UODO (Poland) - DS.523.4486.2024

From GDPRhub
UODO - DS.523.4486.2024
LogoPL.png
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1) GDPR
Article 6(1) GDPR
Article 66(1) GDPR
Article 70 para 1 of of Data protection act (Ustawa o ochronie danych osobowych)
Type: Complaint
Outcome: Other Outcome
Started:
Decided: 05.08.2024
Published:
Fine: n/a
Parties: Meta Platforms Ireland
National Case Number/Name: DS.523.4486.2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (in PL)
Initial Contributor: wp

A DPA issued a decision under Article 66 GDPR, prohibiting Meta from sharing advertisements containing data subject’s data, including the fake-ads, on Facebook and Instagram within Poland for three months.

English Summary

Facts

Data subject’s data was used to create a deep-fake ads, published on Facebook and Instagram. According to the data subject, there were approximately 260 different ads, where her name, surname and image was published, combined with a fake information about her, for example information about her death or crime committed. The ads were accessible to many users of Facebook and Instagram, including the family of data subject.

The data subject contacted the data controller Meta Ireland, acting as a data controller of data processed on Facebook and Instagram, and requested restriction of data processing and prohibition of publication of her data via fake ads. The controller didn’t answer the request.

In parallel, the data subject filed a complaint with the Polish DPA (UODO).

Holding

The DPA explained that the Irish DPA (DPC) was competent to examine the complaint and start the proceedings. Nevertheless, the DPA found the contested processing activities fell within the scope of urgency procedure under Article 66(1) GDPR.

According to the DPA, Meta Ireland together with the ads creator acted as a joint controllers within Article 26 GDPR.

The DPA emphasised the Meta Ireland, acting as a data controller of data processed on Facebook and Instagram, processed the data related fake-news ads. One of the aggravating factors was the fact that Meta didn’t follow their privacy polices in practice (regarding ads creators due diligence). The position of data controller obliged Meta process the data subject’s data, including the data contained in ads, in compliance with data principles stemming from Article 5(1) GDPR, in particular, the principles of lawfulness, fairness and transparency (Article 5(1)(a) GDPR), as well as the principle of accuracy (Article 5(1)(d) GDPR), under a proper legal basis of Article 6(1) GDPR. Additionally, the affected data subject was a famous person and the published ads contained serious fake information about her. Because of that, data subject’s privacy, reputation and credibility of public figure were threatened, which violated also Article 1 CFR and Article 7 CFR.

As a result, the DPA considered it was probable that Meta violated Article 5(1) GDPR and Article 6(1) GDPR. Therefore, the DPA issued a decision under Article 66(1) GDPR and Article 70(1) of Data protection act (Ustawa o ochronie danych osobowych) to secure rights and freedoms of data subject by restricting the processing activities. The DPA prohibited the controller to share the data subject’s data via advertisements presented on Facebook and Instagram within Poland for three months.

Comment

The Polish DPA issued another decision under Article 66(1) GDPR and Article 70(1) of Data protection act against Meta. The cases are correlated regarding the subject matter and the relationship between data subjects (a husband and a wife)- see: UODO (Poland) - DS.523.4480.2024.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.

