The text discusses two landmark decisions by the Polish Data Protection Authority (DPA) regarding Meta's use of data from two public figures in deepfake advertisements on Facebook and Instagram. These cases highlight the strict enforcement of data protection laws in Poland, particularly in the context of unauthorized data use and the impact on individuals' privacy and reputation.

The Polish Data Protection Authority (DPA) recently issued two significant decisions regarding Meta Platforms Ireland Limited's processing of the personal data of two public figures. The cases revolve around the unauthorized use of personal data for displaying deepfake advertisements on the interfaces of Facebook and Instagram.

In the first case, the Polish DPA acted following a complaint filed by a well-known businessperson. The complaint involved the unauthorized dissemination of the individual's image in an ad campaign using deepfakes on Meta's platforms, promoting a fictional financial platform. The advertisements falsely attributed statements to the individual, suggesting they endorsed a scheme guaranteeing profits for Polish citizens. These false advertisements posed a major threat to the data subject's reputation, leading to a loss of trust in their professional activities. The Polish DPA found that Meta did not verify the data used in the advertisements, creating a substantial risk to the individual's privacy and professional reputation. Citing the urgency of the situation and the potential for irreparable harm, the Polish DPA applied interim measures under Article 66(1) of the GDPR and Article 70(1)(2) of the Polish Data Protection Act. Meta was ordered to cease displaying the advertisements for three months, limiting their distribution within Poland. Given Meta's jurisdiction, the Irish Data Protection Authority will ultimately handle the case.

The second case involved a complaint filed by a public figure, a journalist, whose personal data and image were used in deepfake advertisements, falsely claiming that she had died, been imprisoned, or was subjected to domestic violence. The number of these advertisements was reported to be growing, with daily notifications of new instances being flagged by the data subject. The unauthorized use of her image for displaying deepfake ads not only impacted the journalist's privacy and dignity, but also caused emotional distress to her family and friends. The Polish DPA once again found that Meta had failed to take adequate measures to prevent the misuse of personal data. The Polish DPA also applied interim measures in this case and ordered Meta to stop displaying deepfake ads containing the journalist’s image for three months. The case is also pending further investigation by the Irish DPA.