By Pablo Rivas and Marta Jaureguizar in our Madrid Office
On October 20th, the Spanish Data Protection Authority, the Agencia Espanola de Protecccion de Datos (AEPD), announced an unprecedented decision against an individual who impersonated someone on a social networking site and thus engaged in identity theft. The AEPD fined the individual who had created a profile in a sexually-oriented social network using personal details of a third person, including that person’s name, surname, phone number, and photo. Notably, the AEPD did not proceed against the online host of the impersonator’s content.
The impersonation was found to be a processing of the impersonated individual’s personal data without his/her consent, constituting an infringement of the Spanish Data Protection Act 15/1999, of 13 December 1999. While online impersonation has been the subject of judicial actions in Spain, this was the first exercise of the regulator’s authority under the data protection law.
Online impersonation, especially of celebrities, is commonplace on web sites and social networks. This new decision by the AEPD offers a new avenue of recourse for impersonated people and one that, given the substantial fining ability of the AEPD, should give pause to those contemplating impersonation.
The decision also may suggest that social networking sites and other hosts of impersonators’ content may not be the target of the AEPD’s enforcement actions, since in the recent action, the DPA went directly after the impersonator and not the host site of the impersonator’s content.
The Decision of the Spanish Data Protection Agency is published in Spanish and can be found here.