APD/GBA (Belgium) - 29/2023: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(3 intermediate revisions by the same user not shown)
Line 82: Line 82:
On 14 April 2021, the Irish DPC opened its “own volition inquiry” to determine whether Meta complied with its privacy obligations with the functionalities Facebook Search, Facebook Contact Importer, Messenger Contact and Instagram Contact. On 29 July 2021, the Irish DPC was notified of the existence of complaints regarding the events under investigation with the Belgian DPA.   
On 14 April 2021, the Irish DPC opened its “own volition inquiry” to determine whether Meta complied with its privacy obligations with the functionalities Facebook Search, Facebook Contact Importer, Messenger Contact and Instagram Contact. On 29 July 2021, the Irish DPC was notified of the existence of complaints regarding the events under investigation with the Belgian DPA.   


In September 2022, under [[Article 60 GDPR|Article 60(3) GDPR]], the DPC submitted a draft decision to various DPA’s, including the Belgian one who communicated comments. In particular, in contrast to what the DPC had held, the Belgian DPA considered that data scraping should have been considered a data breach and that Meta had a duty to inform its users of the data leakage.  
In September 2022, under [[Article 60 GDPR|Article 60(3) GDPR]], the DPC submitted a draft decision to various DPA’s, including the Belgian one who communicated their objections. In particular, in contrast to what the DPC had held, the Belgian DPA considered that data scraping should have been considered a data breach and that Meta had a duty to inform its users of the data leakage.  


On 25 November 2022, the DPC adopted its final decision. Its investigation revealed that in the Facebook search tool, the default settings allowed all users to find each other's profiles via their phone numbers or email addresses (with a possibility to deactivate it manually). It therefore concluded that there was a strong risk that the phone numbers and email addresses would be scraped and linked to the identity of their owners. It also held that after the leakage, Meta did not implement adequate technical and organizational measures and failed to demonstrate that it had conducted a risk analysis.  
On 25 November 2022, the DPC adopted its [https://www.dataprotection.ie/sites/default/files/uploads/2022-12/Final%20Decision_IN-21-4-2_Redacted.pdf final decision]. Its investigation revealed that in the Facebook search tool, the default settings allowed all users to find each other's profiles via their phone numbers or email addresses (with a possibility to deactivate it manually). It therefore concluded that there was a strong risk that the phone numbers and email addresses would be scraped and linked to the identity of their owners. It also held that after the leakage, Meta did not implement adequate technical and organizational measures and failed to demonstrate that it had conducted a risk analysis.  


Therefore, the DPC found a violation of  [[Article 25 GDPR|Article 25(1)]], [[Article 25 GDPR|25(2),]] [[Article 5 GDPR|5(1)(b)]] and [[Article 5 GDPR|5(1)(f)]] GDPR, ordered Meta to comply with the provisions and imposed a Є150,000,000 and a Є115,0000 fine respectively for the violations of [[Article 25 GDPR|Articles 25(1)]] and [[Article 25 GDPR|25(2)]].
Therefore, the DPC found a violation of  [[Article 25 GDPR|Article 25(1)]], [[Article 25 GDPR|25(2),]] [[Article 5 GDPR|5(1)(b)]] and [[Article 5 GDPR|5(1)(f)]] GDPR, ordered Meta to comply with the provisions and imposed a Є150,000,000 and a Є115,0000 fine respectively for the violations of [[Article 25 GDPR|Articles 25(1)]] and [[Article 25 GDPR|25(2)]].