PRESIDENT
OF THE OFFICE OF
PROTECTION
PERSONAL DATA
Miroslaw Wroblewski
Warsaw, August 5, 2024.
DS.523.4486.2024
PROVISION
Pursuant to Article 123 of the Act of June 14, 1960, Code of Administrative
Procedure (Journal of Laws of 2024, item 572), in conjunction with Article 70 (1) and (2) of the Act of May 10, 2018 on Personal Data Protection (Journal of Laws of 2019, item 1781), in conjunction with Article 66 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016. on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of 4.05.2016, p. 1, Official Journal of the EU L 127 of 23.05.2018, p. 2, and Official Journal of the EU L 74 of 4.03.2021, p. 35), in
Proceedings from the complaint of Ms. B.K., residing in W., about irregularities in the processing of her personal data by M. consisting in providing her personal data, including false information about her, in advertisements displayed on social networks: F., available at the Internet address [...] and I., available at the Internet address [...], without legal basis, the President of the Office for Personal Data Protection decides oblige M., to restrict the processing of the personal data of Ms. B.K. zam. in W., by prohibiting them from being made available to other entities in advertisements displayed on social networks: F., available at the Internet address [...] and l., available at the Internet address [...], on the territory of the Republic of Poland for a period of three months from the date of delivery of this order to M.
Justification
The Office for the Protection of Personal Data received a complaint from Ms. B.K.,
registered address in W., hereinafter referred to as the Complainant, about irregularities in the processing of her personal data by M., hereinafter referred to as the Company, consisting in making her personal data, including false information about her, available in advertisements displayed on social networks: F., available at the Internet address [...] and
I., available at the Internet address [...], without legal basis.
In the body of the aforementioned complaint, the Complainant claimed that the Company violated her personal data by publishing on the aforementioned social networks - without her consent and without any another legal basis for the processing of personal data - her image, name and surname and false information about the Complainant contained in advertisements displayed in these services. The Complainant further alleged that the Company published her image on the above-mentioned portals, including an unlawfully modified image, without making the required assessment of the reliability of the source of the materials and without applying the appropriate procedure for verifying the veracity of the personal
data obtained (the record), which violated her fundamental rights and freedoms and
exposed her to a loss of confidence in her activities, including her charitable activities. The Complainant further pointed out that the advertisements disseminated her personal information, including her image and name, in juxtaposition with obviously false information about her alleged death, her alleged beating by her husband and her alleged detention by the police. The complainant also stated that as of the date of filing this complaint, she had detected as many as 263 advertisements (which many
times numbered from 2 to 6 versions), and this number is steadily growing, as she
receives daily signals from users of the above-mentioned portals, friends and
family, that they have seen an advertisement featuring her on these portals. This
kind of information strongly affects her sense of security, her dignity, her privacy, and negatively affects the emotional state of those close to her and her
acquaintances who react to such momentous information about the Complainant.
The Complainant also claimed that it had taken action against the Company by
sending a summons on July [...] 2024 to remove advertisements and sponsored
materials and to stop displaying ads that use the Complainant's image.
As evidence of the violation of data protection regulations, the Complainant
submitted a printout of the advertisements displayed on the profile "S.", available at: [...], a printout of advertisements displayed on the profile "O.", available at addresses: [...] and [...], printout of display ads on the "T." profile, printout of display ads on the "H." profile,
printout of display ads on the "M." profile, printout of display ads on the "V." profile, printout of display ads on the "H." profile, printout of display ads on the "Y." profile, printout of display ads on the "G." profile, printout of display ads on the "J." profile; printout of display ads on the "B." profile."; printout of display ads on the "R." profile; printout of display ads on the "S." profile; printout of display ads on the "M." profile; printout of display ads on the
"M." profile; printout of display ads on the "N." profile; printout of display ads on the "A." profile; printout of display ads on the "M." profile; printout of display ads on the "V." profile; printout of display ads on the "L." profile.
Pointing to the above, the Complainant requested, among other things, that the
Company be ordered to completely restrict processing, including a ban on processing the Complainant's personal data in the form of broadcasting advertisements with the Complainant's image and name containing false information about the Complainant (so-called "fake news"), including, in particular, false information regarding the alleged death of the Complainant, the alleged beating of the Complainant by her husband and the alleged detention of the Complainant by the police, imposing an administrative monetary penalty on the Company under Art. 83 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119 of
