Inquiry into LinkedIn Ireland Unlimited Company
This Decision concerns an Inquiry by the Data Protection Commission (the DPC) into LinkedIn Ireland Unlimited Company (LinkedIn), a data controller with its main establishment in Ireland. The Decision relates to a complaint-based inquiry, which was commenced on 20 August 2018, following a complaint made by the French non-profit organisation, La Quadrature Du Net (the Complaint).
The Complaint was initially made to the French Data Protection Authority, on behalf of affected data subjects pursuant to Article 80(1) GDPR, and later transmitted to the DPC as lead supervisory authority for LinkedIn. The Complaint asserted that LinkedIn had processed certain personal data relating to the data subjects, for the purposes of behavioural analysis and targeted advertising (BA & TA), without a valid legal basis and in an unfair and non-transparent manner.
The DPC commenced a statutory inquiry (the Inquiry), on 20 August 2018, to examine LinkedIn’s compliance with Articles 5(1)(a), 6(1), 13(1)(c), 13(1)(d), 14(1)(c) and 14(2)(b) of the GDPR. The inquiry was commenced pursuant to Section 110 of the Data Protection Act 2018 (the 2018 Act).
Summary of Findings
The Decision concluded that:
- LinkedIn could not validly rely on Article 6(1)(a) GDPR to process third party data of its members for the purpose of BA & TA, excluding analytics, on the basis that the consent obtained by LinkedIn was not freely given, sufficiently informed or specific, or unambiguous.
- LinkedIn could not validly rely on Article 6(1)(f) GDPR for its processing of first party personal data of its members for BA & TA or third party data for analytics.
- LinkedIn could not validly rely on Article 6(1)(b) GDPR to process first party data of its members for the purpose of BA & TA.
- LinkedIn infringed Article 13(1)(c) and 14(1)(c) in respect of the information it provided to data subjects regarding its reliance on Article 6(1)(a), Article 6(1)(b) and Article 6(1)(f) as lawful bases.
- LinkedIn infringed the principle of fairness in Article 5(1)(a) GDPR.
Corrective Measures
Under Section 113(4)(a) of the 2018 Act, where the DPC adopts a decision (in accordance with Section 113(2)(b)), it must, in addition, make a decision as to whether a corrective power should be exercised in respect of the controller or processor concerned and, if so, the corrective power to be exercised. Article 58(2) GDPR sets out the corrective powers that supervisory authorities may exercise in respect of non-compliance by a controller or processor.
Having carefully considered the infringements identified in the Decision, the DPC decided to exercise certain corrective powers in accordance with Section 115 of the 2018 Act and Article 58(2) GDPR. The corrective powers that the DPC decided were appropriate to address the infringements in the particular circumstances were:
- Issuing a reprimand to LinkedIn in respect of its infringements of the GDPR identified in the Decision (i.e. Articles 5(1)(a), 6(1), 13(1)(c) and 14(1)(c) GDPR).
- Imposing an order on LinkedIn to bring its processing into compliance with the GDPR. This order requires:
  - firstly, that LinkedIn bring its Privacy Policy into compliance with Articles 13(1)(c) and 14(1)(c) GDPR as regards information provided on data processed pursuant to Articles 6(1)(a), 6(1)(b) and 6(1)(f) GDPR, if those legal bases continue to be relied upon by LinkedIn for the purposes of BA & TA and analytics;
  - secondly, that LinkedIn take the necessary action to bring its processing of personal data for the purpose of BA & TA into compliance with Article 6(1) GDPR, in particular, to take the necessary action to address the findings in the Decision that LinkedIn did not validly rely on Articles 6(1)(a), 6(1)(b) and 6(1)(f) GDPR to carry out the identified processing.
- Imposing three administrative fines totalling €310 million, which were effective, proportionate and dissuasive, as follows:
  - With regard to LinkedIn’s reliance on the lawful basis in Article 6(1)(a) GDPR, and in respect of LinkedIn’s infringements of Articles 5(1)(a) and 6(1) GDPR for the processing of third party data of its members for BA & TA without a valid lawful basis, a fine of €105 million.
  - With regard to LinkedIn’s reliance on the lawful bases in Articles 6(1)(b) and 6(1)(f) GDPR, and in respect of LinkedIn’s infringements of Articles 5(1)(a) and 6(1) GDPR for the processing of first party data of its members for BA & TA and third party data for analytics without a valid lawful basis, a fine of €110 million.
  - In respect of LinkedIn’s infringements of Article 13(1)(c) GDPR and 14(1)(c) GDPR, a fine of €95 million.
The DPC did not impose a separate fine for the infringement of the Article 5(1)(a) GDPR principle of fairness in circumstances where the infringement was based on conduct that the DPC had already fully taken into account in imposing separate administrative fines.
Prior to its adoption, the DPC submitted a draft of its decision to the Concerned Supervisory Authorities in July 2024, as required under Article 60(3) of the GDPR. The Concerned Supervisory Authorities did not raise any objections (for the purpose of Article 60(4) GDPR) to the draft decision.
For more information, you can download:
- A complete summary of the decision at this link: Summary of Inquiry into LinkedIn Ireland Unlimited Company - October 2024 (PDF, 396 KB).
- The full decision at this link: Inquiry into LinkedIn Ireland Unlimited Company - October 2024 (PDF, 1.8 MB).
Inquiry into Meta Platforms Ireland Limited
On 26 September 2024, the Irish Data Protection Commission (DPC) adopted a final decision in an own-volition statutory inquiry, concerning the processing of user passwords on the Facebook service by Meta Platforms Ireland Limited (MPIL). The inquiry was carried out in accordance with the Data Protection Act 2018 and Article 60 of the EU General Data Protection Regulation (GDPR). The DPC was competent to act as lead supervisory authority for the processing at issue, pursuant to Article 56 GDPR.