=== Holding ===
=== Holding ===
The complaints in Belgium were related to a possible violation of [[Article 32 GDPR|Articles 32]] to [[Article 34 GDPR|34]] GDPR and the DPC decision focused on [[Article 25 GDPR|Article 25]]. The Belgian DPA considered that this focus on [[Article 25 GDPR|Article 25]] did not cause any prejudice to the complainants. In the context of the cooperation procedure of [[Article 60 GDPR]], the DPA considered to be bound by the DPC’s decision, exclusively competent. Therefore, it rejected the complaints in Belgium.  
The complaints in Belgium were related to a possible violation of [[Article 32 GDPR|Articles 32]] to [[Article 34 GDPR|34]] GDPR and the DPC decision focused on [[Article 25 GDPR|Article 25]]. The key question, according to the DPC, was not whether there was an unauthorized disclosure of personal data or some other form of data breach, but to what extent appropriate measures had been taken to ensure that the data protection principles were observed when implementing the choices of Meta users. For this reason, the DPC's investigation focused on [[Article 25 GDPR|Article 25]]. The Belgian DPA considered that the focus on [[Article 25 GDPR|Article 25]] did not cause any prejudice to the complainants.
 
In the context of the cooperation procedure of [[Article 60 GDPR]], the DPA considered to be bound by the DPC’s decision, which was exclusively competent. Therefore, it rejected the complaints in Belgium.  


== Comment ==
== Comment ==

Latest revision as of 14:11, 21 March 2023

APD/GBA - 29/2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 25(1) GDPR
Article 25(2) GDPR
Article 32 GDPR
Article 33 GDPR
Article 34 GDPR
Article 60 GDPR
Type: Complaint
Outcome: Rejected
Started: 07.04.2021
Decided: 17.03.2023
Published:
Fine: n/a
Parties: Meta
National Case Number/Name: 29/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: APD/GBA (in NL)
Initial Contributor: ls

The Belgian DPA rejected several complaints against Meta following a data leakage, considering that it was bound by a previous Irish DPC's decision on that matter, even though the DPC decision focused on other GDPR provisions than the complaints.

English Summary

Facts

The controller in this case was Meta Platforms Technologies Ireland Limited (hereafter Meta).

Following a suspected data leakage concerning around 3,000,000 Belgian Facebook users, on 7 April 2021, the Belgian DPA called on Belgian citizens to check on the website https://benikerbij.be whether their data were part of the data leakage and if necessary to lodge a complaint with the DPA. Following this call, 1,113 complaints were lodged.

On 14 April 2021, the Irish DPC opened its “own volition inquiry” to determine whether Meta complied with its privacy obligations with the functionalities Facebook Search, Facebook Contact Importer, Messenger Contact and Instagram Contact. On 29 July 2021, the Irish DPC was notified of the existence of complaints regarding the events under investigation with the Belgian DPA.

In September 2022, under Article 60(3) GDPR, the DPC submitted a draft decision to various DPA’s, including the Belgian one who communicated their objections. In particular, in contrast to what the DPC had held, the Belgian DPA considered that data scraping should have been considered a data breach and that Meta had a duty to inform its users of the data leakage.

On 25 November 2022, the DPC adopted its final decision. Its investigation revealed that in the Facebook search tool, the default settings allowed all users to find each other's profiles via their phone numbers or email addresses (with a possibility to deactivate it manually). It therefore concluded that there was a strong risk that the phone numbers and email addresses would be scraped and linked to the identity of their owners. It also held that after the leakage, Meta did not implement adequate technical and organizational measures and failed to demonstrate that it had conducted a risk analysis.

Therefore, the DPC found a violation of Article 25(1), 25(2), 5(1)(b) and 5(1)(f) GDPR, ordered Meta to comply with the provisions and imposed a Є150,000,000 and a Є115,0000 fine respectively for the violations of Articles 25(1) and 25(2).

Holding

The complaints in Belgium were related to a possible violation of Articles 32 to 34 GDPR and the DPC decision focused on Article 25. The key question, according to the DPC, was not whether there was an unauthorized disclosure of personal data or some other form of data breach, but to what extent appropriate measures had been taken to ensure that the data protection principles were observed when implementing the choices of Meta users. For this reason, the DPC's investigation focused on Article 25. The Belgian DPA considered that the focus on Article 25 did not cause any prejudice to the complainants.

In the context of the cooperation procedure of Article 60 GDPR, the DPA considered to be bound by the DPC’s decision, which was exclusively competent. Therefore, it rejected the complaints in Belgium.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.