The Spanish Data Protection Agency (AEPD) has fined Facebook €1.2 million (just under $1.44 million) for three violations of data protection laws, TechCrunch reports. The two less serious infractions carry fines of €300,000; the more serious one would cost the social networking giant €600,000.

The AEPD’s investigation found that Facebook’s privacy policy contains “generic and unclear terms,” and does not adequately familiarize a user possessing “an average knowledge of the new technologies” with the ways in which his/her personal data is collected, stored and used, the regulator said.

Facebook gathers data from users’ actions on its site, as well as from third parties. The company uses some of that data for advertising purposes, and some for “secret,” undisclosed purposes, according to the AEPD. Facebook also gathers data regarding people’s behavior on third-party sites that feature embedded Facebook “Like” buttons.

The AEPD says Facebook collects the personal data even of internet users who do not hold accounts with the social media service when such users visit a Facebook page. The company tracks account holders’ behavior on third-party sites, even when an account holder is not logged into Facebook. In this last case, the AEPD says, “the platform adds the information collected in [third-party] pages to the one associated with your account on the social network.”

Non-Facebook users, then, are unaware that the social media company is harvesting their personal data, and Facebook account holders are unaware of the nature and extent of the data being harvested. Other European regulators, TechCrunch notes, have made similar accusations against the company.

Facebook fined €1.2M for privacy violations in Spain https://t.co/KDaWbgSJaU

— TechCrunch (@TechCrunch) September 11, 2017

The AEPD also alleges that Facebook unlawfully retains the data it has collected from a given user even after that user terminates his/her Facebook account. The company “captures and treats information [concerning former users who have deleted their accounts] for more than 17 months [after an account has been terminated] through a deleted account cookie,” the regulator says, even though the information in question is “no longer useful for the purpose for which [it was allegedly] collected.”

Facebook intends to appeal the AEPD’s ruling even though, as TechCrunch notes, the $1.4 million sum of the fines represent but a minute fraction of the $27.64 billion in revenue the company reported in 2016. The motivation behind Facebook’s appeal of the penalties, then, is not financial but political. The company aims to protect its public image by proving that it does not violate users’ privacy.

“We take note of the DPA’s decision with which we respectfully disagree. Whilst we value the opportunities we’ve had to engage with the DPA to reinforce how seriously we take the privacy of people who use Facebook, we intend to appeal this decision. As we made clear to the DPA, users choose which information they want to add to their profile and share with others, such as their religion. However, we do not use this information to target adverts to people,” Facebook said in a statement.

Facebook also contends that because its headquarters of its European operations are situated in Ireland, the company is subject only to Irish data protection laws.

In May, the EU is scheduled to implement tighter General Data Protection Regulation (GDPR), which will permit fines of up to four percent of a company’s global annual turnover, according to TechCrunch. Should Facebook be convicted of an infraction under the new rules, the company could face a fine of as much as $1 billion.

The new GDPR will also expand the definition of personal data and give EU citizens the right to demand that their personal data be deleted. It will likely also allow regulators across the EU to work together to police companies like Facebook that operate across multiple jurisdictions.

Per TechCrunch, Facebook says it has assembled “the largest cross functional team in the history of the Facebook family” to “fully analyze the legislation and help us understand what this would mean from a legal, policy and product perspective.”

“Ahead of next May we are working with our product, design and engineering teams to enhance existing products and build new products in a way that simultaneously provides an intuitive, user-centric experience and permits us to meet our obligations under the GDPR,” said Stephen Deadman, Facebook’s deputy chief global privacy officer, in a statement.

The privacy policy, the AEPD contends, contains “generic and unclear terms,” and “inaccurately” describes the manner in which Facebook uses user data.

Featured image via Pixabay