The Decision considered particular aspects of the fundamental right to data protection under Article 8 of the Charter of Fundamental Rights of the EU, as expressed in the GDPR’s specific data protection rules concerning personal data breaches, and the obligation to ensure the security of personal data.
Background to the Inquiry Process
MPIL uses cryptographic and encryption techniques when storing users’ passwords, and does not store the individual characters that make up a password. On 21 March 2019, MPIL informed the DPC that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems. On 24 April 2019, the DPC commenced an own-volition inquiry in response to this issue.
Summary of Findings
| Number | Article of the GDPR | Findings |
|---|---|---|
| 1 | Article 4(12) | The Data Protection Commission found that each of the instances of plaintext password logging, as identified by MPIL on 7 January 2019 and 31 January 2019, constituted a personal data breach within the meaning of Article 4(12) GDPR. |
| 2 | Article 33(1) | The Data Protection Commission found that MPIL infringed Article 33(1) GDPR by failing to notify a personal data breach to the Data Protection Commission without undue delay and within 72 hours of the discovery on 31 January 2019 of the passwords stored in plaintext. |
| 3 | Article 33(5) | The Data Protection Commission found that MPIL infringed Article 33(5) GDPR on two occasions by failing to document the personal data breach discovered on 7 January 2019 and by failing to document the personal data breach discovered on 31 January 2019. |
| 4 | Article 5(1)(f), 32(1) | The Data Protection Commission found that MPIL did not comply with the requirements of Article 5(1)(f) GDPR and Article 32(1) GDPR (in particular having regard to Article 32(1)(b)) by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. |
Corrective Measures
Where the DPC makes a decision under Section 111(1)(a) of the Act, it must also make a decision under Section 111(2) as to whether a corrective power should be exercised in respect of the controller or processor concerned, and if so, the corrective power to be exercised.
Having considered the infringements of the GDPR as set out above, the DPC decided to exercise the following corrective powers, in accordance with Article 58(2) GDPR:
- a reprimand, pursuant to Article 58(2)(b) GDPR, regarding the infringements identified in the Decision; and
- three administrative fines totalling €91 million, as follows:
  - In respect of MPIL’s infringement of Article 33(1) GDPR, a fine of €8 million.
  - In respect of MPIL’s infringement of Article 33(5) GDPR, a fine of €8 million.
  - In respect of MPIL’s infringements of Articles 5(1)(f) and 32(1) GDPR, a fine of €75 million.
The purpose of the reprimand is to formally recognise the serious nature of the infringements in order to deter future similar non-compliance by MPIL and other controllers or processors carrying out similar processing operations. The infringements concerned the personal data of tens of millions of Facebook users. Furthermore, the DPC found both infringements contributed to a risk of fraud, impersonation, spamming and potential financial or reputational loss in respect of the data subjects.
In deciding to impose three administrative fines totalling €91 million, the DPC gave due regard to the factors set out in Article 83(2) GDPR. The DPC also considered that administrative fines totalling €91 million met the requirements set out in Article 83(1) GDPR of being effective, proportionate and dissuasive.
Prior to its adoption, the DPC submitted a draft of its decision to the Concerned Supervisory Authorities in June 2024, as required under Article 60(3) of the GDPR. The Concerned Supervisory Authorities did not raise any objections under Article 60(4) GDPR to the draft decision. Four comments were received from CSAs with regard to the draft decision. The DPC had regard to these comments, and to a final submission by MPIL, when finalising the decision for adoption.
For more information, you can download:
- A complete summary of the decision at this link: Summary of Inquiry into Meta Platforms Ireland Limited - September 2024 (PDF, 193 KB).
- The full decision at this link: Inquiry into Meta Platforms Ireland Limited - September 2024 (PDF, 1.2 MB).
- A corrigendum to the decision: Corrigendum to decision for inquiry into Meta Platforms Ireland Limited - September 2024 (PDF, 67 KB).
Inquiry concerning Mediahuis Ireland Group Limited
The decision in this inquiry relates to a balancing between the fundamental right to data protection and the fundamental right to freedom of expression and information.
Summary of Inquiry
The DPC has completed a complaint-based inquiry into the processing of personal data by Mediahuis Ireland Group Limited (MIG) in relation to a series of news reports in the print and online editions of the Irish Independent, Herald and Sunday Independent newspapers. The purpose of the inquiry was to examine if any obligations on the controller arising under Articles 5(1)(a), 5(1)(c), 5(2), 6 and 9 GDPR had been engaged and, if engaged, whether MIG infringed those obligations in publishing the personal data relating to the Complainant as contained in the relevant newspaper articles.
As a preliminary issue, the DPC examined the jurisdiction of the DPC to conduct an inquiry into a media outlet in light of the exemption set out in section 43 of the Data Protection Act 2018 (‘the 2018 Act’). That section implements the requirements of Article 85 GDPR, to provide that ‘Member States shall by law reconcile the right to the protection of personal data pursuant to [GDPR] with the right to freedom of expression and information.’ The section exempts certain processing of personal information for journalistic purposes from compliance with certain provisions of the GDPR where compliance with the provision would be incompatible with the purpose of exercising the right to freedom of expression and information. The GDPR provisions to be considered include those related to the rights of data subjects, the obligations of controllers and the powers and functions of supervisory authorities.
The DPC held that it has the power to use the provisions of the 2018 Act to inquire into a complaint which raises issues concerning potential infringements of the GDPR and which also directly and centrally engages a data controller’s freedom of expression right.
