AEPD (Spain) - EXP202493476
| AEPD - EXP202493476 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(a) GDPR, Article 5(1)(c) GDPR, Article 5(1)(e) GDPR, Article 6(1)(b) GDPR, Article 66 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 22.04.2024 |
| Decided: | |
| Published: | 31.05.2024 |
| Fine: | n/a |
| Parties: | Meta Platforms Ireland Limited |
| National Case Number/Name: | EXP202493476 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | lm |
The DPA invoked urgency procedures to prohibit Meta’s deployment of election-related platform features, finding that the processing lacked a legal basis and collected excessive data.
English Summary
Facts
On 28 February 2024, the Irish Data Protection Commission (DPC) shared information concerning two new products that Meta (the controller) planned to launch for Facebook and Instagram between 30 May and 9 June 2024. The tools were Election Day Information (EDI) and Voter Information Unit (VIU), both of which would send notifications to all eligible Instagram and Facebook users in the EU to remind them to vote in EU Parliament elections. The functionalities required users to input personal data including their name, IP address, age and gender.
The controller claimed that the products aimed to ensure that all Facebook and Instagram users who are eligible to vote see the EDI and VIU features. It argued that its legal basis for processing was the necessity of executing its contract with users.
On 22 April 2024, the AEPD sent the DPC a questionnaire concerning the controller’s planned processing. It also asked the DPC whether it had initiated its own proceedings or had analysed whether the processing conformed to the GDPR. The DPC forwarded the questionnaire to the controller and passed on its response, but did not answer the AEPD’s questions about its own proceedings or analysis of the processing.
Holding
The AEPD adopted provisional measures prohibiting the processing pursuant to Article 66 GDPR’s urgency procedure. It considered that the controller’s planned processing lacked a legal basis and would infringe the principles of legality, data minimisation and storage limitations under Articles 5(1)(a), (c) and (e) GDPR.
First, the AEPD found that the controller lacked a legal basis for processing under Article 6(1)(b) GDPR. Given the controller’s status as a private enterprise, a public interest could not be a ‘necessity’ for fulfilling a contract executed for commercial purposes. In fact, the AEPD considered that the purpose of processing the data pursuant to EDI and VIU was to aggregate information that the controller could then commercialise to third parties. The AEPD also noted that the controller failed to explain how it would exclusively process data of users over the age of 18 for EDI and VIU purposes, given that it had no reliable mechanism in place to determine the age of its users. The AEPD considered the controller’s complete lack of legal basis, whether based on necessity of contract or otherwise, to violate the principle of legality pursuant to Article 5(1)(a) GDPR.
Second, the AEPD considered the controller’s processing of data excessive. It observed no justification for the use of a system that ensures that only the data of persons of legal age are processed. In addition, the controller aimed to collect city information based on data subjects’ IP addresses, when the narrowest degree of necessary data was merely nationality. The collection of such data, the AEPD found, is excessive relative to the supposed purpose of informing data subjects about elections.
Finally, the AEPD determined that the controller violated the storage limitation principle under Article 5(1)(e) GDPR. The storage period, which was redacted in the decision, was not justified by the controller in relation to the stated purposes. The AEPD considered this to indicate an additional purpose of the processing operation.
Ultimately, the AEPD considered that the collection of the data via EDI and VIU put the rights of data subjects at great risk. It noted that the volume of data gathered would permit the controller to create elaborate profiles of users. This loss of control over one’s own data, the AEPD said, demonstrates a patent violation of the right to data protection and a significant risk for data subjects’ rights and liberties. Given the impending launch of the products and the high risks involved, the AEPD invoked the urgency procedure for exceptional circumstances under Article 66 GDPR. It accordingly adopted immediate interim measures to prohibit the controller’s anticipated processing with EDI and VIU.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Ref.: EXP202403476
Subject: Agreement on the adoption of provisional measures

The Spanish Data Protection Agency (AEPD) has become aware of the future large-scale processing of personal data described below, which allegedly violates the legislation on the protection of personal data.

