The Agencia Española de Protección de Datos (AEPD) has ordered this precautionary measure against Meta, which also includes halting the collection and processing of data associated with these functionalities.
These functionalities are intended to be launched for all users of Meta's services who are eligible to vote in the European elections, with the exception of Italy, whose data protection authority already has an ongoing procedure regarding this matter.
The DPA has issued this measure considering that the data processing planned by the company is contrary to the General Data Protection Regulation (GDPR), specifically violating data protection principles such as lawfulness, data minimization, and storage limitation. Through these two functionalities, which aim to provide Facebook and Instagram users with information about the EU elections, Meta intends to process personal data such as the user's name, IP address, age, gender, and information on how they interact with these functionalities.
The authority believes that the planned data collection and retention by the company would seriously endanger the rights and freedoms of Instagram and Facebook users. In the authority’s opinion this would increase the volume of information collected about them, enabling the creation of more complex, detailed, and exhaustive profiles, leading to more intrusive processing. The provision of potentially personal data to third parties would constitute a disproportionate interference with the rights and freedoms of the data subjects. This loss of control poses a high risk that these data could be used by unknown controllers for unexplicit purposes.
This action by the authority is carried out under the procedure established in Article 66.1 of the GDPR, which states that, in exceptional circumstances, when a concerned supervisory authority – in this case, the AEPD – considers it urgent to intervene to protect the rights and freedoms of individuals, it may adopt provisional measures with legal effect in its territory, valid for a period not exceeding three months.
The European Commission announced at the end of April the initiation of a procedure against Meta to analyze, among other aspects, misinformation, the visibility of political content, and monitoring tools in the context of the upcoming elections, under the Digital Services Act.
In this context, the Agency believes that the urgent adoption of temporary prohibition measures for these functionalities is justified to prevent data collection, user profiling, and sharing with third parties, which should ensure that personal data cannot be used by unknown controllers for unexplicit purposes.
This temporary prohibition on the launch of these functionalities in Spain has a maximum validity period of three months.
The full document can be reached here https://www.aepd.es/documento/co-00083-2024-medida-provisional.pdf
Article provided by INPLP member: Belén Arribas Sánchez (BAS Abogados, Spain)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)