Neither the GDPR nor the fundamental right to protection of an individual’s personal data contained in Article 8 of the EU Charter of Fundamental Rights are subordinate to the freedom of expression right. Article 85 GDPR and section 43 of the 2018 Act expressly recognise the latter right, but also recognise that it must be weighed in individual cases against data protection rights. In some circumstances it may take precedence over certain GDPR provisions, including those related to the principles of processing (apart from the principle of integrity and confidentiality) contained in Article 5 GDPR and the requirement for lawfulness of processing contained in Article 6 GDPR. The regulatory powers and functions granted by the GDPR may be avoided only to the extent that the exercise of those powers and functions would be incompatible with the exercise of the right to freedom of expression and information. The potential incompatibility of certain GDPR provisions (including the supervisory and enforcement powers of the DPC) with the exercise of freedom of expression and information does not prevent, or is not inconsistent with, the DPC conducting an inquiry in order to assess the very applicability of the section 43 exemption. Further, if the DPC finds that the exemption applies to the particular circumstances, then the DPC must carry out a further analysis to examine the extent to which section 43 curtails the exercise of the provisions listed in section 43(2) of the 2018 Act in the particular case.
In this inquiry, the DPC conducted a detailed analysis on the facts of the complaint, in which it carried out a balancing exercise to determine whether the processing of the complainant’s personal data by MIG in exercise of its right to freedom of expression and information for journalistic purposes was permitted because the application of certain GDPR provisions to prevent that publication would have been incompatible with such purposes. This required an assessment of where a fair balance lies between the freedom of expression right and the Complainant’s right to protection of her personal data.
The DPC examined the legal basis for journalistic expression in terms of the Irish Constitution in Article 40.6.1°(i), which sets out that the ‘education of public opinion’ is ‘a matter of such grave import to the common good’ and that the press has a ‘rightful liberty of expression’, along with the text of Article 10 of the European Convention of Human Rights, which highlights that the ‘exercise of the right to freedom of expression may be subject to formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society.’ The DPC analysed precedents from Irish decisions on conflict between the right of free expression and the right to privacy or data protection. The DPC then went on to apply case law of the Court of Justice of the EU and of the European Court of Human Rights in determining the appropriate balance of competing human rights.
Having regard to the totality of the evidence before it, the DPC found that the exemption under section 43(1) of the Data Protection Act 2018 applies to the reporting by MIG about which complaint was made by the Complainant, and the DPC therefore dismissed the Complaint under section 112(1)(b) of the Data Protection Act 2018.
Key Extracts from the Analysis
- The DPC has the power to use the provisions of the 2018 Act to inquire into a complaint which raises issues concerning potential infringements of the GDPR and which also directly and centrally engages a data controller’s freedom of expression right. Neither the GDPR nor the fundamental right to protection of an individual’s personal data contained in Article 8 of the EU Charter are subordinate to the freedom of expression right. Article 85 GDPR and section 43 of the 2018 Act (‘Section 43’) expressly recognise the latter right, but also that it must be weighed in individual cases against data protection rights, and may even take precedence over certain GDPR provisions, including those contained in Articles 5 and 6 GDPR [1] and the regulatory powers and functions granted by the GDPR to the extent that the exercise of those powers and functions would be incompatible with the exercise of the right to freedom of expression and information. The potential incompatibility of certain GDPR provisions (including the supervisory and enforcement powers of the DPC) with the exercise of freedom of expression and information does not prevent, or is not inconsistent with, the DPC conducting an inquiry in order to assess the very applicability of the Section 43 exemption. Further, if the DPC finds that the exemption applies, then the DPC must carry out a further analysis to examine the extent to which Section 43 curtails the exercise of the provisions listed in section 43(2) in the particular case.
- Article 85 and Section 43 make it clear that such restriction of the GDPR provisions would only be necessary in circumstances where the ‘compliance with the provision would be incompatible with [exercising the right to freedom of expression]’. By stating explicitly within the text of Section 43 that Article 5(1)(f) GDPR does not fall within the scope of any potential exemption, it is clear that Section 43 is not intended to exclude the full competency of the DPC to regulate compliance with the GDPR in all cases of journalistic processing. It is accepted that the DPC would not have power to invoke certain aspects of its supervisory powers (and in particular its enforcement powers) as provided for under Chapter VI of the GDPR in some circumstances; but any such circumstances would need careful analysis to justify any restriction in the application of GDPR provisions provided to vindicate the data protection rights of data subjects. It is clear that the DPC may use its inquiry mechanism under the 2018 Act in order to conduct such assessments.
- This balancing assessment is a function granted to the DPC by Section 43 itself. It is within the power of the DPC to determine by inquiry whether the exemption under section 43(1) in fact applies to the processing activities of any controller, including MIG, by considering:
  - the purposes of the processing, i.e. is it for the purposes of exercising the freedom of expression right, for journalistic purposes and/or for the purposes of academic, artistic or literary expression; and
  - whether compliance with aspects of the provisions exempted under section 43(2) would be incompatible with exercising the right to freedom of expression and information or for the purpose of academic, artistic or literary expression.
- This Inquiry is the mechanism by which the DPC has considered it appropriate to conduct the relevant assessment in this case, using its powers under section 110 of the 2018 Act, given that the issues were raised as a result of a complaint made to the DPC. The inquiry mechanism allows the DPC to make its assessment, and (in accordance with the requirements of fair procedures) present each side’s position (data subject and data controller) to the other and allow the parties concerned the facility to provide their reasoned views to the DPC. If the DPC is satisfied that the exemption applies to the processing activities in question, having regard to the above factors, it can confirm if a controller has properly applied the exemption to the relevant processing activities and if the controller is exempted from complying with particular obligations under section 43(2) in respect of those processing activities. Therefore, the exemption cannot be used at the outset to exempt or prevent such analysis by the DPC as appears to be suggested by MIG, nor does it dictate the manner or mechanism by which this assessment is to be conducted.
- The test to establish the need for an inquiry is not whether the DPC has formed a view that there is a ‘suspected infringement’ of a relevant enactment. Rather, under sections 109(5), 109(5)(e) and 110 of the 2018 Act, and when the DPC considers that a complaint cannot be resolved amicably, it can cause such ‘inquiry as it thinks fit’ to be conducted into the complaint (section 109(5)(e)) and, in relation to the inquiry jurisdiction under section 110, the DPC ‘may, in order to ascertain whether an infringement has occurred or is occurring, cause such inquiry as it thinks fit to be conducted.’
