AEPD (Spain) - PS/00191/2022: Difference between revisions
No edit summary |
mNo edit summary |
||
(One intermediate revision by one other user not shown) | |||
Line 61: | Line 61: | ||
}} | }} | ||
The Spanish DPA found that the publication of the voice of a crime victim violated their right to privacy as their identity was not relevant for the general public. It fined the publisher | The Spanish DPA found that the publication of the voice of a crime victim violated their right to privacy as their identity was not relevant for the general public. It fined the publisher €50,000 for violating [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The data subject was the victim of a crime that was being covered by the media in Spain. During the case trial, the the data subject gave a testimony reporting the details of the crime. Telecinco, the controller, and other media channels, released the original audio without distorting the data subject's voice. The | The data subject was the victim of a crime that was being covered by the media in Spain. During the case trial, the the data subject gave a testimony reporting the details of the crime. Telecinco, the controller, and other media channels, released the original audio without distorting the data subject's voice. | ||
The DPA initiated an investigation after a complaint was filed and ordered the controller to remove the data subject's voice from their website. In response, the controller argued that the mere hypothetical possibility of singling out an individual is not sufficient to consider the person as identifiable. In their view, taking into account all the means that may reasonably be used by the controller or any other person, such a possibility does not exist or is either negligible. Therefore, the voice cannot be considered as personal data. It also claimed that the original source of the data was the Court, which distributed the recording to all media channels without applying any prior voice distortion or giving any instructions in this regard. Finally, it alleged that coverage of crimes is of public interest and that restricting the publication would infringe their right to freedom of expression. | |||
=== Holding === | === Holding === | ||
The DPA stated that the voice is personal data since it enables the identification of an individual, regardless of the number of persons who may recognise it. It emphasized that it is an individual attribute defined by its pitch, intensity and timbre. According to the DPA, the voice is endowed with unique and singular distinctive features that makes it possible to infer not only the person's age, sex and state of health but also their way of being, culture, origin and their hormonal, emotional and psychic state. In this sense, elements of expression, idiolect or intonation are also personal data considered together with the voice. It highlighted that, in line with [[Recital 75 GDPR]], risk must be interpreted as any circumstance that may give rise to a damage, without the need for this damage to materialise. | The DPA stated that the voice is personal data since it enables the identification of an individual, regardless of the number of persons who may recognise it. It emphasized that it is an individual attribute defined by its pitch, intensity and timbre. According to the DPA, the voice is endowed with unique and singular distinctive features that makes it possible to infer not only the person's age, sex and state of health but also their way of being, culture, origin and their hormonal, emotional and psychic state. In this sense, elements of expression, idiolect or intonation are also personal data considered together with the voice. It highlighted that, in line with [[Recitals GDPR#75|Recital 75 GDPR]], risk must be interpreted as any circumstance that may give rise to a damage, without the need for this damage to materialise. | ||
In the case at hand, there was a high risk that the victim would be identified at the very least in their closest circle and then subjected to a second victimization. The DPA clarified that the object of the investigation was the dissemination of the victim's voice by the media and not other data processings such as those carried out by the Court. It reaffirmed the position of Telecinco as a controller since it decided what data to publish and how. It noted that where there is a "processing chain", i.e. different and subsequent processing operations carried out by different controllers, each controller is responsible for the decisions it takes in its own sphere with regard to its processing. They cannot rely on what the previous controller did in order to be exempted from liability, just as they will not be held liable for the decisions taken by the controller further down the chain. | In the case at hand, there was a high risk that the victim would be identified at the very least in their closest circle and then subjected to a second victimization. The DPA clarified that the object of the investigation was the dissemination of the victim's voice by the media and not other data processings such as those carried out by the Court. It reaffirmed the position of Telecinco as a controller since it decided what data to publish and how. It noted that where there is a "processing chain", i.e. different and subsequent processing operations carried out by different controllers, each controller is responsible for the decisions it takes in its own sphere with regard to its processing. They cannot rely on what the previous controller did in order to be exempted from liability, just as they will not be held liable for the decisions taken by the controller further down the chain. | ||
