UODO (Poland) - DS.523.4480.2024

From GDPRhub
Revision as of 11:19, 27 August 2024 by Wp (links added)
UODO - DS.523.4480.2024
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1) GDPR
Article 6(1) GDPR
Article 66(1) GDPR
Article 70 para 1 of the Data protection act (Ustawa o ochronie danych osobowych)
Type: Complaint
Outcome: Other Outcome
Started:
Decided: 05.08.2024
Published:
Fine: n/a
Parties: Meta Platforms Ireland
National Case Number/Name: DS.523.4480.2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (Poland) (in PL)
Initial Contributor: wp

A DPA issued a decision under Article 66 GDPR, prohibiting Meta from sharing advertisements containing the data subject’s data, including the fake ads, on Facebook and Instagram within Poland for three months.

English Summary

Facts

The data subject’s data was used to create deep-fake ads published on Facebook and Instagram. According to the data subject, there were ads in which his name, surname and image were published, combined with fake information about him, for example a deep-fake video with the data subject’s image soliciting an investment platform. The fake ads aimed at creating a false impression that the investment platform was supported by the data subject and, hence, secure and worth investing in. The ads were accessible to many users of Facebook and Instagram. The data subject contacted Meta Ireland, acting as the data controller of data processed on Facebook and Instagram, and requested restriction of data processing and prohibition of publication of his data via fake ads. The controller didn’t answer the request. In parallel, the data subject filed a complaint with the Polish DPA (UODO).

Holding

The DPA explained that the Irish DPA (DPC) was competent to examine the complaint and start the proceedings. Nevertheless, the DPA found that the contested processing activities fell within the scope of the urgency procedure under Article 66(1) GDPR.

According to the DPA, Meta Ireland together with the ads creator acted as joint controllers within the meaning of Article 26 GDPR.

The DPA emphasised that Meta Ireland, acting as a data controller of data processed on Facebook and Instagram, processed the data related to the fake-news ads. One of the aggravating factors was the fact that Meta didn’t follow its privacy policies in practice (regarding due diligence on ads creators). The position of data controller obliged Meta to process the data subject’s data, including the data contained in ads, in compliance with the data processing principles stemming from Article 5(1) GDPR, in particular the principles of lawfulness, fairness and transparency (Article 5(1)(a) GDPR), as well as the principle of accuracy (Article 5(1)(d) GDPR), under a proper legal basis of Article 6(1) GDPR. Additionally, the affected data subject was a famous person and the published ads contained serious fake information about him and his professional activity. Because of that, not only were the data subject’s privacy and reputation threatened, but the credibility of the data subject’s business activity was also affected.

As a result, the DPA considered it probable that Meta violated Article 5(1) GDPR and Article 6(1) GDPR. Therefore, the DPA issued a decision under Article 66(1) GDPR and Article 70(1) of the Data protection act (Ustawa o ochronie danych osobowych) to secure the rights and freedoms of the data subject by restricting the processing activities. The DPA prohibited the controller from sharing the data subject’s data via advertisements presented on Facebook and Instagram within Poland for three months.