- The DPC therefore has a broad discretion both as to whether to carry out an inquiry and as to the form and scope of such an inquiry. Once an inquiry has as its purpose ascertaining whether there has been or is an infringement of the GDPR or of the 2018 Act, the DPC may undertake an inquiry.
- Section 43 of the 2018 Act (Data processing and freedom of expression and information) is the provision by which Irish law gives effect to the requirements of Article 85 GDPR. It provides:
  - (1) The processing of personal data for the purpose of exercising the right to freedom of expression and information, including processing for journalistic purposes or for the purposes of academic, artistic or literary expression, shall be exempt from compliance with a provision of the Data Protection Regulation specified in subsection (2) where, having regard to the importance of the freedom of expression right in a democratic society, compliance with the provision would be incompatible with such purposes.
  - (2) The provisions of the Data Protection Regulation specified for the purposes of subsection (1) are Chapter II (principles), other than Article 5(1)(f), Chapter III (rights of the data subject), Chapter IV (controller and processor), Chapter V (transfer of personal data to third countries and international organisations), Chapter VI (independent supervisory authorities) and Chapter VII (cooperation and consistency).
  - (3) The Commission may, on its own initiative, refer any question of law which involves consideration of whether processing of personal data is exempt in accordance with subsection (1) to the High Court for its determination.
  - (4) An appeal shall, by leave of the High Court, lie from a determination of that Court on a question of law under subsection (3) to the Court of Appeal.
  - (5) In order to take account of the importance of the right to freedom of expression and information in a democratic society that right shall be interpreted in a broad manner.
- Therefore, a two-part test is applicable to determine whether the exemption in Section 43 applies to processing of personal data:
  - First, the processing in question must be for the purpose of exercising the right to freedom of expression and information, including processing for journalistic purposes or for the purposes of academic, artistic or literary expression.
  - Second, compliance with the relevant provisions of the GDPR must be incompatible with those purposes, having regard to the importance of the freedom of expression right in a democratic society.
- The question for the DPC in relation to this issue is whether the particular reporting of the particular personal data and special category data of the Complainant in this case was for the purpose of exercising the freedom of expression right. If so, the DPC must consider whether compliance with the GDPR provisions set out in section 43(2) of the 2018 Act would have been incompatible with that right, noting also that the freedom of expression right is to be given a broad interpretation by the DPC (per section 43(5) of the 2018 Act). This assessment for the purposes of section 43(2) of the 2018 Act requires the DPC to assess the compatibility of the exercise of freedom of information and expression against certain GDPR rights and obligations, including (in the context of this Complaint):
  - the requirement for data processing to be fair and lawful (Article 5(1)(a) GDPR),
  - the requirement for the controller to ensure that the personal data processed by it is adequate, relevant and limited to what is necessary in relation to the purposes of processing (Article 5(1)(c) GDPR),
  - the requirement for the controller to be accountable for its data processing by being able to demonstrate compliance with the principles of processing set out in Article 5 GDPR (pursuant to Article 5(2) GDPR),
  - the requirement for the controller to have a lawful basis for its data processing as contained in Article 6 GDPR,
  - the requirement for the controller to meet one of the conditions contained in Article 9 GDPR in respect of any special category data processed, and
  - the obligation to be subject to enforcement action or sanctions by the DPC as provided for under Chapter IV of the GDPR.
- The balance between media publications in exercise of freedom of information and expression and the right of privacy of the individual about whom information is published will favour the freedom of expression where the information is published in the public interest. This public interest has been interpreted as being an interest in publishing or disclosing information that contributes to a debate of general interest. This is sometimes contrasted with the publication or disclosing of information which is merely interesting to the public (e.g. being titillating or at the level of mere gossip) but which does not contribute to any debate of general interest.
- Article 85(1) GDPR requires that the right to protection of personal data pursuant to the GDPR must be reconciled with the right to freedom of expression and information, including processing for journalistic purposes. Section 43 requires an assessment of whether, inter alia, processing for journalistic purposes …shall be exempt from compliance with a provision of the [GDPR] specified [including processing principles and rights of the data subject] where, having regard to the importance of the right of freedom of expression and information in a democratic society, compliance with the provision would be incompatible with such purposes. This requires a balancing exercise of the obligation to respect a data subject’s personal data rights against the right of the public to be informed by the media about matters of public interest.
- The European Court of Human Rights has said that the role or function of the person concerned and the nature of the activities that are the subject of the report and/or photo constitute important criteria. In that regard, the Court said that a distinction has to be made between private individuals and persons acting in a public context, as political figures or public figures. Accordingly, whilst a private individual unknown to the public may claim particular protection of his or her right to private life, the same is not true of public figures … A fundamental distinction needs to be made between reporting facts capable of contributing to a debate in a democratic society, relating to politicians in the exercise of their official functions for example, and reporting details of the private life of an individual who does not exercise such functions. Whilst in the former case the press exercises its role of ‘public watchdog’ in a democracy by imparting information and ideas on matters of public interest, that role appears less important in the latter case. Similarly, although in certain special circumstances the public’s right to be informed can even extend to aspects of the private life of public figures, particularly where politicians are concerned, this will not be the case – even where the persons concerned are quite well known to the public – where the published photos and accompanying commentaries relate exclusively to details of the person’s private life and have the sole aim of satisfying the curiosity of a particular readership in that respect. In the latter case, freedom of expression calls for a narrower interpretation. [2]
- It is true that the balance will not always favour the freedom of expression right. The ECtHR and the Irish courts have considered that the balance may tip in favour of an individual’s rights (which in many of the cases was their right to privacy), especially where the person was not a public figure and/or the matters reported concerned private activities of the individual (e.g. extra-marital affairs or an individual’s private sexual life). [3]
- The DPC does not accept that rules about standards and burdens of proof are relevant to the identification of public interest in media publications. Newspapers are not in the same position as the court and do not decide on the application of legal rights.
