UODO (Poland) - DS.523.4480.2024

From GDPRhub
UODO - DS.523.4480.2024
LogoPL.png
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1) GDPR
Article 6(1) GDPR
Article 66(1) GDPR
Article 70 para 1 of of Data protection act (Ustawa o ochronie danych osobowych)
Type: Complaint
Outcome: Other Outcome
Started:
Decided: 05.08.2024
Published:
Fine: n/a
Parties: Meta Platforms Ireland
National Case Number/Name: DS.523.4480.2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (Poland) (in PL)
Initial Contributor: wp

A DPA issued a decision under Article 66 GDPR, prohibiting Meta from sharing advertisements containing the data subject’s data, including fake-ads, on Facebook and Instagram within Poland for three months.

English Summary

Facts

Data subject’s data was used to create a deep-fake ads, published on Facebook and Instagram. According to the data subject, there were ads, where his name, surname and image was published, combined with a fake information about him, for example deep-fake video with data subject image soliciting an investment platform. The fake-ads aimed at creating a false impression that the investment platform was supported by the data subject and, hence, secure and worth investing in. The ads were accessible to many users of Facebook and Instagram. The data subject contacted the data controller Meta Ireland, acting as a data controller of data processed on Facebook and Instagram, and requested restriction of data processing and prohibition of publication of her data via fake ads. The controller didn’t answer the request. In parallel, the data subject filed a complaint with the Polish DPA (UODO).

Holding

The DPA explained that the Irish DPA (DPC) was competent to examine the complaint and start the proceedings. Nevertheless, the DPA found the contested processing activities fell within the scope of urgency procedure under Article 66(1) GDPR.

According to the DPA, Meta Ireland together with the ads creator acted as a joint controllers within Article 26 GDPR.

The DPA emphasised the Meta Ireland, acting as a data controller of data processed on Facebook and Instagram, processed the data related fake-news ads. One of the aggravating factors was the fact that Meta didn’t follow their privacy polices in practice (regarding ads creators due diligence). The position of data controller obliged Meta process the data subject’s data, including the data contained in ads, in compliance with data principles stemming from Article 5(1) GDPR, in particular, the principles of lawfulness, fairness and transparency (Article 5(1)(a) GDPR), as well as the principle of accuracy (Article 5(1)(d) GDPR), under a proper legal basis of Article 6(1) GDPR. Additionally, the affected data subject was a famous person and the published ads contained serious fake information about him and his professional activity. Because of that, not only data subject’s privacy and reputation were threatened, but also credibility of data subject’s business activity was influenced.

As a result, the DPA considered it was probable that Meta violated Article 5(1) GDPR and Article 6(1) GDPR. Therefore, the DPA issued a decision under Article 66(1) GDPR and Article 70(1) of Data protection act (Ustawa o ochronie danych osobowych) to secure rights and freedoms of data subject by restricting the processing activities. The DPA prohibited the controller to share the data subject’s data via advertisements presented on Facebook and Instagram within Poland for three months.

Comment

The Polish DPA issued another decision under Article 66(1) GDPR and Article 70(1) of Data protection act against Meta. The cases are correlated regarding the subject matter and the relationship between data subjects (a husband and a wife)- see: UODO (Poland) - DS.523.4486.2024.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

PRESIDENT OF THE OFFICE FOR PERSONAL DATA PROTECTION
Mirosław Wróblewski

Warsaw, 5 August 2024

DS.523.4480.2024

DECISION

Pursuant to Article 123 of the Code of Administrative Procedure of 14 June 1960 (Journal of Laws of 2024, item 572) in conjunction with Article 70(1) and (2) of the Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2019, item 1781) in conjunction with Article 66(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 4 May 2016, p. 1, Official Journal of the EU L 127 of 23 May 2018, p. 2 and Official Journal of the EU L 74 of 4 March 2021, p. 35), in the proceedings of the complaint by Mr. J.C. residing in W., regarding irregularities in the process of processing his personal data by M., which involves sharing his personal data, including false information about him, in advertisements displayed on social media platforms F., accessible at [ ... ] and I., accessible at [ ... ], without a legal basis, the President of the Office for Personal Data Protection hereby orders M. to limit the processing of personal data of Mr. J.C. residing in W., by prohibiting their sharing with other entities in advertisements displayed on social media platforms F., accessible at [ ... ] and I., accessible at [ ... ], within the territory of the Republic of Poland for a period of three months from the date of delivery of this decision to M.

RATIONALE

The Office for Personal Data Protection received a complaint from Mr. J.C., hereinafter referred to as the Complainant, regarding irregularities in the process of processing his personal data by M., hereinafter referred to as the Company, involving sharing his personal data, including false information about him, in advertisements displayed on social media platforms F., accessible at [ ... ] and I., accessible at [ ... ], without a legal basis.

In the content of the aforementioned complaint, the Complainant specifically raised that the Company violated his personal data by publishing - without his consent and without any other legal basis for processing personal data - his image and name in advertisements prepared in the form of deepfake, involving the unlawful sharing of a modified recording of the Complainant's image without carrying out the required evaluation of the credibility of the source of the materials and without applying the appropriate procedure for verifying the authenticity of the obtained personal data (recordings), which exposed the Complainant to a loss of trust in his business activities and good name.

In these advertisements, true and current personal data of the Complainant and data concerning his business activities are combined with false information that the Complainant is the founder, supports, and controls the advertised investment platforms.

Additionally, the Complainant indicated that he had taken action against the Company by sending a notice on [ ... ] July 2024 to remove the advertisements and sponsored materials and to cease displaying advertisements that utilize the Complainant's image.

As evidence of the occurred violation of personal data protection regulations, the Complainant submitted a printout of an advertisement displayed on the profile "I.", accessible at: https://[ ... ], a printout of an advertisement displayed on the profile "T.", accessible at: https://[ ... ], a printout of an advertisement displayed on the profile "R." accessible at: https://[ ... ], a printout of an advertisement displayed on the profile "N.", accessible at https://[ ... ], and printouts of advertisements displayed on the profiles "B."; accessible at: https://[ ... ]; https://[ ... ]; https://[ ... ], printouts of advertisements displayed on the profile "S.", accessible at: https://[ ... ], https://[ ... ], and printouts of advertisements displayed on the profile "L.", accessible at: https://[ ... ]; https://[ ... ]; https://[ ... ], printouts of advertisements displayed on the profile "K.", accessible at: https://[ ... ]; https://[ ... ]; https://[ ... ]: https://[ ... ]; https://[ ... ], and a printout of advertisements displayed on the profile "P." accessible at: https://[ ... ]; https://[ ... ].

Pointing out the above, the Complainant requested, among other things, that the Company be ordered to completely limit the processing, including a ban on processing the Complainant's personal data in the form of deepfake material advertisements with his image and name, and imposing an administrative financial penalty on the Company under Article 83 of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 4 May 2016, p. 1, Official Journal of the EU L 127 of 23 May 2018, p. 2 and Official Journal of the EU L 74 of 4 March 2021, p. 35), hereinafter referred to as GDPR, appropriate to the circumstances and scale of the violation of personal data protection regulations.

As determined by the President of the Office for Personal Data Protection, despite the notice sent by the Complainant to the Company on [ ... ] July 2024, the Complainant's personal data are still being shared by the Company in the manner questioned in the complaint. These data are still featured in advertisements accessible at: https://[ ... ], https://[ ... ], https://[ ... ], https://[ ... ], https://[ ... ], https://[ ... ].

The questioned processing of the Complainant's personal data by the Company constitutes "cross-border processing" within the meaning of Article 4 point 23(a) GDPR, according to which cross-border processing means processing personal data that takes place in the Union within the activities of organizational units in more than one Member State of the controller or processor in the Union having organizational units in more than one Member State.

Given that the Company's headquarters are located in Ireland, the competent body to take actions in the case as the leading supervisory authority, with respect to this cross-border processing, is the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland.

However, in accordance with Article 66(1) GDPR, in exceptional circumstances, if the supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of the data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64, and 65, or from the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects in the territory of its Member State for a specified period not exceeding three months. The supervisory authority shall immediately inform the other supervisory authorities concerned, the European Data Protection Board, and the Commission about those measures and the reasons for adopting them.

Further, in accordance with the wording of Article 70(1) of the Act of 10 May 2018 on Personal Data Protection (Journal of Laws of 2019, item 1781), if in the course of proceedings it is substantiated that the processing of personal data violates the provisions on personal data protection, and further processing may cause serious and difficult to remedy effects, the President of the Office, in order to prevent these effects, may, by way of a decision, require the entity accused of violating the provisions on personal data protection to limit the processing of personal data, indicating the permissible scope of such processing. In accordance with Article 70(2) of the Act on Personal Data Protection, in the decision referred to in paragraph 1, the President of the Office shall determine the term for the restriction of the processing of personal data not longer than until the day of issuing the decision concluding the proceedings in the case.

As follows from the above provisions, the basis for the supervisory authority concerned to adopt provisional measures in the territory of its Member State under Article 66(1) GDPR is the urgent need to take action to protect the rights and freedoms of the data subjects. Provisional measures on the basis of national law are provided for in the aforementioned Article 70(1) of the Act on Personal Data Protection in the form of issuing a decision requiring the entity accused of violating the provisions on personal data protection to limit the processing of personal data, while the premise for their application is the substantiation of the violation of the provisions on personal data and the threat of causing serious and difficult to remove effects.

In the opinion of the President of the Office for Personal Data Protection in the present case, the above premises for issuing the aforementioned decision have been met.

The urgent nature of the provisional measures should be assessed in relation to the need to protect the rights and freedoms of the data subjects. The negative effects on the persons concerned and their fundamental rights and freedoms are very significant in this case.

In the questioned advertisements displayed by the Company on the social media platform F., the personal data of the Complainant in terms of his name, surname, and image, as well as false information about him, are shared, which suggest that he offers to the advertisement recipients investments guaranteeing the multiplication of their wealth and a sure quick high return and financial independence, which can be achieved by watching the advertisements to the end and acting in accordance with the guidelines

 provided therein.

There is no doubt that the aforementioned information about the Complainant constitutes his personal data within the meaning of Article 4 point 1 GDPR, according to which personal data means any information concerning an identified or identifiable natural person ("data subject"), while an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name and surname.

In the questioned advertisements displayed by the Company in advertisements on the social media platform F., the Complainant is indeed identified by name and surname. Moreover, the advertisements indicate the Complainant's achievements and business activities, which further enable his identification.

Furthermore, the Complainant is a well-known person, a Polish entrepreneur, manager, investor, philanthropist, founder, and president of I., within which he organized a network of self-service parcel lockers in Poland. In addition, in 2022, the Complainant founded R., aimed at financially and mentorship supporting talented young individuals. He has received numerous awards and honors, such as, among others, in 2009, the Manager of the Year award for merits in breaking the monopoly of P., or in 2022, B. in the category "N." (award received together with his wife Mrs. B.K. for engagement in philanthropic activities), as well as decorations in 2022 - K. (see https://[ ... ]).

The content cited in the advertisements is false, affects the opinion of other people about the Complainant, undermines trust in him as a person, entrepreneur, and the aforementioned effects thus cause with respect to this natural person.

It should be noted that the Complainant, especially due to the aforementioned business and charitable activities, is a public figure, widely known and recognizable. The cited advertisements therefore generate a negative opinion about the Complainant, or undermine the trust in him necessary for his business and charitable activities. It can be assumed that the cited content in the advertisements would not have appeared if the Complainant were not a public figure, publicly known, as information about such a person enjoys widespread interest and because of such characteristics of this person, this natural person has become the target of an attack.

In the advertisements, true and current personal data of the Complainant and data concerning his business activities are combined with false information that the Complainant is the founder, supports, and controls the advertised investment platforms. By using false personal data, obtained unlawfully, false information is disseminated that these platforms are new business models of the Complainant, created by his employees, family, or in cooperation with other well-known entrepreneurs, and that they are fully safe tools. Significantly, the advertisements contain information that the Complainant is so well-known, professional, and enjoys great public trust that it cannot be a fraud, because he guarantees the legality of the new investment platform. In this way, the advertisements strongly affect the psyche of users of the indicated social media platforms, also creating the false impression that the recording is directed directly to them, assuring that if the recording is displayed to the user, he has been selected for the project and his device has the technical capabilities to participate in the investments. By using the image and personal data of the Complainant, the advertisers try to induce users of the portals to make impulsive decisions, emphasizing that after closing the post, it will no longer be possible to accept the invitation to invest, which is an obvious falsehood.

The dissemination of the Complainant's personal data is therefore aimed at using his trust and social position to reach the most vulnerable groups to such online frauds, such as in particular young people inexperienced in life, older people, helpless individuals, or those, for instance, lacking sufficient economic knowledge.

