Facebook is breaking data privacy laws in France, Belgium, and the Netherlands and faces investigations in Spain and the German city of Hamburg, privacy regulators from those respective areas announced today. French authorities also announced they were slapping Facebook with the maximum fine allowed under French privacy law, of €150,000 ($164,000). To put that in perspective, Facebook generated $27.6 billion in revenues last year.
The European regulators say Facebook doesn’t give users enough control or information over how their data is used on the social platform, and, in some cases, is offered to advertisers. Tests conducted by the Dutch authority (pdf) found Facebook was using sensitive personal data—such as sexual preferences—to serve targeted ads to its users, without obtaining the required consent. “The Dutch [privacy regulator] has factually ascertained that the Facebook group enables advertisers to select ‘men that are interested in other men’ for targeted advertisement purposes,” the Dutch authority wrote. The regulator said Facebook has stopped allowing its data to be used in this way.
France found that Facebook engaged in a “massive compilation” of personal data to serve targeted ads without consent from its users. “Considering the significant number of users in France, the seriousness, and the numbers of infringements, the publicity and amount of this sanction are justified,” the French regulator wrote. Facebook has 33 million users in France.
The company insists it shouldn’t have to comply with data laws in the five European states because its European headquarters is in Dublin, and so it should only follow Irish data rules. The “contact group” countries say this can’t be right, since Facebook has offices in their countries which sell ads based on the user data collected locally. “Therefore, these activities are inextricably linked to the data processing by The Facebook Group,” the regulators write.
Facebook has not yet responded to a request for comment from Quartz.
The five countries banded together to form a “contact group” to deal with Facebook’s data policies when the social network announced a global revamp in 2014. Today’s action is an “unprecedented” attempt at coordination and analysis by regulators, data privacy researcher Lukasz Olejnik wrote in a blog post.
Facebook may not get off so easily in the future. A comprehensive new set of rules, called the European General Data Protection Regulations, come into force next May. These would allow privacy regulators to impose fines of up to 4% of Facebook’s revenues, or $1.1 billion, based on its 2016 numbers. That’s the sort of fine that should make Facebook think twice before being cavalier with its users’ data.