UODO (Poland) - DS.523.4486.2024
| UODO - DS.523.4486.2024 | |
|---|---|
 | |
| Authority: | UODO (Poland) |
| Jurisdiction: | Poland |
| Relevant Law: | Article 5(1)(d) GDPR Article 66(1) GDPR Article 70 para 1 of of Data protection act (Ustawa o ochronie danych osobowych) |
| Type: | Complaint |
| Outcome: | Other Outcome |
| Started: | |
| Decided: | 05.08.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | Meta Platforms Ireland |
| National Case Number/Name: | DS.523.4486.2024 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Polish |
| Original Source: | UODO (in PL) |
| Initial Contributor: | wp |
A DPA issued a decision under Article 66 GDPR, prohibiting Meta from sharing advertisements containing data subject’s data, including the fake-ads, on Facebook and Instagram within Poland for three months.
English Summary
Facts
Data subject’s data was used to create a deep-fake ads, published on Facebook and Instagram. According to the data subject, there were approximately 260 different ads, where her name, surname and image was published, combined with a fake information about her, for example information about her death or crime committed. The ads were accessible to many users of Facebook and Instagram, including the family of data subject.
The data subject contacted the data controller Meta Ireland, acting as a data controller of data processed on Facebook and Instagram, and requested restriction of data processing and prohibition of publication of her data via fake ads. The controller didn’t answer the request.
In parallel, the data subject filed a complaint with the Polish DPA (UODO).
Holding
The DPA explained that the Irish DPA (DPC) was competent to examine the complaint and start the proceedings. Nevertheless, the DPA found the contested processing activities fell within the scope of urgency procedure under Article 66(1) GDPR.
According to the DPA, Meta Ireland together with the ads creator acted as a joint controllers within Article 26 GDPR.
The DPA emphasised the Meta Ireland, acting as a data controller of data processed on Facebook and Instagram, processed the data related fake-news ads. One of the aggravating factors was the fact that Meta didn’t follow their privacy polices in practice (regarding ads creators due diligence). The position of data controller obliged Meta process the data subject’s data, including the data contained in ads, in compliance with data principles stemming from the GDPR, especially data accuracy principle of Article 5(1)(d) GDPR. Additionally, the affected data subject was a famous person and the published ads contained serious fake information about her. Because of that, data subject’s privacy, reputation and credibility of public figure were threatened, which violated also Article 1 CFR and Article 7 CFR.
As a result, the DPA issued a decision under Article 66(1) GDPR and Article 70(1) of Data protection act (Ustawa o ochronie danych osobowych), to secure rights and freedoms of data subject by restricting the processing activities. The DPA prohibited the controller to share the data subject’s data via ads presented on Facebook and Instagram within Poland for three months.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
