An individual created a fake account on the Mercado Libre platform with the aim of evading the payment of commissions for the services offered by the company, using an identity document belonging to another person to formalize the sale of an item. Mercado Libre noticed the fraudulent maneuver due to the discrepancy in the personal information provided and proceeded to immediately suspend the account, also applying a restriction to prevent the money from the sale from being withdrawn. The offender was informed that it was impossible to carry out any transaction under his username, as it had been detected that the ID used to create the account belonged to another person, informing him of his name and surname.
The ID card holder filed a complaint with the AAIP against Mercado Libre for sharing his personal data without his consent.
The DNPDP drew up a report confirming that two serious infringements had been committed in accordance with point 2) subsections j) and k) of Annex I of DNPDP Provision No. 7/2005 and its amendments.
Mercado Libre argued:
- That the security standards provided for in AAIP Resolution 47/2018 are not mandatory;
- That the company took the necessary measures to mitigate any type of damage to the data subject as a result of what happened.
- That there was no specific damage to the complainant, as confidentiality was never breached, given that the data was public and freely available on the Internet, and therefore, according to Article 5, paragraph 2 of Law No. 25,326, it is not necessary to obtain the consent of the data subject for the processing of data obtained from sources of unrestricted public access and in the case of lists whose data is limited, among other things, to the name and national identity document.
The DNDP disagreed with the defendant company’s argument that the data was public and could be found through an Internet search, since only data relating to the complainant’s name and national identity document number was published there, and not his connection as the actual owner of an account on Mercado Libre.
Beyond that, the DNPDP accepted the defendant’s argument regarding the inapplicability of Article 10 to the present case, concluding that the duty of confidentiality corresponds only to the duty of security.
Regarding the duty of security, the DNPDP understood that Mercado Libre:
- (i) acknowledged in its first statement the unintentional error on the part of customer service personnel and proceeded to immediately train them;
- (ii) that it quickly rectified the reported information;
- (iii) that it apologized to the complainant and made itself available to them;
- (iv) that it proactively implemented corrective measures;
- (v) that it has supplemented the user registration process with additional technical and organizational measures for identity validation to prevent future incidents;
- (vi) that it has updated its Privacy and Confidentiality Statement; and that
- (vii) it has initiated a training plan for customer service areas on the confidential, secure, and responsible use of information.
In addition, the National Directorate took into consideration that:
- (i) the company has no previous sanctions, so it is not a repeat offender;
- (ii) the scope of the irregularity detected and the volume of processing carried out was not widespread, but rather a one-off situation;
- (iii) the irregularity did not cause any financial damage to the complainant and was quickly reported and resolved;
- (iv) Mercado Libre’s diligent and proactive action in implementing corrective mitigation measures; and
- (v) it proactively reported the security incident, provided the details associated with it in accordance with AAIP Resolution No. 47/2018, and cooperated with this supervisory authority.
In conclusion, the National Directorate for Personal Data Protection decided to revoke the report and not to sanction Mercado Libre, without prejudice.
