AEPD (Spain) - EXP202493476: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202493476 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/co-00083-2024-medida-provisional.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_So...")
 
mNo edit summary
 
Line 69: Line 69:
}}
}}


The DPA invoked urgency procedures to prohibit Meta’s processing through election-related platform features, finding that the processing lacked a legal basis and collected excessive data.
The DPA invoked urgency procedures to prohibit Meta’s deployment of election-related platform features, finding that the processing lacked a legal basis and collected excessive data.


== English Summary ==
== English Summary ==
Line 89: Line 89:
Finally, the AEPD determined that the controller violated the storage limitation principle under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. The storage period, which was redacted in the decision, was not justified by the controller in relation to the stated purposes. The AEPD considered this to indicate an additional purpose of the processing operation.  
Finally, the AEPD determined that the controller violated the storage limitation principle under [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. The storage period, which was redacted in the decision, was not justified by the controller in relation to the stated purposes. The AEPD considered this to indicate an additional purpose of the processing operation.  


Ultimately, the AEPD considered that the collection of the data via EDI and VIU put the rights of data subjects at great risk. It noted that the volume of data gathered would permit the controller to create elaborate profiles of users. This loss of control over one’s own data, the AEPD said, demonstrates a patent violation of the right to data protection and a significant risk for data subjects’ rights and liberties.  
Ultimately, the AEPD considered that the collection of the data via EDI and VIU put the rights of data subjects at great risk. It noted that the volume of data gathered would permit the controller to create elaborate profiles of users. This loss of control over one’s own data, the AEPD said, demonstrates a patent violation of the right to data protection and a significant risk for data subjects’ rights and liberties. Given the impending launch of the products and high risks, the AEPD invoked the urgency procedure for exceptional circumstances under [[Article 66 GDPR]]. It accordingly adopted immediate interim measures to prohibit the controller’s anticipated processing with EDI and VIU.
 
Given the impending launch of the products and high risks, the AEPD invoked the urgency procedure for exceptional circumstances under [[Article 60 GDPR|Article 60 GDPR]]. It accordingly adopted immediate interim measures to prohibit the controller’s anticipated processing with EDI and VIU. The measures may last up to 3 months.


== Comment ==
== Comment ==

Latest revision as of 07:35, 4 June 2024

AEPD - EXP202493476
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 6(1)(b) GDPR
Article 66 GDPR
Type: Investigation
Outcome: Violation Found
Started: 22.04.2024
Decided:
Published: 31.05.2024
Fine: n/a
Parties: Meta Platforms Ireland Limited
National Case Number/Name: EXP202493476
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA invoked urgency procedures to prohibit Meta’s deployment of election-related platform features, finding that the processing lacked a legal basis and collected excessive data.

English Summary

Facts

On 28 February 2024, the Irish Data Protection Commission (DPC) shared information concerning two new products that Meta (the controller) planned to launch for Facebook and Instagram between 30 May and 9 June 2024. The tools were Election Day Information (EDI) and Voter Information Unit (VIU), both of which would send notifications to all eligible Instagram and Facebook users in the EU to remind them to vote in EU Parliament elections. The functionalities required users to input personal data including their name, IP address, age and gender.

The controller claimed that the products aimed to ensure that all Facebook and Instagram users who are eligible to vote see the EDI and VIU features. It argued that its legal basis for processing was the necessity of executing its contract with users.

On 22 April 2024, the AEPD sent the DPC a questionnaire concerning the controller’s planned processing. It also inquired whether it had initiated its own proceedings or if it had analysed whether the processing conformed to the GDPR. The DPC responded to the questionnaire but did not respond to the AEPD’s inquiries about its own proceedings or analysis of the processing.

Holding

The AEPD adopted provisional measures prohibiting the processing pursuant to Article 66 GDPR’s urgency procedure. It considered that the controller’s planned processing lacked a legal basis and would infringe the principles of legality, data minimisation and storage limitations under Articles 5(1)(a), (c) and (e) GDPR.

First, the AEPD found that the controller lacked a legal basis for processing under 6(1)(b) GDPR. Given the controller’s status as a private enterprise, a public interest could not be a ‘necessity’ for fulfilling a contract executed for commercial purposes. In fact, the AEPD considered that the purpose of processing the data pursuant to EDI and VIU was to aggregate information that it could then commercialize to third parties. The AEPD also noted that the controller failed to explain how it would exclusively process data of users over the age 18 for EDI and VIU purposes, given that it had no reliable mechanism in place to determine the age of its users. The AEPD considered the controller’s complete lack of legal basis -- based on necessity of contract or otherwise -- to violate the principle of legality pursuant to Article 5(1)(a) GDPR.

Second, the AEPD considered the controller’s processing of data excessive. It observed no justification for the use of a system that ensures that only the data of persons of legal age are processed. In addition, the controller aimed to collect city information based on data subjects’ IP addresses, when the narrowest degree of necessary data was merely nationality. The collection of such data, the AEPD found, is excessive relative to the supposed purpose of informing data subjects about elections.

Finally, the AEPD determined that the controller violated the storage limitation principle under Article 5(1)(c) GDPR. The storage period, which was redacted in the decision, was not justified by the controller in relation to the stated purposes. The AEPD considered this to indicate an additional purpose of the processing operation.

Ultimately, the AEPD considered that the collection of the data via EDI and VIU put the rights of data subjects at great risk. It noted that the volume of data gathered would permit the controller to create elaborate profiles of users. This loss of control over one’s own data, the AEPD said, demonstrates a patent violation of the right to data protection and a significant risk for data subjects’ rights and liberties. Given the impending launch of the products and high risks, the AEPD invoked the urgency procedure for exceptional circumstances under Article 66 GDPR. It accordingly adopted immediate interim measures to prohibit the controller’s anticipated processing with EDI and VIU.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/5










Ref.: EXP202403476


Subject: Agreement on the adoption of provisional measures

The Spanish Data Protection Agency (AEPD) has been aware of the future
processing of personal data on a large scale which is described below and which
It allegedly violates legislation on the protection of personal data.



                                        I Acts


On February 28, 2024, through A61VMN 612500, the Irish authority
(DPC) shared related information with the Data Protection Authorities
with ***, two new features for the Facebook and Instagram products.

Meta Platforms Ireland Limited (hereinafter META) would intend to implement
There are two functionalities in its Instagram and Facebook products. *** (Election Day

Information - EDI) *** and *** (Voter Information Unit -VIU) ***.

They indicate that they intend for all Instagram and Facebook users in the
EU with voting rights, ***, see VIU and EDI reminders for the next
EU parliamentary elections.


***

Given the doubts generated by the data processing that these may entail
functionalities, this Agency addressed the DPC, on April 22, to ask
receive a questionnaire with questions related to the data processing involved

carry out META on the occasion of the launch of both functionalities. The same
time the DPC was consulted as to whether any proceedings were in progress or whether
carried out an analysis to determine whether the new data processing is
GDPR compliant. The DPC has not answered these questions, but it did send the
questionnaire to META and has provided this AEPD with the response given by it, with
date April 29, 2024.


           • ***

Taking into account the above, the following considerations are worth making:

FIRST: In relation to the basis of legitimation alleged by META, it must be indicated
that META is a private entity, with a commercial purpose, and whose main activity

consists of providing a social networking platform that is financed by the sale
of advertising spaces, fundamentally linked to the development of profiles of
the users. However, the holding of democratic elections and the free exercise
of the right to vote constitute a public interest, incompatible with the character
business of the company, so it cannot be seen that said interest is necessary
for the provision of the contract to which the interested party is a party.


The term "necessary" used by the GDPR has, in the opinion of the CJEU, its own meaning.
and independent in Community legislation. It is, says the Court, a “concept


28001 – Madrid 6 Seeagpd.gob.es 2/5









autonomous Community Law” (STJUE of 12/16/2008, case C-524/06, section
52). On the other hand, the European Court of Human Rights (ECHR) has offered
also guidelines for interpreting the concept of necessity. In section 97 of his

Judgment of 03/25/1983 states that the “adjective necessary is not synonymous with
“indispensable” nor does it have the flexibility of the expressions “admissible,” “ordinary,” “useful,”
“reasonable” or “desirable”.

