Page 39 - SMRH Eye on Privacy 2019 Year in Review Brochure

EDPB Seeks Comment On Online Services Guidance
Posted on April 23, 2019
The European Data Protection Board is seeking comment about proposed guidelines that impact websites that provide online services. This might include services a user pays for, or where the fee is indirect (the services being funded through advertising dollars, for example). The EDPB guidance points out that these services typically fall under the provision of GDPR that permits processing of personal information when it is “necessary to perform a contract.” In that regard, the guidance attempts to scope out processing that is necessary in the contractual realm. Information might be processed under one of the other legal bases that exist under GDPR, as the EDPB highlights throughout the guidance, including legitimate interest and consent. This guidance thus provides businesses with ideas about when processing might fall under the “necessary for a contract” basis as opposed to another legal basis.
In the proposed guidance, the EDPB points out that just because a particular use of information is outlined in a contract, this does not make such use “necessary.” Instead, the EDPB looks to the purpose of processing and the context of the contractual relationship. If there are less intrusive ways to process information, then the use is, according to the EDPB, not “necessary.” The EDPB provides examples, including where a user purchases something from an eRetail company by credit card, to be delivered to the user’s home. In this situation processing both the credit card number and getting the home address is “necessary.” But, if the person wanted to pick the product up, then gathering the home address would not be “necessary.” Expanding on the example, if this same eRetailer wants to create a profile of the user’s “tastes and lifestyle choices” it will need to rely on a legal basis outside of the contractual one, according to the guidance. Similarly, using information to understand usage of an online platform would not be use “necessary to perform a contract,” and instead would fall under an alternate legal basis, like (according to the EDPB) legitimate interest or consent.
PUTTING IT INTO PRACTICE: Those interested can provide comments by 24 May to EDPV@edpb.europa.eu (comments will be published on the EDPB website). In the meantime, the proposal provides a useful overview of what the EDPB considers processing that is “necessary” for the performance of a contract, and when a company would need to rely on another legal basis.
UK ICO Settles with Marketer Over Unsolicited Email Messages
Posted on April 9, 2019
Grove Pension Solutions Ltd is a UK-based company that helps people get “pension releases,” i.e. getting money out of their pensions. The company uses a vendor to conduct lead generation. That vendor would identify individuals who had given consent to get messages on a variety of third party websites (including for example, soapboxsurvey.co.uk). None of the individuals had a relationship with Grove, and the consents did not specifically name Grove. Grove sent almost 2 million messages to individuals following this process, after obtaining advice that doing so was compliant with applicable laws.
The ICO disagreed, and in its Monetary Penalty Notice, indicated Grove had violated UK law, which holds that companies cannot send unsolicited direct marketing emails unless certain exceptions apply. None of those exceptions were applicable in this instance, however, according to the ICO. In reaching its conclusion the ICO stressed that “indirect consent” is not sufficient for texts, emails or automated calls; this includes the insufficiency of a reference to getting messages from third parties generally (as was done here). The ICO recognized that Grove’s actions were not done deliberately to violate the law, that the total number of complaints was minimal, that the time frame was fairly contained, and that Grove cooperated with the ICO. For these reasons, a monetary penalty of £40,000 was deemed sufficient.
PUTTING IT INTO PRACTICE: This case is a reminder that companies should take care to ensure that they have obtained appropriate consent for sending marketing messages.