Garante per la protezione dei dati personali (Italy) - 9853406

From GDPRhub
Garante per la protezione dei dati personali - 9853406
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 9 GDPR
Article 56 GDPR
Article 57 GDPR
Article 58 GDPR
Article 61 GDPR
Article 66 GDPR
Type: Investigation
Outcome: Other Outcome
Started: 20.09.2022
Decided: 21.12.2022
Published: 17.02.2023
Fine: n/a
Parties: Meta Ireland Limited
National Case Number/Name: 9853406
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Italian DPA (in IT)
Initial Contributor: LR

Following a lack of substantive feedback or assessment from the DPC during the mutual assistance procedure (Article 61 GDPR), The Italian DPA initiated the urgency mechanism in Article 66 GDPR to prohibit Meta’s processing of personal data in the context of the Italian elections.

English Summary

Facts

From 20 September 2022 onwards, five days before the Italian general elections, Meta Platforms Ireland Limited (Meta), the controller, launched a campaign specifically aimed at Italian adults, for the stated purposes of encouraging voting, providing information on the election, and combatting election interference. Specifically, Meta prepared electoral reminders on its Facebook and Instagram services, which redirected users to the website of the Ministry of the Interior where they could find “reliable information about the elections”. These features were available through the Election Day Information (EDI) function on the Facebook service, and by clicking on election day “stickers” (which can be added to shared photos and videos) through the Instagram service.

The Italian DPA considered it necessary to acquire further information regarding these activities and, by a letter dated 21 September 2022, sent a list of questions to Meta. In particular, this letter sought to ascertain: the nature and modalities of data processing in relation to the reminders and ‘stickers’, as well as the storage period of the data collected; the agreement allegedly in place with the Ministry of the Interior to redirect users to its website; any relevant corporate and community policies; any agreement with independent fact-checking organisations and the data exchanged with them; the manner in which the processing involved (in particular that which reveals political opinions) had been brought to the data subjects’ attention and the legal basis for such processing; and, finally, the measures put in place to ensure that these features would only be brought to the attention of those over 18 years old.

Meta responded to the DPA on 22 September 2022, via a letter which did not contain much of the information requested and did not alleviate many of the concerns raised. As a result, on 23 September 2022, the DPA called upon Meta to temporarily suspend the aforementioned processing activity. Late in the evening on 23 September 2022, Meta sent a letter in which it stated its intention not to pause the initiatives in question. Meta provided some additional information, in a non-exhaustive manner, which was still not enough for the DPA to alleviate its concerns. In fact, the information provided by Meta, in some respects, compounded these concerns further; in particular, by stating that the data would be aggregated within 90 days and could be shared with “third parties such as research partners, academia, governmental partners or electoral committees”.

Furthermore, in its responses to the Italian DPA, Meta stated that the development of the EDI function takes into account the recommendations made by the Irish DPA (DPC), which is the lead data protection authority of Meta, as this is the jurisdiction in which Meta has its main establishment in the EU (Article 56(1) GDPR). In particular, Meta asserted that the product was developed “following a broad consultation on the product characteristics and the relevant transparency safeguards”. Responding to this argument, the Italian DPA notes that the issues they have raised are linked to substantive issues (legal basis of processing, purpose limitation, nature of the data processed, data sharing, storage period and data retention). As such, despite the fundamental importance of transparency obligations, these concerns are not addressed exclusively by a focus on transparency.

By means of the voluntary mutual assistance procedure pursuant to Article 61 GDPR, The Italian DPA asked the DPC to: share information on the EDI functionality as a matter of urgency and to clarify whether, as stated by the controller, that functionality had received any form of approval by the DPC; and to consider, as a matter of utmost urgency, the adoption of corrective measures, including a temporary limitation on the processing prior to the holding of the elections in Italy. The Italian DPA rasied serious concerns regarding the assesment of the substantive issues by the DPC, and the feedback they received during this process. Therefore, they considered it necessary to adopt further measures in order to resolve this issue.

Holding

Issuing its decision, the Italian DPA sought to emphasise, from the outset, the fundamental importance of the “civic right/duty” of voting and engaging in democratic process, at such a delicate time for a country’s public institutions and political life; the election of a new Parliament. Such a fundamental and impactful right should be considered carefully and presented in a manner that is very different from that used in the case at hand – especially regarding activities carried out by a multinational business entity.