As stated in guidelines 2/2019 on the processing of personal data with
pursuant to section 6.1.b of the GDPR in the context of making available to

interested parties of online services, “Article 6, paragraph 1, letter b) applies when
meet two conditions: the treatment in question must be objectively necessary
for the execution of a contract with an interested party, or the processing must be
objectively necessary to adopt pre-contractual measures at the request of a
interested” (paragraph 22).


And then they point out that “the need for treatment is a precondition for
both parts of Article 6, paragraph 1, letter b). First of all, it is important to note
that the concept of what is "necessary for the performance of the contract" is not a mere
appreciation of what the clauses of a contract allow or put into practice. He
The concept of necessity has an autonomous meaning in Union Law, which

It should reflect the objectives of data protection legislation. Therefore,
The fundamental right to privacy and the protection of personal data is also taken into account.
personal data, as well as the requirements of data protection principles,
including, in particular, the principle of loyalty” (paragraph 23).


When evaluating what is “necessary”, an assessment must be made based on the objective that
is pursued, evaluating whether there are less intrusive treatments to achieve the
same objective. If there are other realistic and less intrusive alternatives, the treatment
there's no need".


This must be based on the purpose that META intends with the processing of the data.
to evaluate the existence of “need”. In this case, it should be highlighted
prior, that the alleged "need" for such treatment that META intends to carry out is
incompatible with the purpose of the contract, since in no way a public interest,
such as the right to vote and the guarantee of free elections, can be
"necessary" for the fulfillment of a contract that has a private purpose.


***

Nor does it justify how it intends to exclusively treat data of people over 18 years of age,
when there is no reliable mechanism to determine the age of the recipients or

justifies the processing of interactions with the website to which they direct.

Finally, the data is used for the purpose of aggregating and transferring aggregated data to
third parties. However, the aggregation process is not explained, nor what data is used.
for that aggregation, nor the level of disaggregation, so it is unknown if the level

Disaggregation allows the identification of users, which can
It can be concluded that personal data could be retained and communicated.

Thus, according to the information provided, the ultimate purpose of META is a



28001 – Madrid 6 Seeagpd.gob.es 3/5









purpose consisting of having data for the improvement of the product itself and
to communicate them to third parties.


For all of the above, the AEPD considers that META cannot rely on article 6.1.b)
of the RGPD the processing of user data that it intends to carry out, nor in
no other legal basis of article 6, what it would mean if it were finally carried out
a violation of the principle of legality provided for in article 5.1.a) of the RGPD.

SECOND: The intended data processing is excessive. Age data is processed,

when the use of a system that guarantees that they are only subject to
processing data of people of legal age.

On the other hand, the city data contained in the profile and the IP address are stored
with the purpose of making a selection of the voters, when what

determines this condition is nationality, in the case of the next elections
Europeans, which shows the unnecessaryness of this treatment, since part of the
presumption that users who reside in certain cities or whose address
IP is located in Europe they have the right to vote, leaving other citizens out
residents abroad and addressing citizens of other countries who are
found in Europe. In short, this treatment is disproportionate and excessive.


***

Finally, the treatment of interactions is absolutely disproportionate
in relation to the supposed purpose of reporting on the elections.


THIRD: The principle of limiting the conservation period is not respected. ***, without
justify the need for its storage in relation to the stated purposes, which
which reveals an additional purpose of the processing operation.




                              II Justification of urgency


The data processing provided for by META represents an action contrary to the RGPD
which, at the very least, would breach the data protection principles of legality, minimization

of data and limitation of the conservation period, as set out
previously.

Likewise, it has been previously indicated that Meta plans to launch the functionality
VIU in Spain, from May 30 to June 9, which will consist of sending notices or
reminders to users ***. Therefore, the adoption of the

urgent measures against META due to the proximity of the period in which META has
The start of the collection of personal data in Spanish territory is planned.

If no urgent action is taken, META would collect and retain
personal data failing to comply with the provisions of the RGPD and thereby violating the
rights and freedoms of the interested parties. Even META has planned to communicate the data

collected in aggregate form from third parties (which may even be individuals), without



28001 – Madrid 6 Seeagpd.gob.es 4/5









offer no guarantee that the data made available to users
third parties are not personal data.

The imminent start of the offending treatment serves as a clear justification for the adoption

of the urgent provisional measure.


       III Risks for the rights of interested parties that need protection

META's planned data collection and retention would seriously jeopardize

risk the rights and freedoms of Instagram and Facebook users who would see
increased the volume of information that META collects about them, without
there was no legal basis that legitimized this action by META.

The volume of information collected would allow META to develop more profiles

complex, detailed and exhaustive of users, generating more treatments
intrusive on their rights and freedoms, such as the rights to privacy and
protection of personal data, recognized in articles 7 and 8 of the Charter of the
Fundamental Rights of the European Union.


Along with this, the making available to third parties of data that could be of a
personal would involve a disproportionate interference in the rights and freedoms of
interested. The loss of confidentiality would entail an absolute and total loss of
control over one's own personal data with the consequent high risk of it being
used by unknown responsible parties and for unexplained purposes.


This loss of control over one's personal data results in a patent
violation of the right to data protection and clear risks for their
rights and freedoms.

Therefore, in order to avoid the serious damage that could be caused to the rights and

freedoms of the interested parties to carry out the planned processing operations
META imposes the need to urgently order the adoption of a
precautionary measure that prevents the materialization of such damages.

The processing takes place in the European Economic Area and affects

substantially or is likely to substantially affect interested parties in more than one
State, with the Irish Control Authority (DPC) currently being the
main control. Therefore, it is considered urgent by the AEPD to adopt a measure
precautionary measure on an exceptional basis and within the enabling framework of article 66.1 of the
GDPR, according to which, in exceptional circumstances, when an authority
interested control authority considers that it is urgent to intervene to protect the rights and

the freedoms of interested parties, may, as an exception to the coherence mechanism
contemplated in articles 63, 64 and 65, or the procedure mentioned in article
60, immediately adopt provisional measures intended to produce effects
legal in its own territory, with a specific period of validity that cannot be
greater than three months. The supervisory authority will communicate these measures without delay,

together with the reasons for its adoption, to the other interested supervisory authorities,
to the Committee and the Commission.




28001 – Madrid 6 Seeagpd.gob.es 5/5










                       IV Description of the measures adopted



For all the above, in use of the powers conferred by the article
58 of the RGPD, and in accordance with the provisions of article 69.2 of Organic Law 3/2018,
of December 5, Protection of Personal Data and guarantee of rights
digital, IT IS AGREED:


       1.- ORDER Meta Platforms Ireland Limited to immediately,
       suspend the implementation of the Election Day Information functionalities
       Feature - EDI and Voter Information Unit -VIU in the Spanish territory, as well as the
       collection and processing of personal data that involves their use
       in Spanish territory.


       2.- ORDER Meta Platforms Ireland Limited to inform this Agency
       the effective execution of the measure within a maximum period of 72 hours from the
       receipt of this Agreement.

       3.- NOTIFY this Agreement to META PLATFORMS IRELAND LIMITED

       through FACEBOOK SPAIN, S.L.

In accordance with the provisions of article 83.6 of the RGPD, non-compliance with the
resolutions of the supervisory authority, pursuant to Article 58(2) of the GDPR,
will be sanctioned with administrative fines of a maximum of 20 million euros or,

In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for the
of greater amount.

During the sanctioning procedure that, if applicable, is initiated, or in the resolution

by which the archiving of these previous investigation actions is agreed,
will be resolved on the maintenance or lifting of the effects of this measure
provisional.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDPGDD, and in accordance with the provisions of article 123 of Law 39/2015, of 1

October, of the Common Administrative Procedure of Public Administrations,
interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month from
from the day following notification of this resolution or directly appeal
administrative litigation before the Administrative Litigation Chamber of the Court

National, in accordance with the provisions of article 25 and section 5 of the provision
fourth additional to Law 29/1998, of July 13, regulating the Jurisdiction
Contentious-administrative, within a period of two months counting from the day following
the notification of this act, as provided for in article 46.1 of the aforementioned Law.


Sea Spain Martí
Director of the Spanish Data Protection Agency





28001 – Madrid 6 Seeagpd.gob.es