Line 75: | Line 77: | ||
Finally, it recalled a decision from the Spanish Constitutional Court (27/2020), in which it analyzed whether the non-consensual reproduction of the image of an anonymous person who suddenly and involuntarily acquired a role in a newsworthy event, in this case as a victim, violated their individual rights. The Court held the limit of freedom of expression and access to information lies in the individualisation, direct or indirect, of the victim, as this data neither in the public interest nor relevant to the information provided. Likewise, the DPA found that although the facts under analysis were relevant for the general public, the identity of the victim was not, particularly because they are not a public figure. | Finally, it recalled a decision from the Spanish Constitutional Court (27/2020), in which it analyzed whether the non-consensual reproduction of the image of an anonymous person who suddenly and involuntarily acquired a role in a newsworthy event, in this case as a victim, violated their individual rights. The Court held the limit of freedom of expression and access to information lies in the individualisation, direct or indirect, of the victim, as this data neither in the public interest nor relevant to the information provided. Likewise, the DPA found that although the facts under analysis were relevant for the general public, the identity of the victim was not, particularly because they are not a public figure. | ||
Therefore, the | Therefore, the DPA found that the controller processed data which were excessive for the purpose of informing the public and fined it €50,000 for violating [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. | ||
== Comment == | == Comment == |
Latest revision as of 05:19, 26 April 2023
AEPD - PS/00191/2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(c) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 25.04.2022 |
Decided: | |
Published: | |
Fine: | 50.000 EUR |
Parties: | Conecta5 Telecinco |
National Case Number/Name: | PS/00191/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Bernardo Armentano |
The Spanish DPA found that the publication of the voice of a crime victim violated their right to privacy as their identity was not relevant for the general public. It fined the publisher €50,000 for violating Article 5(1)(c) GDPR.
English Summary
Facts
The data subject was the victim of a crime that was being covered by the media in Spain. During the case trial, the the data subject gave a testimony reporting the details of the crime. Telecinco, the controller, and other media channels, released the original audio without distorting the data subject's voice.
The DPA initiated an investigation after a complaint was filed and ordered the controller to remove the data subject's voice from their website. In response, the controller argued that the mere hypothetical possibility of singling out an individual is not sufficient to consider the person as identifiable. In their view, taking into account all the means that may reasonably be used by the controller or any other person, such a possibility does not exist or is either negligible. Therefore, the voice cannot be considered as personal data. It also claimed that the original source of the data was the Court, which distributed the recording to all media channels without applying any prior voice distortion or giving any instructions in this regard. Finally, it alleged that coverage of crimes is of public interest and that restricting the publication would infringe their right to freedom of expression.
Holding
The DPA stated that the voice is personal data since it enables the identification of an individual, regardless of the number of persons who may recognise it. It emphasized that it is an individual attribute defined by its pitch, intensity and timbre. According to the DPA, the voice is endowed with unique and singular distinctive features that makes it possible to infer not only the person's age, sex and state of health but also their way of being, culture, origin and their hormonal, emotional and psychic state. In this sense, elements of expression, idiolect or intonation are also personal data considered together with the voice. It highlighted that, in line with Recital 75 GDPR, risk must be interpreted as any circumstance that may give rise to a damage, without the need for this damage to materialise.
In the case at hand, there was a high risk that the victim would be identified at the very least in their closest circle and then subjected to a second victimization. The DPA clarified that the object of the investigation was the dissemination of the victim's voice by the media and not other data processings such as those carried out by the Court. It reaffirmed the position of Telecinco as a controller since it decided what data to publish and how. It noted that where there is a "processing chain", i.e. different and subsequent processing operations carried out by different controllers, each controller is responsible for the decisions it takes in its own sphere with regard to its processing. They cannot rely on what the previous controller did in order to be exempted from liability, just as they will not be held liable for the decisions taken by the controller further down the chain.