4.05.2016, p. 1, Official Journal of the EU L 127 of 23.05.2018, pp. 2 and Official Journal of the EU L 74 of 4.03.2021, p. 35), hereinafter referred to as
RODO, adequate to the circumstances and scale of the breach of personal data protection regulations. According to the findings of the President of the Office for Personal Data Protection, despite the Complainant's aforementioned request to the Company dated [...] July 2024, the Complainant's personal data continues to be provided by the Company in the manner questioned in the complaint. This is because the data continues to appear in advertising available at [...]. The processing of the Complainant's personal data by the Company, which is disputed by the Complainant, is "cross-border processing" within the meaning of Article 4(23)(a) of the RODO, according to which cross-border processing means the processing of personal data that takes place in the Union in the course of the activities of organizational units in more than one Member State of the controller or of a processor in the Union with organizational units in more than one Member State.
As the Company's registered office is in Ireland, the competent authority to act in the case as the lead supervisory authority, with respect to this cross-border processing of the Complainant's data, pursuant to Article 56(1) of the RODO, is the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland.
However, according to Article 66(1) of the RODO, in exceptional circumstances, if the supervisory authority concerned considers that there is an urgent need to take action to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65, or from the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on the territory of its Member State for a specified period, not exceeding three months. The supervisory authority shall immediately inform the other supervisory authorities concerned, the
European Data Protection Board and the Commission of these measures and the reasons for their adoption. In turn, according to the wording of Article 70 (1) of the Act of May 10, 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), if in the course of the proceedings it becomes probable that the processing of personal data violates the provisions on the protection of personal data, and further processing of personal data may cause serious consequences that are difficult to eliminate, the President of the Office, in order to prevent such consequences, may, by means of a decision, oblige the entity alleged to have violated the provisions on the protection of personal data to restrict the
processing of personal data, indicating the permissible scope of such processing.
Pursuant to Article 70 (2) of the Personal Data Protection Act, in the order referred to in paragraph (1), the President of the Office shall specify the duration of the restriction of the processing of personal data no longer than until the date of issuing a decision concluding the case.
As is clear from the above provisions, the basis for the adoption of provisional
measures by the supervisory authority concerned in the territory of its member state under Article 66(1) of the RODO is the urgent need to take action to protect the rights and freedoms of data subjects. Provisional measures under national law are provided for by the aforementioned Article 70 (1) of the Law on Personal Data Protection in the form of the issuance of an order obliging the entity alleged to have violated the provisions on personal data protection to restrict the processing of personal data, while the prerequisite for their application is the following the probability of a violation of data protection regulations and the risk of causing serious and difficult-to-remove consequences.
In the opinion of the President of the Office for Personal Data Protection, in
the present case the above prerequisites for the issuance of the aforementioned
order were met. The urgency of the interim measures must be assessed against the need to protect the rights and freedoms of data subjects. The negative effects on data subjects and their fundamental rights and freedoms are very significant in the present case.
In fact, in the questioned advertisements displayed by the Company on the F.
social network, personal data of the Complainant in terms of her name and surname are made available, as well as untrue information about her so-called "fake news", from which it appears that she was arrested, broke the law, and was beaten by her husband, and worst of all, information about her alleged death is displayed in them. There is no doubt that the aforementioned information about the Complainant
constitutes her personal data within the meaning of Article 4(1) of the RODO, according to which personal data means any information about an identified or identifiable natural person ("data subject"), and an identifiable natural person is one who can be identified directly or indirectly, in particular on the basis of an identifier such as a name. Indeed, in the disputed fake news displayed by the Company in advertisements on the social network F. The Complainant is a person identified by name. The applicant is a well-known person, she is a Polish journalist and TV presenter (T.), entrepreneur, philanthropist and investor. She owns the O. Foundation, of which she is president, and is also vice president of R. In 2022, she organized with Mr. J.C. W. "T.". In February 2023, she created the O. art foundation, which oversees all art projects carried out by O. and R., and provides a starting point for philanthropic activities. In 2023, she received the K. for outstanding contributions in philanthropic and charitable activities (cf. https://[...]). The content cited is untrue, violates the honor and dignity of the Complainant, as it slanders her for conduct or characteristics that are unlawful, as a result of which she was allegedly arrested.