I. Facts

On 28 February 2024, through A61VMN 612500, the Irish authority (DPC) shared with the data protection authorities information relating to ***, two new features for the Facebook and Instagram products. Meta Platforms Ireland Limited (hereinafter META) intends to implement two functionalities in its Instagram and Facebook products: *** (Election Day Information - EDI) *** and *** (Voter Information Unit - VIU) ***. They state that they intend all Instagram and Facebook users in the EU with voting rights, ***, to see VIU and EDI reminders for the next EU parliamentary elections. ***

Given the doubts raised by the data processing that these functionalities may entail, this Agency wrote to the DPC on 22 April asking it to forward a questionnaire with questions relating to the data processing META would carry out on launching both functionalities. At the same time, the DPC was asked whether any proceedings were in progress or whether it had carried out an analysis to determine whether the new data processing complies with the GDPR. The DPC has not answered these questions, but it did send the questionnaire to META and has provided this AEPD with META's response, dated 29 April 2024.

• ***

Taking the above into account, the following considerations are in order:

FIRST: As regards the legal basis alleged by META, it must be noted that META is a private entity with a commercial purpose, whose main activity consists of providing a social networking platform financed by the sale of advertising space, fundamentally linked to the building of user profiles.
However, the holding of democratic elections and the free exercise of the right to vote constitute a public interest, incompatible with the commercial character of the company, so that interest cannot be regarded as necessary for the performance of the contract to which the data subject is a party. The term "necessary" used by the GDPR has, in the view of the CJEU, its own independent meaning in Community legislation. It is, says the Court, an "autonomous concept of Community law" (CJEU judgment of 16 December 2008, case C-524/06, paragraph 52). The European Court of Human Rights (ECHR) has also offered guidelines for interpreting the concept of necessity. In paragraph 97 of its judgment of 25 March 1983 it states that the adjective "necessary" is not synonymous with "indispensable", nor does it have the flexibility of the expressions "admissible", "ordinary", "useful", "reasonable" or "desirable". As stated in Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, "Article 6(1)(b) applies where two conditions are met: the processing in question must be objectively necessary for the performance of a contract with a data subject, or the processing must be objectively necessary in order to take pre-contractual steps at the request of a data subject" (paragraph 22). They then point out that "the necessity of the processing is a precondition for both parts of Article 6(1)(b). First of all, it is important to note that the concept of what is 'necessary for the performance of the contract' is not merely an assessment of what the clauses of a contract permit or put into practice. The concept of necessity has an autonomous meaning in Union law, which must reflect the objectives of data protection law.
Therefore, the fundamental right to privacy and the protection of personal data, as well as the requirements of the data protection principles, including in particular the principle of fairness, must also be taken into account" (paragraph 23). When assessing what is "necessary", an evaluation must be made on the basis of the objective pursued, considering whether there are less intrusive forms of processing that would achieve the same objective. If other realistic and less intrusive alternatives exist, the processing is not "necessary". The existence of "necessity" must therefore be assessed against the purpose that META pursues with the processing of the data. In this case it should be noted at the outset that the alleged "necessity" of the processing META intends to carry out is incompatible with the purpose of the contract, since in no way can a public interest, such as the right to vote and the guarantee of free elections, be "necessary" for the performance of a contract that has a private purpose. *** Nor does it justify how it intends to process exclusively the data of persons over 18 years of age, when there is no reliable mechanism to determine the age of the recipients, nor does it justify the processing of interactions with the website to which they are directed. Finally, the data are used for the purpose of aggregating them and transferring the aggregated data to third parties. However, the aggregation process is not explained, nor which data are used for that aggregation, nor the level of disaggregation, so it is unknown whether the level of disaggregation allows users to be identified, from which it can be concluded that personal data could be retained and communicated. Thus, according to the information provided, META's ultimate purpose is to have data for the improvement of its own product and to communicate them to third parties.
For all of the above, the AEPD considers that META cannot rely on Article 6(1)(b) GDPR for the processing of user data that it intends to carry out, nor on any other legal basis in Article 6, which would mean that, if the processing were finally carried out, it would violate the principle of lawfulness provided for in Article 5(1)(a) GDPR.