Finally, it recalled a decision from the Spanish Constitutional Court (27/2020), in which it analyzed whether the non-consensual reproduction of the image of an anonymous person who suddenly and involuntarily acquired a role in a newsworthy event, in this case as a victim, violated their individual rights. The Court held the limit of freedom of expression and access to information lies in the individualisation, direct or indirect, of the victim, as this data neither in the public interest nor relevant to the information provided. Likewise, the DPA found that although the facts under analysis were relevant for the general public, the identity of the victim was not, particularly because they are not a public figure.
Therefore, the DPA found that the controller processed data which were excessive for the purpose of informing the public and fined it €50,000 for violating Article 5(1)(c) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/32 File No.: PS/00191/2022 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: D.A.A.A. (hereinafter, the claiming party), dated ***DATE.1, filed a claim with the Spanish Data Protection Agency (hereinafter, AEPD). The reasons on which the claim is based are the following: The complaining party reported that several media outlets published in their websites the audio of a victim's statement before the judge to illustrate the news regarding the holding of the trial in a case that was highly mediated. The part complainant provided links to news published on media websites claimed. On ***DATE.2, a new letter sent by the party was received claimant, stating that he had been able to verify that there were means that had removed that information, although it accompanied publications made by some outlets on Twitter where it continued to be available. SECOND: Dated ***DATE.3, in accordance with article 65 of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the claim was admitted for processing submitted by the complaining party. THIRD: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in matter, by virtue of the investigative powers granted to the supervisory authorities in article 58.1 of Regulation (EU) 2016/679 (General Regulation of Protection of Data, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following ends: During the investigation actions, publications were found, more than those initially denounced by the complaining party, where the voice of the complainant could be heard undistorted victim. Among them, the following CONECTA5 publication TELECINCO, S.A.U, with NIF A82432279 (hereinafter, the claimed party): ***URL.1 On ***DATE.4, the defendant was notified of a precautionary withdrawal measure urgent content or distorted voice of the intervener so as to be unidentifiable in the web address from which it was accessible this content. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/32 On ***DATE.5, a letter sent by this entity was received by this Agency informing that it had proceeded to give immediate and full compliance to the practiced requirements; verifying the deletion of the news. FOURTH: On April 25, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate disciplinary proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (in hereafter, LPACAP), for the alleged infringement of article 5.1.c) of the GDPR, classified as in article 83.5.a). FIFTH: Notified of the aforementioned start-up agreement in accordance with the rules established in the LPACAP, the claimed party submitted a brief of allegations on May 10, 2022 in which, in summary, he stated that: 1.- The voice is not considered as a personal data, because not all own attribute and individual of a person is a personal data, but only those that identify or allow us to identify the specific person. For this purpose, it invokes Opinion 4/2007 on the concept of personal data of the Group of Labor of Article 29, which indicates that a person can be considered "identified" natural person when, within a group of people, he is "distinguished" from all other members of the group; the natural person is "identifiable" when, although not has yet identified it, it is possible to do so. And that the identification is achieved normally through specific data that we can call "identifiers" and that They have a privileged and very close relationship with a certain person. It indicates the claimed party that never identified the victim basically because He was unaware and still is unaware of that identity. And that the information he gave was limited to some circumstances of the event, to procedural information, the sex of the victim and her voice. It states that in order to consider whether the voice is sufficient to identify the person, circumstances must be taken into account. And that in the case that we are concerned with, the voice, as can be verified in the recordings issued in its day, is the � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � , a fact that he considers should not be left aside, since it is about assessing whether the voice alone is capable of individualizing the victim among a certain group, daring to say that this group is so indeterminate and wide like that of young women (...) ***LOCATION.1. Therefore, he denies categorically that the voice can single out the victim among all the women young people who were in ***LOCATION.1 on the day of the events. For all these reasons, it considers that neither the voice nor the information it disclosed are identifiers enough to single out the person within the reference group to the point that it can be identified. He goes on to indicate that another element that he considers particularly important to ponder is that of the necessary means for the identification of a person, invoking the effect recital 26 of the GDPR: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es