Facebook fined €1.2m in Spain for collecting users' personal data without obtaining express consent

Facebook has been slapped with a €1.2m ($1.4m) fine in Spain for allegedly collecting users' personal information to be used for advertising purposes and breaking privacy laws, the European country's data protection watchdog said on Monday (11 September).

The Spanish Data Protection Agency (AEPD) found three instances in which Facebook collected user data including sex, religious beliefs, ideology, personal tastes and browsing history of millions of Spanish users without properly notifying them about how their data would be used.

According to the AEPD, the social media giant also collected data from people who do not have Facebook accounts using cookies on other pages that contain a "Like" button without "clearly informing the user about the use and purpose". It added Facebook did not properly inform users about how it planned to use data collected on third-party sites and did not obtain express consent to use it either.

The investigation also found that Facebook stored the data of users who had closed their accounts for more than 17 months.

The Spanish authority said Facebook seriously breached local data protection laws in one instance for which it was fined €600,000, and moderately did so in the two other occasions hitting the firm with a €300,000 fine for each.

"Facebook's privacy policy contains generic and unclear terms," the AEPD said in a statement, Reuters reports. "The social network uses specifically protected data for advertising, among other purposes, without obtaining users' express consent as data protection law demands, a serious infringement."

Facebook said it disagreed with the decision and plans to appeal the penalty.

"We take note of the DPA's decision with which we respectfully disagree. Whilst we value the opportunities we've had to engage with the DPA to reinforce how seriously we take the privacy of people who use Facebook, we intend to appeal this decision," a Facebook spokesperson said. "As we made clear to the DPA, users choose which information they want to add to their profile and share with others, such as their religion. However, we do not use this information to target adverts to people.

"Facebook has long complied with EU data protection law through our establishment in Ireland. We remain open to continuing to discuss these issues with the DPA, whilst we work with our lead regulator the Irish Data Protection Commissioner as we prepare for the EU's new data protection regulation in 2018."

Regulators in other European countries including France, Belgium, Germany, the Netherlands and the UK have also conducted similar investigations into Facebook's data collection practices and other privacy violations resulting in financial penalties. The latest fine is still a minor one compared to the company's quarterly revenue of about $8bn.