- The fact that medical information is at play is relevant to, but not determinative of, the balance to be struck between freedom of expression and the right to privacy. Medical information does require a very high level of protection. However, in this case, there was a clear nexus between the personal data published, including the special category data, and the debate in the general interest. Therefore, contrary to the Complainant’s submission, the DPC finds that the fact that the publications included data concerning health does not automatically determine the result of the balance against the right of freedom of expression and information.
[1] Excluding Article 5(1)(f) GDPR.
[2] Axel Springer AG -v- Germany App no 39954/08 (ECtHR 7 February 2012), [91].
[3] E.g. Herrity v Associated Newspapers [2009] 1 IR 316; Von Hannover –v- Germany (Von Hannover I) [2004] ECHR 294; X (Infant) v Sunday World [2014] IEHC 696 (concerning details of an infant’s birth and questions about the infant’s paternity); and Nolan v Sunday World [2019] IECA 141 and paragraph 65 Bladet Tromsø and Stensaas v Norway App No 21980/93 (ECtHR, 20 May 1999) cited by the Complainant in her submissions on the Draft Decision.
Groupon Ireland Operations Limited
On 8 March 2024, the Data Protection Commission (DPC) adopted a decision following its examination of a complaint received against Groupon Ireland Operations Limited (Groupon).
The complaint concerned an access request and an erasure request made to Groupon. In response to the requests, Groupon initially required the complainant to provide a copy of an ID document in order to verify their identity, which the complainant objected to. Groupon later facilitated the complainant’s requests without imposing such a requirement. However, having been provided with their personal data, the complainant was not satisfied that all of their personal data had subsequently been fully deleted in accordance with their erasure request.
The issues under examination in the DPC’s decision were the following:
- Whether Groupon’s request for ID in order to verify the identity of the complainant for the purposes of their original access and erasure requests was compliant with Groupon’s relevant obligations under the GDPR.
- Whether Groupon had appropriately demonstrated that the complainant’s personal data had been fully deleted in response to the erasure request.
As the processing under examination constituted “cross border” processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR. Pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion.
As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR.
The DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR. In relation to whether Groupon had appropriately demonstrated that the complainant’s personal data had been fully deleted in response to the erasure request, the DPC’s decision finds no infringement. In relation to whether Groupon’s request for ID in order to verify the identity of the complainant for the purposes of their original access and erasure requests was compliant with Groupon’s relevant obligations under the GDPR, the DPC’s decision records findings of infringement as follows:
- Article 5(1)(c) of the GDPR
The DPC finds that Groupon infringed Article 5(1)(c) GDPR by having initially required the complainant to provide a copy of their ID in order to verify their identity for the purposes of their access and erasure requests, in circumstances where no such verification appeared to have been obtained or required in order to initially open an account and a less data-driven means of verification (namely, by way of the email address associated with the account) was available to Groupon.
- Article 12(2) of the GDPR
The DPC finds that Groupon infringed Article 12(2) GDPR by initially requesting additional information as to the complainant’s identity at the time they made their access and erasure requests, in circumstances where it has not demonstrated that reasonable doubts existed concerning the complainant’s identity that would have necessitated the application of Article 12(6) of the GDPR.
- Articles 15(1), 15(3) and 17(1) of the GDPR
The DPC finds that Groupon infringed Articles 15(1), 15(3) and 17(1) GDPR by having failed to comply with the complainant’s initial access and erasure requests at the time they were made without a lawful basis for not complying, in circumstances where Groupon’s request (as a prerequisite to responding to the initial access and erasure requests) for photographic ID has been found to be an infringement of Article 5(1)(c) GDPR.
- Article 6(1) of the GDPR
The DPC finds that Groupon infringed Article 6(1) GDPR by continuing to process the complainant’s personal data following receipt of their initial request for erasure.
Corrective Powers Exercised:
In light of the infringements found, the DPC issued a reprimand to Groupon pursuant to Article 58(2)(b) of the GDPR.
For more information, you can download a copy of the full decision at this link: Groupon Ireland Operations Limited – March 2024 (PDF, 599 KB).
Inquiry into Apple Distribution International Limited
On 7 March 2024, following an inquiry in relation to a complaint received against Apple Distribution International Limited (Apple), the Data Protection Commission (DPC) adopted a decision.
The DPC commenced this inquiry on 2 November 2022 on foot of a complaint that Apple did not give effect to the Complainant’s rights and did not properly comply with its obligations under the GDPR. The Complainant contended that Apple failed to properly comply with an erasure request he submitted and had unlawfully retained certain personal data, in particular his email address.
The Complainant had made an erasure request to Apple in respect of his Apple ID on 3 March 2019. Apple confirmed to the Complainant on the same date that it was handling the erasure request to delete his Apple ID. This confirmation set out that, when the account was deleted, the data stored with Apple would also be permanently deleted. The Complainant was not informed by Apple at the time the erasure request was processed that it had retained a hashed value of his email address.
Apple submitted that it had retained a hashed value of the Complainant’s email address on the basis that the processing was necessary for the purposes of its legitimate interests, including in order to be able to demonstrate compliance with its security obligations under Article 32 of the GDPR; to prevent the recycling of namespaces by users; to protect its users against fraud and security breaches by third parties; and to demonstrate compliance with a user’s request to delete their Apple ID. Apple stated that longer periods of retention are subject to periodic reviews, and that periodic reviews are carried out of its retention practices. Apple informed the DPC it had convened with its security and engineering teams to review the period for deletion of the hashed email addresses at some fixed period of time and informed the DPC about a project which it had commenced.
