On 19 May 2020, the Belgian Data Protection Authority published two new decisions of the BDPA's Litigation Chamber, each handing down a fine for infringements of the GDPR.
The two cases were very different, but the combination makes for interesting lessons in relation to consent and legitimate interests. Other topics covered include the processing of health-related data, the use of "invite/tell-a-friend" functionality, whether to publish a DPIA and what to check in a privacy statement.
First case: social media network and "invite/tell a friend"
The first case concerned a social media provider that aimed to continuously increase its user base by encouraging both existing users and new joiners to invite their friends to the social media platform.
The social media provider claimed that the "invite a friend" functionality it had implemented was lawful, and that it even fell outside of the scope of the GDPR by virtue of the so-called "household exemption", which allows each of us as individuals to process personal data (e.g. on our friends and family) in the context of our private life, for our own personal reasons, without the need for us to each comply with the GDPR.
A) Main findings
First, the Litigation Chamber stated unequivocally that implementing "invite a friend" functionality made the provider a controller within the meaning of the GDPR, and such processing of personal data did not fall within the scope of the "household exemption". In other words, the GDPR applied in full.
Next, the Litigation Chamber examined the legal grounds for the "invite a friend" system. As per such a system, the user gave the provider access to his or her list of contacts, so that a message could be sent to those contacts to join the social media platform or, if they were already members of the social media platform, to become part of that user's network of friends on the platform.
In this respect, the Litigation Chamber considered the following:
1. First, the user choosing to "invite a friend" could not give a valid form of consent to the processing by the provider of the intended recipient's personal data. The Litigation Chamber stated that only the data subject whose personal data are processed can validly consent to the processing of this data (save specific exceptions such as parental consent). In the event where the personal data provided concerns a third party, such third party must give his/her consent in accordance with the conditions set out in Articles 4.11 and 7 of the GDPR.
2. Next, under the GDPR, "legitimate interests" might in theory be a valid legal ground in relation to the processing of the personal data of a user's contacts. The "necessity" test would then only be met if:
a first check is carried out to identify if the user's contacts are existing users of the platform/website and have given their consent to the use of their contact details for the purposes of communication on the platform/website and
the contact details of non-users (as identified based on that check) are immediately deleted ("compare and forget").
In practice, this was not the case.
3. The Litigation Chamber referenced an opinion of the Article 29 Working Party (WP29) on online social networking (5/2009), which was in the words of the Litigation Chamber "in principle still relevant, as the legal ground of legitimate interests has not been substantially modified" as a result of the GDPR. That opinion 5/2009 states that "invite a friend" mechanisms on social media platforms are permitted if they meet 4 conditions (the combination of which transforms the message into a "personal communication"):
- no incentive is given to either sender or recipient;
- the provider does not select the recipients of the message (i.e. it's up to the user to select who receives the e-mail/message; the provider is not allowed to pre-tick all recipients);
- the identity of the sending user must be clearly mentioned;
- the sending user must know the full content of the message that will be sent on his behalf.
According to the Litigation Chamber, if these 4 conditions are met, no consent is required for an e-mail invitation to the user's non-member contacts or a message on the platform to contacts who are existing members, provided the other GDPR principles are complied with (including data protection by design & by default).
4. The social media provider regularly claimed that "others were doing the same thing" (with references to e.g. certain operating system providers, large social networking sites, etc.). The Litigation Chamber rejected these considerations at length: claiming that others do it is not a valid defence.
B) Additional considerations
Beyond the above elements relating to the "invite a friend" functionality in particular, the Litigation Chamber was led to examine a practice in relation to the seeking of consent to commercial communications by e-mail. If e-mail marketing requires consent, can this consent be obtained by a separate, non-marketing e-mail?
In Belgium, the Ministry of Economy validated this approach fifteen years ago, stating that consent could be requested by way of an informational – and not commercial – e-mail. In other words, if the social media provider wished to send commercial e-mails to a new recipient who had not yet consented thereto, it was authorised to send an informational e-mail to request consent to the sending of commercial e-mails.
