Meta Platforms Ireland – Order (Poland, 2024)

Data subject’s data was used to create a deep-fake ads, published on Facebook and Instagram. According to the data subject, there were approximately 260 different ads, where her name, surname and image was published, combined with a fake information about her, for example information about her death or crime committed. The ads were accessible to many users of Facebook and Instagram, including the family of data subject. The data subject contacted the data controller Meta Ireland, acting as a data controller of data processed on Facebook and Instagram, and requested restriction of data processing and prohibition of publication of her data via fake ads. The controller didn’t answer the request. In parallel, the data subject filed a complaint with the Polish DPA (UODO). The DPA explained that the Irish DPA (DPC) was competent to examine the complaint and start the proceedings. Nevertheless, the DPA found the contested processing activities fell within the scope of urgency procedure under Article 66(1) GDPR. According to the DPA, Meta Ireland together with the ads creator acted as a joint controllers within Article 26 GDPR. The DPA emphasised the Meta Ireland, acting as a data controller of data processed on Facebook and Instagram, processed the data related fake-news ads. One of the aggravating factors was the fact that Meta didn’t follow their privacy polices in practice (regarding ads creators due diligence). The position of data controller obliged Meta process the data subject’s data, including the data contained in ads, in compliance with data principles stemming from Article 5(1) GDPR, in particular, the principles of lawfulness, fairness and transparency (Article 5(1)(a) GDPR), as well as the principle of accuracy (Article 5(1)(d) GDPR), under a proper legal basis of Article 6(1) GDPR. Additionally, the affected data subject was a famous person and the published ads contained serious fake information about her. Because of that, data subject’s privacy, reputati