The scope of the inquiry concerned an examination and assessment of the following:
- Whether Apple had a lawful basis for retaining a hashed value of the Complainant’s email address on foot of processing an erasure request pursuant to Article 17 of the GDPR;
- The period for which Apple intends to retain the hashed value of the Complainant’s email address;
- Whether Apple met the requirements of Articles 12(1) and 17(1) of the GDPR with regard to the processing of the Complainant’s erasure request;
- Whether Apple complied with the principles of transparency and the provision of information in terms of notifying the Complainant that a hashed value of his email address was retained following the processing of his erasure request.
As the processing under examination constituted “cross border” processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR. Pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned.
Following consultation and agreement from the supervisory authorities concerned, the DPC adopted its decision in accordance with Article 60(7) of the GDPR.
In its decision, following the investigation of the complaint against Apple, the DPC made the following findings:
- The DPC is satisfied that Apple validly relied on Article 6(1)(f) of the GDPR as the lawful basis for retaining a hashed value of the Complainant’s email address in this particular case;
- The DPC is satisfied that Apple has given due consideration to the principle of data minimisation in relation to the retention of the hashed value of the Complainant’s email address;
- The DPC is satisfied that Apple met the requirements of Articles 12 and 17 of the GDPR with regard to the processing of the Complainant’s erasure request in March 2019;
- In the absence of specifically informing the Complainant when he made his erasure request in March 2019 of its intention to retain a hashed value of his email address, and the legal basis and legitimate interests for so doing, Apple failed to meet the transparency requirements of Article 13(1)(c) and Article 13(1)(d) at that time.
Corrective Powers Exercised:
In light of the infringements of Articles 13(1)(c) and 13(1)(d) of the GDPR, the DPC issued a reprimand to Apple pursuant to Article 58(2)(b) of the GDPR, and the DPC ordered Apple, pursuant to Article 58(2)(d) of the GDPR to review and revise its document entitled “Apple ID Deletion Terms and Conditions” to address the transparency deficiencies identified in the DPC’s decision. In addition, with regard to Apple’s project, the DPC ordered Apple to provide details of completion of this project to the DPC by 31 December 2024.
For more information, you can download a copy of the full decision at this link: Apple Distribution International Limited Final Decision - March 2024 (PDF, 9.7 MB).
Inquiry into Airbnb Ireland UC
On 31 January 2024, following an inquiry concerning a complaint received against Airbnb Ireland UC (Airbnb), the Data Protection Commission (the DPC) adopted a decision.
The DPC had commenced this inquiry on 8 December 2022, on foot of a complaint that Airbnb had unlawfully requested a copy of the complainant’s ID (ID) to verify their identity in order to carry out an erasure request when he decided to discontinue the registration process. The complainant alleged that during the course of his registration with the platform, Airbnb sought a copy of his identity to complete the registration process. The complainant had entered his email address and phone number. He had also ticked a box to be excluded from advertising emails. The complainant stated that once he was asked to submit his ID documentation, he decided to abort his registration process. He provided his email address and created a password to access an internal area within the platform and within this area he asked Airbnb to delete all of his personal data and ensure that none of his data was transferred to third parties. The complainant stated that he was told that it was not possible to delete his data without his ID. He stated that he did not consider Airbnb’s request to have any legal basis and that it was an infringement of his right to erasure of his personal data.
The scope of the inquiry concerned an examination and assessment of the following:
- Whether Airbnb had a lawful basis for requesting the complainant’s ID at the point of registration of an account.
- Whether Airbnb had a lawful basis for requesting a copy of the complainant’s ID in order to verify his identity so that he could delete his account.
- Whether Airbnb complied with the principle of data minimisation when requesting a copy of the complainant’s ID in order to verify his account and when processing personal data relating to same processing.
- Whether Airbnb complied with the principles of transparency and provision of information at the point when the complainant’s personal data was collected from him.
As the processing under examination constituted cross-border processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR. Pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion. As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR. The DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR.
The decision, which was adopted on 31 January 2024, records findings of infringement as follows:
- Article 5(1)(c) of the GDPR
- Article 6 of the GDPR
The DPC found that Airbnb did not validly rely on Article 6 of the GDPR as the legal basis for processing the complainant’s ID. Furthermore the DPC found that in the particular situation that arose in this complainant’s case, Airbnb’s requirement that the complainant verify his identity by submitting a copy of his ID in order to make an erasure request constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c) of the GDPR.
In light of the infringements of Article 5(1)(c) and Article 6, the DPC issued a reprimand to Airbnb pursuant to Article 58(2)(b) of the GDPR.
The DPC notes that Airbnb has discontinued the practice of requesting a copy of ID to verify identity for the purpose of erasure requests.
The DPC also notes that following an order made in a previous DPC decision, Airbnb has revised its internal policies and procedures in order to prevent further infringements of Article 5(1)(c), similar to those that occurred in this case, occurring to data subjects in the future.
For more information, you can download a copy of the full decision at this link: Inquiry into Airbnb Ireland UC - January 2024 (PDF, 4.9 MB).
Inquiry into Microsoft Ireland Operations Limited
On 15 November 2023, following an inquiry concerning a complaint received against Microsoft Ireland Operations Limited (Microsoft), the Data Protection Commission (DPC) adopted a decision.
The DPC commenced this inquiry on 29 June 2023, on foot of a complaint that Microsoft failed to comply with two erasure requests submitted by the complainant in March and October 2021.
The scope of the inquiry concerned an examination and assessment of the following:
- Whether Microsoft’s handling of the complainant’s erasure requests was compliant with Articles 12 and 17 of the GDPR.
As the processing under examination constituted 'cross border' processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR. Pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion.
As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR.
The DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR.
