A Data Protection Authority (DPA) in Europe has recently issued Facebook with a significant €1.2 million fine for two ‘serious’ and one ‘very serious’ breaches of data protection law.
The investigation, which formed part of a joint initiative by Data Protection authorities across Belgium, France, Hamburg, and The Netherlands, revealed that Facebook users’ personal data, e.g. political views, religious beliefs, location, and other personal preferences had been collected without the users’ informed consent. Data subjects were also left unaware as to the purpose of sharing their information with Facebook (and other third-party web pages), and the use of it thereafter.
The breach equating to ‘very serious’ in the eyes of the DPA, which amounted to €600,000 of the total fine, was the discovery that Facebook did not ‘obtain unequivocal consent, specific and informed’ from its users before processing types of data (known as ‘special categories’ of data in legislative speak) for marketing purposes.
When issuing the fine, the DPA also took into consideration that users are not informed about how their data is collected via use of cookies on the site, some of which the social network categorised as ‘secret’. Webpages which are not affiliated with Facebook, yet contain a ‘like’ button for the network all the same, were also shown to be in breach – some of them collecting data exclusively for marketing purposes without providing clear information to the user about what data will be collected and how it will be processed.
Additionally, it was shown that Facebook’s privacy policy was below par in terms of transparency, containing general formulations and statements that would be unclear to the average user and which required readers to click through a multitude of links in order to access the policy in its entirety.
Finally, The DPA were able to prove that Facebook did not, in fact, delete personal data upon user request (e.g. termination of account), but instead retained the data via cookies for up to seventeen months – a time period which extends way beyond the original purpose for collecting it in the first place.
Is your organisation fully aware of Data Protection directives and the right to be forgotten legislation?
For more information on VinciWork’s Data protection, GDPR, and Information Security courses and microlearning courses, please don’t hesitate to get in touch.