Following this, the Italian DPA conducted an analysis of the substantive issues raised, in order to verify at least whether there is a prima facie case of unlawfulness in the processing under way and whether or not there is a real danger to the rights and freedoms of Italian citizens – also with a view to putting in place safeguards provided for by the legal system.

Firstly, with regard to the lawfulness of processing, there was no clear indication of the legal basis for the processing of data through the EDI function. Based on the information provided to the DPA, which they note contained very little information and was not provided in a timely manner, the processing operations do not appear to be grounded in consent (Article 6(1)(a) GDPR). The purpose appears to relate to the pursuit of a public interest or, at the very last, of an interest for the public good (Article 6(1)(f) GDPR). However, Meta is a private company which is not established in the Italian Republic, it clearly pursues commercial objectives and its main business consists in providing a social media platform the operation of which is financed by the sale of advertising space, preferably linked to profiling of users. Therefore, the supposed objective of protecting a primary public interest such as the holding of democratic elections and the free exercise of the right to vote appears to fall outside of the scope defined by Meta’s business objectives. Additionally, it cannot be understood how purposes related to the public interest from a very high-level perspective may fall within the terms of a contractual relationship that has been or is about to be established between Meta and its users (Article 6(1)(b) GDPR). Additionally, there appears to be a major inconsistency between Meta’s alleged philanthropic and social purpose and the collection of data from Italian citizens in a specific electoral context; data which thereafter becomes part of Meta’s business activities according to unspecified mechanisms and terms. Finally, there appears to be no agreement or formal mandate by which the Ministry of the Interior entrusted Meta with the task of informing citizens of the voting operations. In light of the above, these elements allow the identification of a prima facie case of unlawfulness of the processing of personal data of Italian citizens.

With regard to the processing activities by fact-checkers, the information provided to the Italian DPA by these entities during its investigation further compounded the concerns raised by the DPA; in particular, that the processing activities are not underpinned by consent and fall outside of specific control by data subjects. The DPA expressed that Meta’s use of fact-checkers should be further investigated.

Additionally, regarding the processing of special category data, the DPA found, despite Meta’s assertions that it does not process such data through these features, enough evidence to conclude that there was a prima facie case of unlawfulness with regard to a possible infringement of Article 9 GDPR. In doing so, the DPA points to the lack of means to determine the EDI function is only communicated to citizens over 18, the lack of anonymity of the data processed, and the likelihood of the data revealing a subject’s political orientation, which is specifically identified as special category data under Article 9 GDPR.

Furthermore, the DPA stated “one cannot but find that” Meta’s processing in this regard is both excessive and unnecessary, establishing an infringement of Article 5(1)(c) GDPR principle of data minimisation. With regard to the storage limitation principle, Meta’s admission that data is aggregated within 90 days shows evidence of further processing to pursue an undefined purpose, a violation of Articles 5(1)(e) and 13(2)(a) GDPR.

In light of all of the above, the Italian DPA held that, while the DPC is the lead supervisory authority under Article 56(1) GDPR, it is necessary to undertake urgent corrective measures regarding Meta’s processing activities in relation to Italian elections, in order to protect the rights and freedoms of Italian citizens. The Italian DPA had submitted, to the DPC, an explicit request to consider taking urgent corrective measures, but received no substantive feedback. Furthermore, given the nature of the data involved, the gravity of the infringements, the envisaged retention of data, and the number of users potentially effected, the Italian DPA considered that a reasoned derogation from the cooperation mechanism under Article 60 GDPR should apply, and implemented the urgency procedure provided for in Article 66(1) GPDR.

The DPA made an order finding that the processing is likely to infringe the legislation in force (pursuant to Articles 57(1)(a) and 66(1) GDPR); issued a warning to Meta, valid for 3 months, to the effect that any processing of personal data under the terms described would be in breach of the provisions described above (Article 58(2)(a) and 66(1) GDPR); and stating they reserve the right to initiate the relevant procedures with a view to adopting final measures (Article 66(2) GDPR).