The decision, which was adopted on 15 November 2023, records findings of infringement as follows:
- Article 12(4) of the GDPR
The DPC finds that Microsoft infringed Article 12(4) of the GDPR in respect of the March erasure request when it failed to inform the complainant of the possibility of seeking a judicial remedy when it responded to them outlining the reasons for not taking action, in part, on the complainant’s erasure request.
- Article 12(4) of the GDPR
The DPC finds that Microsoft infringed Article 12(4) of the GDPR in respect of the October erasure request when it failed to inform the complainant of the possibility of seeking a judicial remedy when it responded to them outlining the reasons for not taking action on the complainant’s erasure request.
- Article 17 of the GDPR
The DPC finds that Microsoft infringed Article 17 of the GDPR by failing to erase personal data that were the subject of the complainant’s erasure request of October 2021 without undue delay.
Corrective Powers Exercised:
- An order, in accordance with Article 58(2)(d) of the GDPR, for Microsoft to revise its internal policies and procedures as regards the information to be provided to data subjects pursuant to Article 12, to ensure that, where it informs data subjects on foot of requests made under Articles 15 to 22 of the GDPR that it has decided not to take action on the request, data subjects are informed in all cases of their right to seek a judicial remedy. Details of compliance to be provided to the DPC by 7 February 2024.
- A reprimand to Microsoft Ireland Operations Limited pursuant to Article 58(2)(b) of the GDPR in light of the infringements found.
For more information, you can download the full decision at this link: Inquiry into Microsoft Ireland Operations Limited - November 2023 (PDF, 5.6 MB).
Inquiry into Airbnb Ireland UC - 28 September 2023 (2)
On 28 September 2023, following an inquiry concerning a complaint received against Airbnb Ireland UC (“Airbnb”), the Data Protection Commission (“the DPC”) adopted a decision.
The DPC had commenced this inquiry on 22 September 2022, on foot of a complaint that Airbnb had unlawfully requested a copy of the Complainant’s ID (“ID”) in order to verify their identity in order to complete a booking on the platform. In this particular instance the complainant had previously booked the same listing earlier that year on the Airbnb platform without the need for ID verification. Airbnb rejected the IDs submitted by the Complainant as the images of his ID were unclear. Ultimately however the complainant was successfully able to complete the booking by using another Airbnb account which Airbnb believe he shares with another person.
The scope of the inquiry concerned an examination and assessment of the following:
- Whether Airbnb had a lawful basis for requesting copies of the Complainant’s ID and photograph in order to verify his identity.
- Whether Airbnb complied with the principle of data minimisation when processing a copy of the Complainant’s ID and photograph in order to verify his account.
- Whether Airbnb complied with the Conditions for Consent by making the Complainant’s ability to complete his booking conditional on the Complainant submitting his ID and photograph in order to verify his identity.
- Whether Airbnb complied with principles of transparency and provision of information where the Complainant’s personal data was collected.
As the processing under examination constituted “cross border” processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR. Pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion. As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR. The DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR.
The decision, which was adopted on Thursday 28 September 2023, records findings of infringement as follows:
- Article 5(1)(c) and Article 6(1)(f) of the GDPR
The DPC found Airbnb did not validly rely on Article 6(1)(f) of the GDPR as the legal basis for processing the Complainant’s photographic IDs and supplemental image. Furthermore the DPC found that in the particular situation that arose in this Complainant’s case, Airbnb’s requirement that the Complainant verify his identity by submitting an unredacted copy of his photographic ID constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c) of the GDPR.
In light of the infringements of Article 5(1)(c) and Article 6(1)(f) the DPC issued a reprimand to Airbnb pursuant to Article 58(2)(b) of the GDPR. In addition, the DPC made the following order against Airbnb pursuant to Article 58(2)(d) to remedy the infringements identified in this case and to prevent similar infringements occurring with regard to data subjects in the future in similar circumstances:
- revise its internal policies and procedures to ensure that the seeking of photographic ID and supplemental photographs in the verification process for users is used only where necessary, proportionate and in accordance with the GDPR for the purpose for which the personal data is collected and processed, having regard, in particular, to Airbnb’s legal obligations and the issue of whether less privacy intrusive verification methods are available and effective. Details of compliance with this order should be provided to the DPC by Airbnb by Thursday, 21 December 2023.
For more information, you can download a copy of the full decision at this link: Airbnb Ireland UC Final Decision - 28 September 2023 (2) (PDF, 2 MB).
Inquiry into Airbnb Ireland UC - 28 September 2023
On 28 September 2023, following an inquiry concerning a complaint received against Airbnb Ireland UC (“Airbnb”), the Data Protection Commission (“the DPC”) adopted a decision.
The DPC had commenced this inquiry on 7 September 2022, on foot of a complaint that Airbnb had unlawfully requested a copy of the Complainant’s ID (“ID”) in order to verify their identity in order to complete a booking on the platform. The complainant stated that he had concerns in relation to identity theft given the volume of personal data that he was required to submit in order to complete his accommodation booking. In this particular instance the complainant stated that Airbnb would not accept his booking until he verified his identity by providing a copy of his ID in addition to a newly taken photograph to ensure that the ID related only to the person making the booking. ID submitted by the Complainant was rejected as he had redacted certain information. Ultimately however the Complainant was successfully able to verify his identity by submitting a copy of his ID with only the online access code redacted.
In a further submission the Complainant stated that Airbnb initially misunderstood what he wanted to do and thought he wanted to erase his Airbnb account. He stated that Airbnb requested another copy of ID. In addition to the complaint regarding ID verification the Complainant also wanted Airbnb to delete his ID card, both redacted and unredacted versions.
The scope of the inquiry concerned an examination and assessment of the following:
- Whether Airbnb had a lawful basis for requesting a copy/copies of the Complainant’s ID and/or photograph/s in order to verify his identity, so that he could complete his booking on the platform.
