The DPA stated that it received a “significant amount of complaints” after the Dutch bank (not named) announced last month it would start showing advertisements for financial products offered by the Dutch bank to customers based on their spending habits. The complaints prompted the DPA to investigate.
Together with its request for reconsideration, the DPA provided an outline of factors to assess whether the use of transaction data for marketing purposes can be considered compatible with the purpose of performing financial transactions for customers:
- Under the GDPR, personal data must be collected for a specific purpose and not further processed for a different purpose if that further purpose is incompatible with the original purpose.
- This is the so-called “purpose limitation” principle. According to the DPA, banks collect transaction data for the purpose of enabling financial transactions pursuant to the contract between the customer and the bank.
- The DPA then specifically held that a bank does not collect transaction data for the purpose of direct marketing (contrary to the Dutch bank’s privacy statement).
The DPA subsequently concluded that the purpose of direct marketing is incompatible with the purpose of enabling financial transactions. It supported this argument by pointing out that having a bank account is a requirement for participation in modern society and that the mere fact that someone has a bank account cannot be used to infer interest in other financial products. This, in combination with the fact that financial transaction data can be very sensitive, led the DPA to conclude that it is not within the reasonable expectations of customers that their data would be used for direct marketing purposes. The DPA therefore found that, since the purposes are incompatible, using the transaction data for direct marketing purposes is only possible if a customer gives consent.
Too strict an interpretation by the DPA?
The DPA’s analysis is interesting due to the fact that the Dutch bank explicitly indicated that it would also collect the financial data for marketing purposes, in addition to processing financial transactions. However, according to the DPA’s assessment this is not possible due to the principle of purpose limitation. While this may have been true for data collected in the past, the Dutch bank clearly announced that it was also going to use future transaction data for direct marketing. The DPA therefore seems to imply that personal data cannot be collected for multiple purposes at once, unless those purposes are compatible.
Said our Dutch data privacy expert:
This is an interesting interpretation as the GDPR states that personal data must be collected for specified purposes and not further processed in an incompatible manner. It does not state that it must be collected for compatible purposes and not further processed. The DPA’s interpretation would, somewhat impractically, require data subjects to provide the same data multiple times if required for multiple, yet incompatible purposes.
It is unclear why the DPA focussed on the principle of purpose limitation in assessing the legality of the Dutch bank’s plans. Perhaps the more obvious question to assess here would have been whether it is possible to rely on legitimate interest instead of consent for the analysis of transaction data for direct marketing purposes.
Several Dutch banks immediately announced that they are suspending their direct marketing analyses pending further discussion with the DPA on the subject.
These “legitimate interest” and “consent” issues will keep popping up, so here is a short summary.
Under GDPR there are six lawful bases for processing personal data. But for marketing purposes, the two most popular are consent and legitimate interests.
– For consent, the individual must have given clear consent to the processing of their data for a specific purpose.
– For legitimate interests, the processing must be necessary for the legitimate interests of the controller or of a third party, and those interests must not be overridden by the interests or fundamental rights of the individual.
Consent must be:
– freely given
– specific
– informed and unambiguous
– unbundled
– granular
– named
– documented
– easy to withdraw
Consent has become something of an obsession, and is seen by many as a kind of gold standard. But under GDPR, no lawful basis is more important than any other.
So what are the pros and cons of consent?
Pros:
– Unambiguous
– easier to implement
– perceived as a gold standard
Cons:
– It is a one-off opportunity: if you ask for consent and it is not given, there is nowhere else to go.
– Response rates will be lower than under legitimate interests, because opt-in is required.
And legitimate interests? The examples given in the legislation and its recitals, and what is being claimed “out in the wild”:
– Fraud detection and prevention
– Compliance with foreign law
– Industry watch lists and self-regulatory schemes
– Information, system, network and cyber security
– Employment data processing
– General Corporate Operations and due diligence
– Product development and enhancement
– Communications and marketing
It is that last point on the above list that surprises many. GDPR is clear, Recital 47 states it in black and white: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
Complexity is added by a different set of rules – PECR (the Privacy and Electronic Communications Regulations, which sit alongside the GDPR). These require that in most cases people have to give consent to receive marketing emails, but there is a provision that refers to the “soft opt-in”. I’ll discuss that in a subsequent post.
So, what are the pros and cons of legitimate interests?
Pros:
– Flexible and not tied to a single, narrowly defined purpose
– Longer-term certainty over continued processing, since there is no consent that can be withdrawn
– A risk-based approach to compliance
Cons:
– Compliance is harder to demonstrate: you have to justify the legitimate interest and document the balancing test against the individual’s interests and rights.
– It means you take on more responsibility for protecting the interests of individuals.