If companies thought that the prospect of penalties for GDPR data breaches was being exaggerated, they will be in for a shock when the new EU data protection law takes effect next year.
May 2018 marks a new era for the European Union regarding the collection and processing of its citizens’ personal data. Facebook might be considered lucky to have been admonished for breaching data protection law in Spain before the GDPR comes into force. Had the company committed the same illegalities under the new EU legislation, the punishment would have set a perfect example for organizations that are not putting systems in place to ensure compliance and are not willing to play by the regulations. This might be Facebook’s last time to incur relatively low fines for infringement of privacy regulation.
Investigations into how Facebook collects and manages personal data have shown that the company is culpable of breaching privacy regulation. Spain’s AEPD, the national Data Protection Agency, confirmed that Facebook collects, stores and uses personal data for advertising purposes without the clear consent of the data subjects. This finding led the Spanish data protection regulator to issue a €1.2m (equivalent to $1.4m) fine against the company. Under GDPR, the company would have incurred a penalty of up to €20 million or 4% of its last year’s annual income. A simple comparison reveals that the organization risks an additional fine of almost €19m if it is found to have made a similar mistake after May 2018.
The AEPD holds that it identified two serious breaches and one very serious violation of data protection law. Each of the two serious breaches attracts a fine of €300,000, while the very serious breach attracts a penalty of €600,000 under the regulator’s rules. Facebook was found guilty of collecting data relating to religious belief, sex, ideology, personal tastes and browsing history without the user’s consent. The judgment stated that the company accessed such information via the data subject’s use of its services, or possibly from a third party, but did not clearly inform the user about the use and purpose of the data. This constitutes a very serious offence under the local DP law.
The Right to be Forgotten
The forthcoming EU legislation is clear on the right to be forgotten, a provision that entitles users to have their data erased. The regulator’s claim that Facebook reuses, or refuses to delete, users’ data when requested implies that the company violates fundamental principles and may find it difficult to operate under the new law in future. The AEPD accuses the company of using cookies from deleted accounts to retrieve deleted information and of using it for more than 17 months without the owners’ knowledge. This represents a serious infringement under the local data protection law (LOPD) as well as under GDPR.
People with only average knowledge of new technologies are advised to be careful when using Facebook, because their personal data may be collected without notice. According to the regulator, the use and storage of such collected information will not be communicated to them. Facebook’s habit of collecting users’ browsing data is not only unlawful in Spain but has also been challenged by other European DPAs. Many of Facebook’s operations disregard the existing data protection law and risk even greater financial losses and business disruptions next year.
Facebook’s GDPR Awareness
Facebook has designated a cross-functional team to analyze GDPR and help the firm understand the legal, policy and product perspectives of the law. The cross-functional team marks the firm’s preparations for compliance. It also plans to hire a data protection officer, as mandated by the new EU legislation.
Companies like Facebook that process data across several European Union member states may find that GDPR leads to more concerted enforcement efforts among the DPAs. Consequently, according to the regulator, Facebook may no longer be able to claim that it operates only under the jurisdiction of the Irish DPA.