Other authorities across the European Union have rejected this approach over the past few years, and now the Litigation Chamber has done so as well, stating that this practice (sending an e-mail to seek consent to e-mails for marketing purposes) is not allowed under the GDPR.
C) Conclusion
Based on the findings of infringements in relation to the legal grounds for the "invite/tell-a-friend" functionality, the Litigation Chamber imposed a fine of 50.000 EUR.
What could a similar organisation probably have done to avoid such a fine?
- Clearly identify which legal grounds apply and the justification for the choice made;
- Limit retention of the contact lists, ideally removing them immediately after checking ("compare and forget");
- Put in place a mechanism that meets the four criteria set out above.
Second case: insurer & legal grounds
The second case concerned an insurer providing notably health insurance services. In this case, the Litigation Chamber focussed mainly on the question of the legal grounds for the various processing activities described in the insurer's privacy statement.
A) Main findings
That privacy statement mentioned a range of purposes of processing, including for instance fraud prevention, analytics, marketing etc. However, the legal grounds linked to these purposes were unclear. Unspecified legitimate interests were supposedly a legal ground for some of these processing activities, and consent was even requested separately for specific purposes (despite claims during the proceedings that this was based on legitimate interests).
In practice, the Litigation Chamber held that the controller did not demonstrate any legitimate interest that would justify processing for those purposes, so consent was required.
In addition, the privacy statement did not meet some of the requirements of Art. 13 GDPR. For instance, the Litigation Chamber criticised the absence of any indication of data subjects' right of objection to the processing of their personal data (in relation to both direct marketing processing activities and other processing activities based on "legitimate interests" as a legal ground).
Moreover, and once more, the Litigation Chamber criticised the lack of any information on the specific legitimate interest invoked.
B) Additional considerations
The Litigation Chamber mentioned two items in passing with consequences going beyond this particular case:
First, responding to a request by the plaintiff for the insurer to provide a copy of its data protection impact assessment (DPIA), the Litigation Chamber stated that controllers are not required to publish DPIAs, although publishing at least parts of a DPIA is "particularly good practice".
Second, as regards the legal grounds for the processing of health data, a frequent question facing health insurers and their advisors was which legal ground to choose. The performance of a health insurance contract requires access to certain health-related data, which would suggest that "contract" is an appropriate legal ground under Article 6 GDPR. However, because this data is a "special category" of personal data, Article 9 GDPR also applies, and this article does not mention "contract" as a legal ground. Insurers might then be tempted to combine "consent" under Article 9 GDPR with "contract" under Article 6 GDPR; however, regulators have stated that the requirement that consent be "freely given" prevents the bundling of consent with a contract. Faced with this dilemma, several insurers have opted for precisely this combination, considering that the GDPR permits this particular form of bundling (based on Article 7(4) GDPR in particular) and that the regulators' opinions only cover Article 6 GDPR and not the combination between these two provisions.
This position appears to have been rejected by the Litigation Chamber, without (in our opinion) any clear justification or any reasonable alternative for insurers. Instead, the Litigation Chamber merely stated that there is a need for national legislation to foresee a specific legal ground for the insurance sector to allow the processing of health data in the framework of the (pre-)contractual relationship between insurance provider and insured person. The insurer was not fined on this point, but the decision appears unfortunate in that it will only lead to more uncertainty.
C) Conclusion
Based on the findings of lack of transparency and inappropriately documented and justified legal grounds, the Litigation Chamber imposed a fine of 50.000 EUR.
What could a similar organisation probably have done to avoid such a fine?
- Think carefully about which legal ground you wish to invoke for the processing activities, and be consistent across all forms or interactions with data subjects;
- Use Articles 13 and 14 GDPR as a checklist and ensure that the privacy statement contains all of the items referred to in those articles.