The above content presented by the Company, due to its falsehood and potential danger of leading an unlimited number of people to disadvantageous financial investments and management of assets with financial losses, also fully justifies the urgent need to take immediate actions by the President of the Office for Personal Data Protection in the interest of protecting the fundamental rights and freedoms of the data subjects.

Moreover, despite these contents affecting "S." and "S." defined by the Company, they have not been removed by it, while according to the preferred standards it should have done so. As the Company declares in the aforementioned standards, quote: "( ... ) According to our principles, advertisements cannot promote products, services, programs, or offers using deceptive or misleading practices, including practices intended to extort money or personal data from individuals( ... )", as well as quote: "( ... ) Advertisements cannot coordinate, organize, promote or allow specific criminal or harmful activities that are aimed at people, businesses, property or animals( ... )", or quote: "( ... )Advertisers promoting financial products and services must demonstrate that they have authorization from the relevant regulatory authorities if required. Any such authorization may be subject to verification by M. Advertisers must also meet the legal requirements for disclosing information( ... )", and also quote: "( ... )We enforce our rules using automated and, in some cases, manual verification. In addition to verifying individual advertisements, we also monitor and investigate the behavior of the advertiser and may impose restrictions on his accounts if they violate our Advertising Posting Standards, Community Standards or other company rules and regulations( ... )", (see https://[ ... ]).

Furthermore, the Company committed itself, quote: "( ... ) We want to ensure that the content displayed on F. We believe that authenticity creates better conditions for sharing content( ... )", and also quote: "( ... ) We have committed to ensuring safety on F. ( ... )"(see [ ... ]).

Despite the aforementioned declarations of the Company, false information concerning the Complainant is still displayed on F., hence undoubtedly the urgent reaction of the supervisory authority for personal data protection in this case is fully justified and necessary.

Furthermore, in this case, it has been fully substantiated that through the questioned processing of the Complainant's personal data by the Company, involving the placement of his data, including false information concerning his person in the advertisements presented by the Company on the aforementioned platforms, there is a violation of the data protection regulations by the Company.

The Company is indeed a joint controller of the Complainant's personal data processed in the aforementioned manner, within the meaning of Article 26 GDPR, according to which if at least two controllers jointly determine the purposes and means of processing, they are joint controllers, who in a transparent manner by mutual arrangements define the appropriate scopes of their responsibility concerning the fulfillment of the obligations arising from this regulation.

As follows from the regulations presented by the Company on the social media platform F., the Company and the user are joint controllers of data according to Article 26 GDPR in the scope of joint data processing defined in the Terms and Conditions of a given product. The scope of Joint data processing includes the collection of personal data specified by the Terms and Conditions of a given product and their transfer to the Company (see https://[ ... ]).

Moreover, as follows from the aforementioned regulations, quote: "( ... ) The advertiser creates advertisements for display on F. and I. as well as on other websites and mobile applications, and then sends them via our advertising management tools. Then F. displays the advertisement. When selecting appropriate advertisements to display, we take into account the advertiser's goal, the expected target group, and the advertisement. We do not provide advertisers with information about your identity and do not sell them your data( ... )" (see https://[ ... ]). Furthermore, according to the Company's claims contained in the aforementioned service, quote: "( ... )Protecting individuals' privacy is a key element in designing our advertising system. When displaying advertisements in M. Products, we display relevant and useful advertisements to the user without sharing information about the user with advertisers. We do not sell user's personal data or provide advertisers with information that enables direct identification of the user (such as name, email address or other contact data) without the user's explicit consent. We allow advertisers to provide us with such information as their business goal and the type of audience they want to display ads to (for example, individuals aged 18-35 who live near the advertiser's store in P.). We then display their advertisement to those who we believe may find it significant (see https://[ ... ]).

In case of doubts as to the joint administration by the Company along with the advertiser of any personal data contained in the content presented by the Company in the advertisements, it is reasonable to refer here to the judgment of the Court of Justice of 5 June 2018 in case C-210/16, i.e., the proceedings of Unabhangiges Landeszentrum fur Datenschutz Schleswig-Holstein against Wirtschaftsakademie Schleswig-Holstein GmbH, with the participation of: Facebook Ireland Ltd, Representative of the Federal Interest at the Federal Administrative Court, in which the Court ruled that the entity operating a fanpage on Facebook jointly administers personal data together with the Company, stating in particular, quote: "( ... ) the administrator of a fanpage operated on Facebook,( ... ), participates by taking actions consisting of determining parameters dependent in particular on his target users, as well as from the objectives in terms of managing or promoting his business, in determining the purposes and means of processing personal data of persons visiting his fanpage. Therefore, in this case, it should be recognized that this fanpage administrator bears at the Union level joint responsibility with Facebook Ireland for processing data within the meaning of Article 2(d) Directive 95/46( ... )".

