Meta Platforms Ireland – Order (Poland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Meta Platforms Ireland faced scrutiny for using a person's data to create fake ads without permission. This is important because it raises concerns about how companies handle personal data and the consequences of not following privacy rules. Businesses must be careful about how they use people's images and information.
What happened
Meta used a person's name and image in fake ads without their consent.
Who was affected
The individual whose name and image were used in the fake advertisements on Facebook and Instagram.
What the authority found
The Polish data protection authority found that Meta violated GDPR by not processing the individual's data lawfully and transparently.
Why this matters
This case emphasizes that companies must adhere to strict data protection principles, especially when dealing with sensitive information. Businesses should implement better controls to prevent misuse of personal data in advertising.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Data subject’s data was used to create a deep-fake ads, published on Facebook and Instagram. According to the data subject, there were ads, where his name, surname and image was published, combined with a fake information about him, for example deep-fake video with data subject image soliciting an investment platform. The fake-ads aimed at creating a false impression that the investment platform was supported by the data subject and, hence, secure and worth investing in. The ads were accessible to many users of Facebook and Instagram. The data subject contacted the data controller Meta Ireland, acting as a data controller of data processed on Facebook and Instagram, and requested restriction of data processing and prohibition of publication of her data via fake ads. The controller didn’t answer the request. In parallel, the data subject filed a complaint with the Polish DPA (UODO). The DPA explained that the Irish DPA (DPC) was competent to examine the complaint and start the proceedings. Nevertheless, the DPA found the contested processing activities fell within the scope of urgency procedure under Article 66(1) GDPR. According to the DPA, Meta Ireland together with the ads creator acted as a joint controllers within Article 26 GDPR. The DPA emphasised the Meta Ireland, acting as a data controller of data processed on Facebook and Instagram, processed the data related fake-news ads. One of the aggravating factors was the fact that Meta didn’t follow their privacy polices in practice (regarding ads creators due diligence). The position of data controller obliged Meta process the data subject’s data, including the data contained in ads, in compliance with data principles stemming from Article 5(1) GDPR, in particular, the principles of lawfulness, fairness and transparency (Article 5(1)(a) GDPR), as well as the principle of accuracy (Article 5(1)(d) GDPR), under a proper legal basis of Article 6(1) GDPR. Additionally, the affected data subject was a famous person
Outcome
Order
A binding order requiring the controller to take specific action.
Related Enforcement Actions (0)
No other enforcement actions found for Meta Platforms Ireland in PL
This is the only recorded action for this entity in this jurisdiction.
Details
Order Date
5 August 2024
Authority
Urząd Ochrony Danych Osobowych
About this data
Cite as: Cookie Fines. Meta Platforms Ireland - Poland (2024). Retrieved from cookiefines.eu
Last updated: