member State has some leeway in drafting its data protection laws. However, they are also subject to the Directive 95/46/CE on the protection of individuals with regard to the processing of personal data and on the free movement of such data. As such, national legislations must hold certain common principles. Both decisions hold common ground and sanction Facebook for similar reasons.
Mathias Avocats explains the issues presented in the AEPD’s case.
What are the issues ?
The AEPD’s investigations lead to alarming results. The Spanish regulator found that Facebook processed personal data, of both its users ans third parties, for advertising targeting purposes without their informed consent. It held that the company’s terms and confitions were far too broad and lacked clarity. The users and third parties did not know why, how and for what purpose their data was collected.
This lack of information is a clear violation of the data subject’s right to information. Without clear, precise and transparent information, the person cannot comprehend the data processing activities. The person is also unable to give informed consent which may prohibit the data processing activity unless the law provides another legal ground.
The AEPD found that Facebook has violated the national data protection law on three grounds. Each of them is considered separately.
- Facebook does not obtain the express consent of its users to process sensitive data
Sensitive data is data on ideology, racial or ethnic origins, sexual orientation, religious and political beliefs and health. The Spanish regulator found that the company processed this data directly through the information given by the user and through his or her use of the social network (ex: a page liked, a pictured commented on, etc.). It also held that the terms and conditions were not specific and only gave examples of the possible data processing.
- Facebook does not delete the processed data when it is no longer needed and does not delete the data upon a user’s request
A general rule regarding data protection is the limited time for data storage. The Spanish regulator brought to light the fact that the company stores the information for more than 17 months through a deleted account cookie when the user deletes his or her account and requests the deletion of his or her information. This is a double biolation of the law in the sense that it violates a data subject’s right to erasure and violates the principle of limited data storage.
What happens next ?
Facebook is not keen on paying the fine. Indeed, a Facebook spokesperson told Techcrunch, a leading technology media property, that the company would be appealing the decision. Mathias Avocats will keep you informed of the next steps of the case.
However, one should keep in mind that the imminent coming into effect of the General Regulation on Data Protection (regulation 2016/679) will only strengthen the consent requirements and increase the financial limit for fines. Moreover, companies processing data across several Member States, such as Facebook, may be confronted to several data authorities.