Comment

This is not the first time that Meta has launched user interaction features at the time of and in connection with the holding of important electoral events concerning Italian citizens. On 4 March 2018, a ‘candidati’ (‘Candidates’) product was launched on the Facebook service. On this occasion, the Italian DPA thought it necessary to step in and issue a prohibition on processing and an administrative fine of €1,000,000. Subsequently, on 26 May 2019, the Italian DPA formally drew the attention of the Irish DPA to an election day reminder put out on the Facebook services during the European Parliament Elections.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

Intro
Following a lack of substantive feedback or assessment from the DPC during the mutual assistance procedure (Article 61 GDPR), The Italian DPA initiated the urgency mechanism in Article 66 GDPR to prohibit Meta’s processing of personal data in the context of the Italian elections.

Facts
From 20 September 2022, five days before the Italian general elections, onwards, Meta Platforms Ireland Limited (Meta), the controller, launched a campaign specifically aimed at Italian adults, for the purposes of encouraging voting, providing information on the election, and combatting election interference. Specifically, Meta prepared electoral reminders on its Facebook and Instagram services, which redirected users to the website of the Ministry of the Interior where they could find “reliable information about the elections”. These features were available through the Election Day Information (EDI) function on the Facebook service, and by clicking on election day “stickers” (which can be added to shared photos and videos) through the Instagram service.

The Italian DPA considered in necessary to acquire further information regarding these activities and, by a letter dated 21 September 2022, sent a list of questions to Meta. In particular, this letter sought to ascertain: the nature and modalities of data processing in relation to the reminders and ‘stickers’, as well as the storage period of the data collected; the agreement allegedly in place with the Ministry of the Interior to redirect users to its website; any relevant corporate and community policies; any agreement with independent fact-checking organisations and the data exchanged with them; the manner in which the processing involved (in particular that which reveals political opinions) had been brought to the data subjects’ attention and the legal basis for such processing; and, the measures put in place to ensure that these features would only be brought to the attention of those over 18 years old.

Meta responded to the DPA on 22 September 2022, via a letter which did not contain much of the information requested and did not alleviate many of the concerns raised. As a result, on 23 September 2022, the DPA called upon Meta to temporarily suspend the aforementioned processing activity. Late in the evening on 23 September 2022, Meta sent a letter in which it stated its intention not to pause the initiatives in question. Meta provided some additional information, in a non-exhaustive manner, which was still not enough for the DPA to alleviate its concerns. In fact, the information provided by Meta, in some respects, compounded the concerns further; in particular, by stating that the data would be aggregated within 90 days and could be shared with “third parties such as research partners, academia, governmental partners or electoral committees”.


Furthermore, in its responses to the Italian DPA, Meta stated that the development of the EDI function takes into account the recommendations made by the Irish DPA (DPC), which is the lead data protection authority of Meta, as this is the jurisdiction in which Meta has its main establishment in the EU (Article 56(1) GDPR). In particular, Meta asserted that the product was developed “following a broad consultation on the product characteristics and the relevant transparency safeguards”. Responding to this argument, the Italian DPA notes that the issues they have raised are linked to substantive issues (legal basis of processing, purpose limitation, nature of the data processed, data sharing, storage period and data retention). As such, despite the fundamental importance of transparency obligations, these concerns are not addressed exclusively by a focus on transparency.

By means of the voluntary mutual assistance procedure pursuant to Article 61 GDPR, The Italian DPA asked the DPC to: share information on the EDI functionality as a matter of urgency and to clarify whether, as stated by the controller, that functionality had received any form of approval by the DPC; and to consider, as a matter of utmost urgency, the adoption of corrective measures, including a temporary limitation on the processing prior to the holding of the elections in Italy.

Holding
Issuing its decision, the Italian DPA sought to emphasise, from the outset, the fundamental importance of the “civic right/duty” of voting, at such a delicate time for a country’s public institutions and political life; the election of a new Parliament. Such a fundamental and impactful right should be considered carefully and presented in a manner that is very different from that used in the case at hand – especially when it is carried out by a multinational business entity.

Following this, the Italian DPA conducted an analysis of the substantive issues raised, in order to verify at least whether there is a prima facie case of unlawfulness in the processing under way and whether or not there is a real danger to the rights and freedoms of Italian citizens – also with a view to putting in place safeguards provided for by the legal system.