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

PRESIDENT OF THE OFFICE FOR PERSONAL DATA PROTECTION
Miroslaw Wroblewski
Warsaw, August 5, 2024.
DS.523.4480.2024
PROVISION
Pursuant to Article 123 of the Act of June 14, 1960, Code of Administrative Procedure (Journal of Laws of 2024, item 572), in conjunction with Article 70 (1) and (2) of the Act of May 10, 2018 on Personal Data Protection (Journal of Laws of 2019, item 1781), in conjunction with Article 66 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 4.05.2016, p. 1, Official Journal of the EU L 127 of 23.05.2018, p. 2, and Official Journal of the EU L 74 of 4.03.2021, p. 35), in proceedings from the complaint of Mr. J.C., residing in W., about irregularities in the processing of his personal data by M., consisting in providing his personal data, including false information about him, in advertisements displayed on social networks: F., available at the Internet address [...] and I., available at the Internet address [...], without legal basis, the President of the Office for Personal Data Protection decides
to oblige M. to restrict the processing of the personal data of Mr. J.C., residing in W., by prohibiting it from being made available to other entities in advertisements displayed on social networks: F., available at the Internet address [...] and I., available at the Internet address [...], on the territory of the Republic of Poland for a period of three months from the date of delivery of this order to M.
Justification
The Office for Personal Data Protection received a complaint from Mr. J.C. zam. in W., hereinafter referred to as the Complainant, about irregularities in the processing of his personal data by M., hereinafter referred to as the Company, consisting in providing his personal data, including false information about him, in advertisements displayed on social networks: F., available at the Internet address [...] and I., available at the Internet address [...], without legal basis.
In the wording of the aforementioned complaint, the Complainant claimed, in particular, that the Company violated his personal data by publishing - without his consent and without any other legal basis for the processing of personal data - his image and name in advertisements prepared in the form of deepfake, consisting in the provision of unlawfully modified footage of the Complainant's image without the required assessment of the reliability of the source of the materials and without applying an appropriate procedure for verifying the veracity of the acquired personal data (footage), which exposed the Complainant to the loss of confidence in his business and good name. This is because the advertisements juxtapose true and current personal data of the Complainant and data on his business activities with false information that the Complainant is the founder, supports and controls the advertised investment platforms.
At the same time, the Complainant indicated that he had taken action against the Company by sending [...] July 2024 a notice to remove advertisements and sponsored materials and to stop displaying ads that use the Complainant's image.
As evidence of the violation of data protection regulations, the Complainant submitted a printout of the advertisement displayed on the profile "I.", available at: https://[...], a printout of the advertisement displayed on the profile of "T.", available at: https://[...], printout of the advertisement displayed on the profile of "R." available at: https://[...], printout of the advertisement displayed on the "N." profile, available at: https://[...], printout of the advertisements displayed on the "B." profile, available at: https://[...]; https://[...]; https://[...], printout of ads displayed on "S." profile, available at: https://[...], https://[...], printout of ads displayed on the profile of "L.", available at: https://[...]; https://[...]; https://[...], printout of ads displayed on the profile of "K.", available at: https://[...]; https://[...]; https://[...]; https://[...]; https://[...], printout of ads displayed on the profile of "P." available at: https://[...]; https://[...].
Pointing to the above, the Complainant requested, among other things, that the Company be ordered to completely restrict processing, including a ban on processing the Complainant's personal data in the form of broadcasting deepfake advertising materials with the Complainant's image and name, and to impose an administrative fine on the Company under Art. 83 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 4.05.2016, p. 1, Official Journal of the EU L 127 of 23.05.2018, p. 2, and Official Journal of the EU L 74 of 4.03.2021, p. 35), hereinafter referred to as RODO, adequate to the circumstances and scale of the breach of data protection regulations.
According to the findings of the President of the Office for Personal Data Protection, despite the Complainant's aforementioned request to the Company dated [...] July 2024, the Complainant's personal data continues to be provided by the Company in the manner questioned in the complaint.
This is because the data continues to appear in advertisements available at: https://[...], https://[...], https://[...], https://[...], https://[...], https://[...].
The Complainant's disputed processing of his personal data by the Company is in the nature of "cross-border processing" within the meaning of Article 4(23)(a) of the RODO, according to which cross-border processing means the processing of personal data that takes place in the Union in the course of the activities of organizational units in more than one member state of a controller or processor in the Union with organizational units in more than one member state.
As the Company's registered office is in Ireland, the competent authority to act in the case as the lead supervisory authority, with respect to this cross-border processing of the Complainant's data, pursuant to Article 56(1) of the RODO, is the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland.