- Whether Airbnb complied with the principle of data minimisation when requesting an unredacted copy of the Complainant’s ID and/or photograph/s in order to verify his identity and when processing personal data relating to same processing.
- Whether Airbnb had a lawful basis for retaining a copy of the Complainant’s ID after it had verified his identity.
- Whether Airbnb complied with the principles of transparency and provision of information where the Complainant’s personal data was collected.
- Whether Airbnb received an Article 17 erasure request from the data subject and if so, whether Airbnb’s handling of the Complainant’s erasure request complied with the GDPR and the Act.
As the processing under examination constituted “cross border” processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR. Pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion. As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR. The DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR.
The decision, which was adopted on Thursday 28 September 2023, records findings of infringement as follows:
- Article 5(1)(c), Article 5(1)(e) and Article 6(1)(f) of the GDPR
The DPC found that Airbnb did not validly rely on Article 6(1)(f) of the GDPR as the legal basis for processing the Complainant’s photographic ID and supplemental photographs; that Airbnb’s requirement that the Complainant verify his identity by submitting a complete and unredacted copy of his photographic ID constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c); that by retaining, after the identity verification process was successfully completed and until 2 February 2021 a copy of the Complainant’s un-redacted ID documents, Airbnb infringed the principle of data minimisation in Article 5(1)(c) and the principle of storage limitation in Article 5(1)(e); by retaining, after the identity verification process was successfully completed and for the duration of the user’s account, a copy of the Complainant’s supplemental images, Airbnb infringed the principle of data minimisation and the principle of storage limitation; and that Airbnb’s processing and retention until 2 February, 2021 of identity documents that it deemed inadequate or insufficient to verify the identity of the Complainant infringed the principle of data minimisation and the principle of storage limitation.
In light of the infringements of Article 5(1)(c), Article 5(1)(e) and Article 6(1)(f) the DPC issued a reprimand to Airbnb pursuant to Article 58(2)(b) of the GDPR. In addition, the DPC made the following orders against Airbnb pursuant to Article 58(2)(d) to remedy the infringements identified in this case and to prevent similar infringements occurring with regard to data subjects in the future in similar circumstances.
- delete from all of its systems and records the supplemental photographs that the Complainant uploaded (keeping only a record that such documentation was submitted and the date of submission). Details of compliance with this order should be provided to the DPC by Airbnb by Thursday, 21 December 2023.
- revise its internal policies and procedures to ensure that the seeking of photographic ID and supplemental photographs in the verification process for users is used only where necessary, proportionate and in accordance with the GDPR for the purpose for which the personal data is collected and processed, having regard, in particular, to Airbnb’s legal obligations and the issue of whether less privacy intrusive verification methods are available and effective. Details of compliance with this order should be provided to the DPC by Airbnb by Thursday, 21 December 2023.
For more information, you can download the full decision at this link: Inquiry into Airbnb Ireland UC - 28 September 2023 (PDF, 3 MB).
Inquiry into Airbnb Ireland UC
On 14 September 2023, the Data Protection Commission (DPC) adopted a decision in relation to a complaint against Airbnb Ireland UC (Airbnb), which was submitted to the Cypriot DPA, in its capacity as the concerned supervisory authority and thereafter referred to the DPC in its capacity as lead supervisory authority.
The DPC commenced this inquiry on 7 October 2022, on foot of a complaint that Airbnb did not properly comply with its obligations and the complainant’s rights under the GDPR. In particular:
- That Airbnb did not properly comply with his erasure request,
- That Airbnb unlawfully retained his personal data,
- That it did not comply with the data minimisation principle, and
- That Airbnb failed to comply with the principles of transparency and provision of information.
In this case, the data subject had submitted an erasure request to Airbnb. Airbnb responded to the data subject requesting that he verify his identity for the purpose of authenticating his erasure request, and once authenticated it informed the data subject that his personal data would be deleted unless it was permitted or required to retain data.
Airbnb did not further update the data subject in respect of his erasure request and as far as he was concerned his accounts and personal data had been deleted on foot of his erasure request. Airbnb ultimately retained the complainant’s accounts and did not delete any personal data in relation to the accounts on the advice of legal counsel following an alleged serious incident at an Airbnb listing that was the subject of a police investigation and legal proceedings.
The DPC first attempted through complaint handling to facilitate the amicable resolution of the complaint between the parties. However, ultimately an inquiry and an Article 60 decision were required to bring the case to a conclusion.
Airbnb stated that it retained the complainant’s data on the basis of the legitimate interests of those involved in or otherwise connected with the underlying police investigation and legal proceedings, including the wider public interest in preserving the integrity of police investigations and judicial processes, and the legitimate interests of Airbnb, its users, partners and those otherwise associated with the platform in keeping the Airbnb platform safe.
In its decision, the DPC:
- Was satisfied that Airbnb validly relied on Article 6(1)(f) as the lawful basis for the retention of the complainant’s personal data;
- Found that Airbnb validly relied on Article 17()(e) and that it did not infringe Article 17(1) when it restricted the complainant’s right of erasure of his personal data;
- Found that Airbnb’s retention of the complainant’s personal data in its entirety across a number of his accounts did not infringe the principle of data minimisation in Article 5(1)(c).
Following the investigation of the complaint against Airbnb Ireland UC, the DPC was of the opinion that, in the circumstances of the complainant’s case, Airbnb Ireland UC:
- Infringed Article 12(4) of the GDPR with respect to its handling of the complainant’s erasure request by failing to inform him without delay and at the latest within one month of receipt of the request of the reasons for not taking action on it and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Following consultation and agreement from the supervisory authorities concerned, the DPC has now adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR. The decision of the DPC also applied the following corrective power:
- The DPC issued a reprimand to Airbnb Ireland UC, pursuant to Article 58(2)(b) of the GDPR.
For more information, you can download the full decision at this link: Inquiry into Airbnb Ireland UC - September 2023 (PDF, 8 MB).