The Agency orders a precautionary measure that prevents Meta from implementing the electoral functionalities that it plans to launch in Spain
- The AEPD orders the suspension of the implementation in Spanish territory of the Election Day Information and Voter Information Unit functionalities, and the collection and processing of data involved in their use
- This decision is based on exceptional circumstances, in which it is necessary to adopt measures to prevent the collection of data, the profiling of users and the transfer of information to third parties, thus preventing personal data from being used by unknown parties and for non-explicit purposes
- The temporary ban on the launch of these functionalities in Spain is valid for a maximum period of three months
- Meta has indicated that it intends to have these functionalities launched for all users of its services eligible to vote in the European elections with the exception of Italy, whose data protection authority already has an ongoing procedure on this matter
(31th May 2024). The Spanish Data Protection Agency (AEPD) has ordered a precautionary measure against Meta Platforms Ireland Limited so that, immediately and in view of the upcoming European Parliament elections, it suspends in Spanish territory the launch of the Election Day Information (EDI) and Voter Information Unit (VIU) functionalities, and the collection and processing of data involved in their use.
These functionalities are planned to be launched for all users of its services entitled to vote in the European elections with the exception of Italy, whose data protection authority already has an ongoing procedure on this matter.
The Agency orders this measure as it considers that the data processing planned by the company involves an action contrary to the General Data Protection Regulation (GDPR) that, at least, would breach the data protection principles of lawfulness, data minimization and storage limitation.
Through these two functionalities, which consist in providing information to Facebook and Instagram users about the EU elections, Meta intends to process personal data such as, among others, user name; IP address; age and gender or information on how it interacts with those functionalities.
The Agency considers that the data collection and storage planned by the company would put at serious risk the rights and freedoms of Instagram and Facebook users, who would see an increase in the volume of information Meta collects about them, allowing for more complex, detailed and exhaustive profiling, and generating more intrusive processing.
Making available to third parties data that could be of a personal nature would entail a disproportionate interference in the rights and freedoms of data subjects. This loss of control entails a high risk of such data being used by unknown controllers and for non-explicit purposes.
For its part, the European Commission announced at the end of April the opening of a procedure against Meta to analyze, among other things, aspects such as disinformation, visibility of political content and monitoring tools for the aforementioned elections, within the framework of the Digital Services Act.
Meta has its main establishment in Europe based in Ireland. This action by the Agency is carried out within the framework of the procedure established in Article 66.1 of the GDPR, which states that, in exceptional circumstances, where a supervisory authority concerned - in this case the AEPD - considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months.
In this context, the Agency understands that the adoption of urgent measures of temporary prohibition of these functionalities is justified in order to avoid data collection, user profiling and transfer to third parties, thus preventing personal data from being used by unknown controllers and for non-explicit purposes.
AEPD Circular on Political Opinions
The use of big data, artificial intelligence and the application of microtargeting in electoral processes can lead to the manipulation of individuals through exhaustive profiling and disinformation.
The Spanish Data Protection Agency's Circular 1/2019 on the processing of personal data relating to political opinions and sending of electoral propaganda by electronic means or messaging systems by political parties, federations, coalitions and groups of voters lays down in its Article 5 that only political opinions that have been freely expressed by individuals in the exercise of their rights to ideological freedom and freedom of expression recognized in Articles 16 and 20 of the Spanish Constitution may be collected, and that under no circumstances other types of personal data shall be processed from which, by applying technologies such as mass data processing or artificial intelligence, the political ideology of a person can be inferred.
(Unofficial courtesy translation)