However, according to Article 66(1) of the RODO, in exceptional circumstances, if the supervisory authority concerned considers that there is an urgent need to take action to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65, or from the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on the territory of its Member State for a specified period, not exceeding three months.
The supervisory authority shall immediately inform the other supervisory authorities concerned, the European Data Protection Board and the Commission of these measures and the reasons for their adoption.
In turn, according to the wording of Article 70 (1) of the Act of May 10, 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), if in the course of the proceedings it becomes probable that the processing of personal data violates the provisions on the protection of personal data, and further processing of personal data may cause serious consequences that are difficult to eliminate, the President of the Office, in order to prevent such consequences, may, by means of a decision, oblige the entity alleged to have violated the provisions on the protection of personal data to restrict the processing of personal data, indicating the permissible scope of such processing.
Pursuant to Article 70 (2) of the Personal Data Protection Act, in the order referred to in paragraph (1), the President of the Office shall specify the duration of the restriction of the processing of personal data no longer than until the date of issuing a decision concluding the case.
As is clear from the above provisions, the basis for the adoption of provisional measures by the supervisory authority concerned in the territory of its member state under Article 66(1) of the RODO is the urgent need to take action to protect the rights and freedoms of data subjects.
Provisional measures under national law are provided for by the above-cited Article 70(1) of the Law on Personal Data Protection in the form of the issuance of an order requiring the entity alleged to have violated data protection laws to restrict the processing of personal data, while the prerequisite for their application is the probability of a violation of data protection laws and the risk of causing serious consequences that are difficult to remedy.
In the opinion of the President of the Office for Personal Data Protection, in the present case the above prerequisites for the issuance of the aforementioned order were met.
The urgency of the interim measures must be assessed against the need to protect the rights and freedoms of data subjects. The negative effects on data subjects and their fundamental rights and freedoms are very significant in the present case.
In fact, in the questioned advertisements displayed by the Company on the F. social network, personal data of the Complainant in the scope of his name, surname and image are made available, as well as false information about him, from which it appears that he proposes to the recipients of the advertisements investments that guarantee the multiplication of their wealth and a certain fast high profit and financial independence, which can come true by watching the advertisements to the end and following the guidelines given in them.
There is no doubt that the aforementioned information about the Complainant constitutes his personal data within the meaning of Article 4(1) of the RODO, according to which personal data means any information about an identified or identifiable natural person ("data subject"), and an identifiable natural person is one who can be identified directly or indirectly, in particular on the basis of an identifier such as a name.
Indeed, in the questioned advertisements displayed by the Company in ads on the social network F., the Complainant is a person identified by name.
In addition, the ads point to the Complainant's achievements and business activities, which further enable him to be identified.
Moreover, the Complainant is a well-known person, he is a Polish entrepreneur, manager, investor, philanthropist, founder and president of I., under which he organized a network of self-service parcel machines in Poland. In addition, the Complainant founded R. in 2022, which aims to financially and mentor young talent. He has received a number of awards and honors, such as the Manager of the Year award in 2009 for his merits in crushing the P. monopoly, and the 2022. B. in the "N." category. (an award received jointly with his wife Mrs. B.K. for his commitment to philanthropy), as well as honors in 2022. - K. (see https://[...]).
The cited content of the advertisements is false, harms the opinion of others about the Complainant, undermines confidence in him as a person, a businessman, or the above-mentioned effects on this individual. It should be noted that the Complainant, in particular by virtue of the aforementioned business and charitable activities, is a public figure, widely known and recognizable. Therefore, the cited advertisements evoke a negative opinion of the Complainant's person, or undermine the trust in him necessary for his business and charitable activities. It can be assumed that the referenced content of the advertisements would not have appeared if the Complainant had not been a public, publicly known person, since information about just such a person enjoys widespread interest, and because of such characteristics of this person, this individual became the target of the attack.
The advertisements juxtapose the Complainant's true and current personal information and details of his business with false information that the Complainant is the founder, supports and controls the advertised investment platforms.
Using false personal information obtained illegally, false information is spread that these platforms are new business models of the Complainant, created by his employees, family or in cooperation with other well-known entrepreneurs, and that they are fully secure tools. Significantly, the ads claim that the Complainant is such a well-known, professional and highly trusted public figure that it cannot be a scam, as he vouches for the legitimacy of the new investment platform. Thus, the advertisements strongly affect the psyche of the users of the indicated social networks, also creating the false impression that the video is aimed directly at them, assuring that if the video is displayed to the user, he has been selected for the project and his device has the technical capabilities to participate in investments. Using the Complainant's image and personal data, the advertisers are trying to lead the users of the portals to make an impulsive decision, emphasizing that once the entry is closed, the invitation to invest will no longer be available, which is patently untrue.
