Pablo Rivas and Marta Jaureguizar write:
On October 20th, the Spanish Data Protection Authority, the Agencia Espanola de Protecccion de Datos (AEPD), announced an unprecedented decision against an individual who impersonated someone on a social networking site and thus engaged in identity theft. The AEPD fined the individual who had created a profile in a sexually-oriented social network using personal details of a third person, including that person’s name, surname, phone number, and photo. Notably, the AEPD did not proceed against the online host of the impersonator’s content.
The impersonation was found to be a processing of the impersonated individual’s personal data without his/her consent, constituting an infringement of the Spanish Data Protection Act 15/1999, of 13 December 1999. While online impersonation has been the subject of judicial actions in Spain, this was the first exercise of the regulator’s authority under the data protection law.
Read more on Hogan Lovells Chronicle of Data Protection.