In addition, the content invoked harms other people's opinion of the Complainant,
undermines their confidence in her as a public figure, or the above-mentioned effects may cause. It should be noted that the Complainant, by virtue of the aforementioned charitable activities, is a well-known, recognizable and respected person. Therefore, the invoked advertisements may cause a negative opinion of the Complainant's person or undermine confidence in her. It can be assumed that the invoked advertisements would not have appeared if the Complainant were not a public, publicly known person, since information about just such a person enjoys widespread interest, and because of such qualities of this person she became the target of attack. In addition, the content contains extremely drastic information about the beating and death of the Complainant, as well as crafted photos of her image as a result of the alleged beating by her husband. The above, due to the untruthfulness and the extreme severity and the drastic nature of the content presented by the Company, as described above, fully justify the urgent need for the President of the Office for Personal Data Protection, the supervisory authority in the field of personal data, to take immediate action to protect the fundamental rights and freedoms of data subjects. Moreover, this content, despite the fact that it harms the "S." defined by the Company, and which advertisers airing ads on the Company's technologies must adhere to (see https://[...]), have not been removed by the Company, while according to its preferred standards it should do so. Indeed, as the Company declares in the aforementioned community standards, quote: "(...) We want to ensure that the content displayed on F. is authentic. We believe that authenticity creates a better environment for sharing content (...)" and also quote: "(...) We are committed to ensuring safety on F. We remove content that may contribute to the risk of physical harm to individuals. Threatening content can intimidate, exclude or silence, and is therefore not allowed on F. (...)" as well as quoted: "(...) We believe that all people are equal in dignity and rights. We expect users to respect other people and to refrain from attacking or demeaning others (...)"(see https://[...]).
Despite the indicated declarations of the Company, false information about the
Complainant, extremely drastic and severe continues to be displayed on F., hence the urgent reaction of the supervisory authority, is fully justified in this case.
Moreover, in the present case, it has been fully probable that through the contested processing of the Complainant's personal data by the Company, involving the inclusion of her data, including false information about her in the advertisements presented by the Company on the aforementioned portal, it is possible that the Company may have violated data protection laws. Indeed, the Company is a joint controller of the Complainant's personal data processed in the aforementioned manner, within the meaning of Article 26 of the RODO,
according to which, if two or more controllers jointly determine the purposes and means of processing, they are joint controllers who, through joint arrangements, transparently determine the respective scopes of their responsibility for fulfilling their obligations under this Regulation. According to the regulations presented by the Company on the portal F. community, the Company and you are joint data controllers in accordance with Article 26 of the RODO to the extent of Joint Data Processing as defined by the Terms and Conditions of the relevant product. The scope of joint data processing includes the collection of personal data as defined by the Terms and Conditions of the relevant product and their transfer to the Company (cf. https://[...]). Moreover, as the aforementioned regulation states quote: "(...) The advertiser creates ads for display on F. and I. and on other sites and mobile apps, and then uploads them using our ad management tools. F. then displays the ads. We take into account the advertiser's goal, the expected audience and the advertisement when selecting t h e appropriate ads to display. We do not provide advertisers with information about your identity and we do not sell them your data (...)" (cf. [...]). Furthermore, according to the Company's claims in the aforementioned website, cited: "(...) Protecting the privacy of individuals is a key element for the design of our advertising system. When displaying ads on M. Products, we display relevant and useful ads to you without sharing your information with advertisers. We do not sell your personal information or share information that directly identifies you (such as your name, email address or other contact information) with advertisers without your explicit consent. We
allow advertisers to provide us with information such as their business purpose and the type of audience they want to display ads to (for example, people aged 18-35 who live near the advertiser's store in P.). We then display their ads to people we think might find them relevant (cf. https://[...]). In case of doubts about the Company's co-administration with the advertiser of possible personal data contained in the content of advertisements presented by the Company, it is reasonable to refer here to the judgment of the Court of Justice of June 5,
2018 in Case C-210/16, i.e. the proceedings Unabhängiges Landeszentrum für
Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH, with the participation of: Facebook Ireland Ltd, Vertreter des Bundesinteresses beim Bundesverwaltungsgericht, in which the Court held that the operator of a Facebook fanpage co-manages personal data together with the Company, stating in particular quote: "(...) the administrator of a fanpage operated on Facebook, (...) participates, by taking steps to establish parameters depending in particular on its target users, as well as on the objectives for the management or promotion of its activities, in determining the purposes and means of processing the personal data of visitors to its fanpage. Therefore, in the present case, it should be considered that this fanpage controller is jointly liable at the Union level with Facebook Ireland for the processing of data within the meaning of Article 2(d) of Directive 95/46 (...)." Therefore, it is incumbent on the Company, as co-controllers of the Complainant's personal data, to process the Complainant's personal data in compliance with the legitimizing prerequisites enumerated in Article 6(1) of the RODO, and furthermore in compliance with the principles of data processing under Article 5(1) of the RODO, such as, in particular, the principles of lawfulness, fairness and transparency (Article 5(1)(a) of
the RODO), as well as the principle of accuracy (Article 5(1)(d) of the RODO). In addition, the Company, pursuant to Article 5(2) of the RODO, must be able to demonstrate compliance with the provisions of the RODO in the processing of the Complainant's personal data. Thus, the Company's making public the Complainant's personal data, including false information about the Complainant, in advertising content presented by the Company, in a manner that allows an unlimited circle of other persons/entities to become aware of it, may therefore result in the Company's violation of Art. 5(1) of the RODO and Article 6(1) of the RODO, as demonstrated above by indicating the manner in which the Company shared the Complainant's data, as well as the nature of that sharing, further contradicting the Company's regulations on the use of its services contained in the F
social network. However, the Company's publicizing of the Complainant's personal data, including the described false information about her, in the above advertising content violates Article 1 of the Charter of Fundamental Rights of the European Union, which states that. Human dignity is inviolable. It must be respected and protected, and by allowing access to the general public violates the fundamental right of the person concerned to respect for private and family life, guaranteed by Article 7 of the EU Charter of Fundamental Rights. Thus, in the case it has been made probable that the processing of the Complainant's personal data by the Company violates the provisions on the protection of personal data, as a result of which the first of the prerequisites for the application of the
provisional measure in the case under Article 70 (1) of the Law on the Protection of Personal Data, has been met. In the case, there is also a second prerequisite for issuing the above-mentioned order in the form of a probable threat to cause serious and difficult-to-remove consequences. Because of the Company's dissemination of false information about the Complainant's death and the domestic violence used against her, the content made public by the Company in the aforementioned advertisements on the social network F., may cause extremely severe consequences in the sphere of life and health, including mental health, and not only of the Complainant, but also of others. While the negative effects could potentially affect all users, it is particularly important to point out the many data subjects who require special protection when using the Company's services, such as the young, the elderly, and people with cognitive disabilities. False information, especially regarding the alleged death of the Complainant,
and containing a specially altered image of the Complainant as the victim of an alleged beating, can strain the delicate psyche of young people and be dangerous for them. Such information may also be shocking to the elderly in particular, for example, as it may prove to be too much for them. The case may result in the indelible effect of further processing of false information about the Complainant by other entities and further spreading of disinformation about the Complainant in Polish society. Therefore, the Company is urgently prohibited from releasing the aforementioned personal data of the Complainant contained in the advertisements displayed on the social networks F. and I. in the territory of the Republic of Poland for a period of three months from the date of delivery of this order to the Company, which is fully justified and necessary. The subsequent decision of the lead authority in the case will not remove the negative effects of unauthorized processing of personal data by others, especially with regard to the effects in the psychological sphere of individuals, as indicated above.
This fully justifies the application of the protection mechanism of Article 70(1) of the Data Protection Law in conjunction with Article 66(1) of the RODO.
In this state of facts and law, the President of the Office for Personal Data
Protection has ruled as in the operative part.
President of the Office
Personal Data Protection
Miroslaw Wroblewski
This order is final. Pursuant to Article 70 (3) of the Law of May 10, 2018 on the
Protection of Personal Data (Journal of Laws of 2019, item 1781), a party has the right to lodge a complaint with the Provincial Court against this decision Administrative Court in Warsaw, within 30 days from the date of delivery of this order, through the President of the Office for Personal Data Protection (address: Office for Personal Data Protection, 2 Stawki Street, 00-193 Warsaw). The entry fee for the complaint is PLN 200. The party has the right to apply for the right to assistance, including exemption from court costs.