Thus, the dissemination of the Complainant's personal information is aimed at taking advantage of the Complainant's trust and social standing to reach the groups that are most susceptible to this type of online fraud, such as, in particular, young people inexperienced in life, the elderly, the clumsy, or, for example, those without sufficient economic knowledge.
The above content presented by the Company, due to its untruthfulness and the potential danger of leading an unlimited number of people to unfavorable financial investments and disposition of property with exposure to financial losses, also fully justifies the urgent need for the President of the Office for Personal Data Protection to take immediate action in the interest of protecting the fundamental rights and freedoms of data subjects.
Moreover, this content, despite the fact that it dignifies "S." and "S." as defined by the Company, have not been removed by the Company, while according to its preferred standards it should do so. Indeed, as the Company declares in the aforementioned standards, quote: "(...) In accordance with our principles, advertisements may not promote products, services, programs or offers using deceptive or misleading practices, including practices that are intended to defraud people of money or personal information (...)", as well as quote: "(...) Advertisements may not coordinate, organize, promote or permit specific criminal or harmful activities that target people, businesses, property or animals (...)", or quote: "(...) Advertisers promoting financial products and services must demonstrate that they are authorized by the relevant regulatory authorities, if required. Any such authorization may be subject to verification by the M. Advertisers must also comply with disclosure requirements specified by law (...)," and cited: "(...) We enforce our policies using automated and, in some cases, manual verification. In addition to verifying individual advertisements, we also monitor and investigate advertiser behavior and may impose restrictions on advertiser accounts if they violate our Ad Placement Standards, Community Standards or other M. (...) policies and regulations," (see https://[...]).
In addition, the Company pledged, quote: "(...) We want to ensure that the content displayed on F. We believe that authenticity creates a better environment for sharing content (...)," and also quote: "(...) We are committed to ensuring that security on the F. (...)" (see [...]).
Despite the indicated declarations of the Company, false information about the Complainant continues to be displayed on F., hence the undoubtedly urgent reaction of the authority of the data protection supervisor in the present case is fully justified and necessary.
In addition, in the present case, it has been fully probable that through the contested processing of the Complainant's personal data by the Company, involving the inclusion of the Complainant's data, including false information about the Complainant's person in the advertisements presented by the Company on the aforementioned portals, there is a violation of data protection laws by the Company.
Indeed, the Company is a joint controller of the Complainant's personal data processed in the aforementioned manner, within the meaning of Article 26 of the RODO, according to which, if two or more controllers jointly determine the purposes and means of processing, they are joint controllers who, through joint arrangements, transparently determine the respective scopes of their responsibility for fulfilling their obligations under this Regulation.
According to the regulations presented by the Company on the portal F. community, the Company and you are joint data controllers in accordance with Article 26 of the RODO to the extent of Joint Data Processing as defined by the Terms and Conditions of the relevant product. The scope of joint data processing includes the collection of personal data as defined by the Terms and Conditions of the relevant product and their transfer to the Company (cf. https://[...]).
Moreover, as the aforementioned regulation states, quote: "(...) The advertiser creates ads to be displayed on F. and I. and on other sites and mobile apps, and then uploads them using our ad management tools. F. then displays the ads. We take into account the advertiser's goal, the expected audience and the advertisement when selecting the appropriate ads to display. We do not provide advertisers with information about your identity and we do not sell them your data (...)" (cf. https://[...]). Furthermore, according to the Company's claims in the aforementioned website, cited: "(...) Protecting people's privacy is a key dia of designing our advertising system. When we display ads on M. Products, we display relevant and useful ads to you without sharing information about you with advertisers. We do not sell your personal information or share information that directly identifies you (such as your name, email address or other contact information) with advertisers without your explicit consent. We allow advertisers to provide us with information such as their business purpose and the type of audience they want to display ads to (for example, people aged 18-35 who live near the advertiser's store in P.). We then display their ads to people we think might find them relevant (cf. https://[...]).