SECOND: The intended data processing is excessive. Age data are processed, rather than using a system that guarantees that only the data of persons of legal age are processed. On the other hand, the city data contained in the profile and the IP address are stored for the purpose of selecting voters, when what determines that status is nationality, in the case of the forthcoming European elections. This shows that the processing is unnecessary, since it starts from the presumption that users residing in certain cities, or whose IP address is located in Europe, have the right to vote, leaving out citizens residing abroad and addressing citizens of other countries who are in Europe. In short, this processing is disproportionate and excessive. *** Finally, the processing of interactions is entirely disproportionate in relation to the supposed purpose of informing about the elections.

THIRD: The principle of storage limitation is not respected. ***, without justifying the need for its storage in relation to the stated purposes, which reveals an additional purpose of the processing operation.

II. Justification of urgency

The data processing planned by META represents an action contrary to the GDPR which, at the very least, would breach the data protection principles of lawfulness, data minimisation and storage limitation, as set out above. Likewise, as indicated above, Meta plans to launch the VIU functionality in Spain from 30 May to 9 June, which will consist of sending notices or reminders to users ***.
Therefore, the adoption of urgent measures against META is justified by the proximity of the period in which META plans to start collecting personal data in Spanish territory. If no urgent action is taken, META would collect and retain personal data in breach of the GDPR, thereby violating the rights and freedoms of the data subjects. META has even planned to communicate the data collected, in aggregate form, to third parties (which may even be individuals), without offering any guarantee that the data made available to third parties are not personal data. The imminent start of the offending processing is a clear justification for the adoption of the urgent provisional measure.

III. Risks to the rights of data subjects requiring protection

META's planned data collection and retention would put at serious risk the rights and freedoms of Instagram and Facebook users, who would see an increase in the volume of information that META collects about them, without any legal basis legitimising this action by META. The volume of information collected would allow META to develop more complex, detailed and exhaustive user profiles, generating processing that is more intrusive on their rights and freedoms, such as the rights to privacy and the protection of personal data recognised in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. In addition, making available to third parties data that could be of a personal nature would involve a disproportionate interference with the rights and freedoms of the data subjects. The loss of confidentiality would entail an absolute and total loss of control over one's own personal data, with the consequent high risk of it being used by unknown controllers and for unexplained purposes.
This loss of control over one's personal data results in a patent violation of the right to data protection and clear risks to the rights and freedoms of data subjects. Therefore, in order to avoid the serious harm that carrying out the processing operations planned by META could cause to the rights and freedoms of the data subjects, it is necessary to order urgently the adoption of a precautionary measure that prevents such harm from materialising. The processing takes place in the European Economic Area and substantially affects, or is likely to substantially affect, data subjects in more than one Member State, the Irish supervisory authority (DPC) currently being the lead supervisory authority. Therefore, the AEPD considers it urgent to adopt a precautionary measure on an exceptional basis, within the enabling framework of Article 66(1) GDPR, according to which, in exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 or the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months. The supervisory authority shall, without delay, communicate those measures and the reasons for adopting them to the other supervisory authorities concerned, to the Board and to the Commission.
IV. Description of the measures adopted

For all the above, in exercise of the powers conferred by Article 58 GDPR, and in accordance with Article 69(2) of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights, IT IS AGREED:

1.- To ORDER Meta Platforms Ireland Limited to immediately suspend the implementation of the Election Day Information - EDI and Voter Information Unit - VIU functionalities in Spanish territory, as well as the collection and processing of personal data involved in their use in Spanish territory.

2.- To ORDER Meta Platforms Ireland Limited to inform this Agency of the effective execution of the measure within a maximum period of 72 hours from receipt of this Agreement.

3.- To NOTIFY this Agreement to META PLATFORMS IRELAND LIMITED through FACEBOOK SPAIN, S.L.

In accordance with Article 83(6) GDPR, non-compliance with an order by the supervisory authority as referred to in Article 58(2) GDPR shall be subject to administrative fines of up to 20 million euros or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In the sanctioning procedure that, where applicable, is initiated, or in the resolution by which the archiving of these preliminary investigation actions is agreed, a decision will be taken on maintaining or lifting the effects of this provisional measure.

Against this resolution, which puts an end to the administrative procedure in accordance with article 48.6 of the LOPDPGDD, and in accordance with article 123 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in article 46.1 of that Law.

Mar España Martí
Director of the Spanish Data Protection Agency
28001 – Madrid 6 Seeagpd.gob.es