Therefore, on the Company, as a joint controller of the Complainant's personal data, rests the obligation to process his personal data in compliance with the legal bases mentioned in Article 6(1) GDPR, and also in compliance with the principles of data processing arising from Article 5(1) GDPR, such as in particular the principles of legality, fairness and transparency (Article 5(1)(a) GDPR), and also the principle of accuracy

 (Article 5(1)(d) GDPR). Furthermore, the Company, in accordance with Article 5(2) GDPR, must be able to demonstrate compliance with the GDPR regulations in the process of processing the Complainant's personal data.

The public disclosure by the Company of the Complainant's personal data, including false information about him, in the advertising content presented by the Company, in a manner enabling access to them by an unlimited circle of other persons/entities, may therefore result in the Company violating Articles 5(1) GDPR and 6(1) GDPR, as demonstrated above by indicating the manner of sharing the Complainant's data by the Company, as well as the nature of this sharing, additionally being in contradiction with the Company's regulations regarding the use of its services contained on the social media platform F.

The public disclosure by the Company of the aforementioned personal data of the Complainant, including the described false information about him, in the aforementioned advertising content violates Article 1 of the Charter of Fundamental Rights of the European Union, which provides that human dignity is inviolable. It must be respected and protected.

Thus, in the case, it has been substantiated that the processing of the Complainant's personal data by the Company may violate the data protection regulations, as a result of which the first of the premises for applying the provisional measure under Article 70(1) of the Act on Personal Data Protection has been met.

In the case, there is also the second premise for issuing the aforementioned decision in the form of substantiating the threat of causing serious and difficult to remove effects.

Given that the Company is disseminating false information about forms of investing allegedly being new business models of the Complainant, the content publicized by the Company in the aforementioned advertisements on the social media platforms F. and I., may cause severe financial consequences for other persons, users of the aforementioned platforms, by disadvantageous disposition of their monetary funds.

It should be noted that the way of promoting alleged investment tools, especially when taking into account the dissemination of the Complainant's personal data and his alleged assurances of achieving high profit from investments (e.g., a promise of [ ... ] euros per day, [ ... ] thousand zlotys weekly), raises the suspicion that through this platform, financial frauds may occur to the detriment of persons to whom the discussed content was directed via the aforementioned platforms.

Consequently, in the case, an irremovable effect may occur in the form of further processing of false information concerning the Complainant by other entities and further spreading of misinformation about the Complainant in Polish society resulting in loss of trust in him as an entrepreneur and philanthropist, as well as in the form of severe financial consequences for other persons, users of the aforementioned platforms, susceptible to the displayed content, which may include both young inexperienced individuals, older people, helpless individuals, or those, for instance, lacking sufficient economic knowledge.

Therefore, prohibiting the Company in the present procedure from sharing the aforementioned personal data of the Complainant, contained in advertisements displayed on the social media platforms F. and I. within the territory of the Republic of Poland for a period of three months from the day of delivery of this decision to the Company, is fully justified and necessary.

A later decision of the leading authority in the case will not remove the negative consequences of unauthorized processing of personal data by other entities, especially with respect to the consequences for the rights of persons, as indicated above.

This fully justifies the application of the protection mechanism under Article 70(1) of the Act on Personal Data Protection in conjunction with Article 66(1) GDPR.

In this factual and legal state, the President of the Office for Personal Data Protection resolved, as in the ruling.

President of the Office for Personal Data Protection
Mirosław Wróblewski

This decision is final. Pursuant to Article 70(3) of the Act of 10 May 2018 on Personal Data Protection (Journal of Laws of 2019, item 1781), the party has the right to file a complaint with the Provincial Administrative Court in Warsaw within 30 days from the day of delivery of this decision, through the President of the Office for Personal Data Protection (address: Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw). The fee for the complaint is 200 zlotys. The party has the right to seek legal aid, including exemption from court fees.