In case of doubts about the Company's co-administration with the advertiser of possible personal data contained in the content of advertisements presented by the Company, it is reasonable to refer here to the judgment of the Court of Justice of June 5, 2018 in Case C-210/16, i.e. the proceedings Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH, with the participation of: Facebook Ireland Ltd, Vertreter des Bundesinteresses beim Bundesverwaltungsgericht, in which the Court held that a Facebook fanpage operator co-manages personal data together with the Company, stating in particular quote: "(...) the controller of a fanpage operated on Facebook, (...) participates, by taking steps to establish parameters depending in particular on its target users, as well as on the objectives for the management or promotion of its activities, in the determination of the purposes and means of processing of the personal data of visitors to its fan page. Therefore, in the present case, it should be considered that this fan page controller is jointly liable at the Union level with Facebook Ireland for the processing of data within the meaning of Article 2(d) of Directive 95/46 (...)."
Therefore, it is incumbent on the Company, as co-controllers of the Complainant's personal data, to process the Complainant's personal data in compliance with the legitimizing prerequisites listed in Article 6(1) of the RODO, and furthermore in compliance with the principles of data processing under Article 5(1) of the RODO, such as, in particular, the principles of lawfulness, fairness and transparency (Article 5(1)(a) of the RODO), as well as the principle of accuracy (Article 5(1)(d) of the RODO). In addition, the Company, pursuant to Article 5(2) of the RODO, must be able to demonstrate compliance with the provisions of the RODO in the processing of the Complainant's personal data.
Thus, the Company's publicizing of the Complainant's personal data, including false information about him, in advertising content presented by the Company, in a manner that allows an unlimited circle of other persons/entities to become acquainted with it, may therefore result in the Company's violation of Art. 5(1) of the RODO and Article 6(1) of the RODO, as demonstrated above by indicating the manner in which the Company shared the Complainant's data, as well as the nature of that sharing, further contradicting the Company's regulations on the use of its services contained in the F. social network.
The Company's publicizing of the aforementioned personal data of the Complainant, including the described false information about him, in the aforementioned advertising content violates Article 1 of the Charter of Fundamental Rights of the European Union, which states that human dignity is inviolable.
It must be respected and protected.
Thus, in the case it has been made probable that the processing of the Complainant's personal data by the Company may violate the provisions on the protection of personal data, as a result of which the first of the prerequisites for the application of the provisional measure in the case under Article 70 (1) of the Law on the Protection of Personal Data, has been met.
In the case, there is also a second prerequisite for issuing the above-mentioned order in the form of a probable threat to cause serious and difficult-to-remove consequences.
This is because, due to the Company's dissemination of false information about forms of investment allegedly being the Complainant's new business models, the content made public by the Company in the aforementioned advertisements on the social network F. and I., may cause severe financial consequences for other people, users of the aforementioned portals, through unfavorable disposition of their funds.
In doing so, it should be noted that the manner in which the alleged investment tools were promoted, especially when taking into account the dissemination of the Complainant's personal data and his alleged assurances of achieving a high return on investment (e.g., the promise of [...] euros per day, [...] thousand zlotys per week), raises suspicion that financial fraud may be carried out through this platform, to the detriment of those to whom the content in question was directed through the aforementioned portals.
In view of the above, the case may give rise to an irremediable effect in the form of further processing of false information about the Complainant by other entities and further spreading of disinformation about the Complainant in the Polish society resulting in loss of trust in him as an entrepreneur and philanthropist, as well as in the form of severe financial consequences in other people, users of the above-mentioned portals, susceptible to the displayed content, who may be both young people inexperienced in life, elderly people, clumsy people or, for example, those without sufficient economic knowledge.
Therefore, prohibiting the Company in this procedure from providing the aforementioned personal data of the Complainant contained in advertisements displayed on the social network F. and I. in the territory of the Republic of Poland for a period of three months from the date of delivery of this order to the Company is fully justified and necessary.
The subsequent decision of the lead authority in the case will not remove the negative effects of unauthorized processing of personal data by others, especially with regard to the effects on the rights of individuals, as indicated above.
This fully justifies the application of the protection mechanism of Article 70(1) of the Data Protection Law in conjunction with Article 66(1) of the RODO.
In this state of facts and law, the President of the Office for Personal Data Protection has ruled as in the operative part.
President of the Office Personal Data Protection Miroslaw Wroblewski
This order is final. Pursuant to Article 70 (3) of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), a party has the right to lodge a complaint against this order with the Provincial Administrative Court in Warsaw, within 30 days from the date of delivery of this order, through the President of the Office for Personal Data Protection (address: Office for Personal Data Protection, 2 Stawki Street, 00-193 Warsaw). The entry fee for the complaint is PLN 200. The party has the right to apply for the right to assistance, including exemption from court costs.