Firstly, with regard to the lawfulness of processing, there was no clear indication of the legal basis for the processing of data through the EDI function. Based on the information provided to the DPA, which they note contained very little information and was not provided in a timely manner, the processing operations do not appear to be grounded in consent (Article 6(1)(a) GDPR). The purpose appears to relate to the pursuit of a public interest or, at the very last, of an interest for the public good (Article 6(1)(f) GDPR). However, Meta is a private company which is not established in the Italian Republic, it clearly pursues commercial objectives and that its main business consists in providing a social media platform the operation of which is financed by the sale of advertising space, preferably linked to profiling of users. Therefore, the supposed objective of protecting a primary public interest such as the holding of democratic elections and the free exercise of the right to vote appears to fall outside of the scope defined by Meta’s business objectives. Additionally, it cannot be understood how purposes related to the public interest from a very high-level perspective may fall within the terms of a contractual relationship that has been or is about to be established between Meta and its users (Article 6(1)(b) GDPR). Additionally, there appears to be a major inconsistency between Meta’s alleged philanthropic and social purpose and the collection of data from Italian citizens in a specific electoral context; data which thereafter becomes part of Meta’s business activities according to unspecified mechanisms and terms. Finally, there appears to be no agreement or formal mandate by which the Ministry of the Interior entrusted Meta with the task of informing citizens of the voting operations. In light of the above, these elements allow the identification of a prima facie case of unlawfulness of the processing of personal data of Italian citizens.

With regard to the processing activities by fact-checkers, the information provided to the Italian DPA by these entities during its investigation further compounded the concerns raised by the DPA, in particular, that the processing activities are not underpinned by consent and fall outside of specific control by data subjects. The DPA expressed that Meta’s use of fact-checkers should be further investigated.

Additionally, regarding the processing of special category data, the DPA found, despite Meta’s assertions that it does not process such data through these features, enough evidence to conclude that there was a prima facie case of unlawfulness with regard to a possible infringement of Article 9 GDPR. In doing so, the DPA points to the lack of means to determine the EDI function is only communicated to citizens over 18, the lack of anonymity of the data processed, and the likelihood of the data revealing a subject’s political orientation, which is specifically identified as special category data under Article 9 GDPR.

Furthermore, the DPA stated “one cannot but find that” Meta’s processing in this regard is both excessive and unnecessary, establishing an infringement of Article 5(1)(c) principle of data minimisation. With regard to the storage limitation principle, Meta’s admission that data is aggregated within 90 days shows evidence of further processing to pursue an undefined purpose, a violation of Articles 5(1)(e) and 13(2)(a) GDPR.

In light of all of the above, the Italian DPA held that, while the DPC is the lead supervisory authority under Article 56(1) GDPR, it is necessary to undertake urgent corrective measures regarding Meta’s processing activities in relation to Italian elections, in order to protect the rights and freedoms of Italian citizens.  The Italian DPA had submitted, to the DPC, an explicit request to consider taking urgent corrective measures, but received no substantive feedback. Furthermore, given the nature of the data involved, the gravity of the infringements, the envisaged retention of data, and the number of users potentially effected, the Italian DPA considered that a reasoned derogation from the cooperation mechanism under Article 60 GDPR should apply, and implemented the urgency procedure provided for in Article 66(1) GPDR.
The DPA made an order finding that the processing is likely to infringe the legislation in force (pursuant to Articles 57(1)(a) and 66(1) GDPR); issued a warning to Meta, valid for 3 months, to the effect that any processing of personal data under the terms described would be in breach of the provisions described above (Article 58(2)(a) and 66(1) GDPR); and stating they reserve the right to implement the relevant procedures with a view to adopting final measures (Article 66(2) GDPR).


Comment
This is not the first time that Meta has launched user interaction features at the time of and in connection with the holding of important electoral events concerning Italian citizens. On 4 March 2018, a ‘candidati’ (‘Candidates’) product was launched on the Facebook service. On this occasion, the Italian DPA thought it necessary to step in and issue a prohibition on processing and an administrative fine of €1,000,000. Subsequently, on 26 May 2019, the Italian DPA formally drew the attention of the Irish DPA to an election day reminder put out on the Facebook services during the European Parliament Elections.