Djävulen finns i detaljerna (The devil is in the details)
The Swedish data protection supervisory authority Integritetsskyddsmyndigheten (hereinafter "IMY") has imposed a fine of 13 million SEK, the equivalent of about 1.1 million euros, on Bonnier AB, one of the largest Scandinavian media groups. The reason is that the group used personal data of customers and website visitors for profiling without their consent. The fine is part of increasing activity by the IMY, which recently imposed a fine of 58 million SEK (ca. 4.9 million euros) on Spotify. At the same time, the fine shows once again that data protection authorities across Europe are not joking when it comes to creating customer profiles for advertising purposes and will impose fines if consent is not obtained.
Profiling at Bonnier and the IMY decision
In the Bonnier case, the IMY found that the group collected personal data and compiled it into user and customer profiles to use for marketing purposes. No customer consent was obtained for this. The company collected data from various sources, which was then used for targeted online advertising, marketing by post and telephone canvassing. The object of the profiling used for this purpose was data on purchases in various companies of the group and usage behaviour on the internet. In some cases, this data was also combined with other personal data from third party sources, such as data on the gender of customers, whether households own a car, postcode and statistical data related to the person’s place of residence, such as age, purchasing power and type of dwelling.
Bonnier took the position that profiling was justified on the basis of Article 6(1)(f) of the GDPR, as profiling was necessary for advertising purposes and the interests of the company outweighed those of the data subject.
The IMY, on the other hand, was of the opinion that the evaluation of user behaviour, solely on the basis of a website visit, was not covered by the legitimate expectations of data subjects. It was also not to be expected that usage data would be combined with data from another purchase situation or data from other registers in order to use them for telemarketing or direct marketing. In IMY's view, consent is therefore required for such comprehensive profiling. "A balancing of interests cannot be used as a legal basis for such processing of personal data," says Ulrika Bergström, who led the IMY review.
It is noteworthy that the IMY announced at the same time that Bonnier can in future use Art. 6 (1) sentence 1 lit. f GDPR as a legal basis if the company combines various personal data, not including the browsing history, and uses this data for marketing mailings or telephone sales. The reason for this is that the group has taken various measures to limit the intrusion into the privacy of data subjects.
Classification
The IMY's decision is remarkable in two respects: Firstly, the authority has not been known for excessive fines in recent years. The last fine in the millions (of euros) before the current one against Spotify dates from 2021. This may also be related to a different understanding of privacy and data protection in Sweden. Websites such as hitta.se, eniro.se or ratsit.se (slogan: "offentligt information till alla") make it possible to view the most detailed information about practically any person publicly on the internet. Public data there includes: full name, date of birth, address, change of address, municipality affiliation and in some cases even income and which vehicle is driven. Consequently, the IMY had to be prodded into action in the Spotify case – after a complaint by noyb in 2019, nothing happened for three years until the NGO filed an action for failure to act with the Stockholm Administrative Court.
Secondly, the IMY explicitly states that profiling is possible without consent. This is a statement that has not yet been heard with such clarity from the German DSK ("Datenschutzkonferenz" – the Association of German Supervisory Authorities). This may be significantly related to the expectations of the data subjects, which are central to the weighing of interests pursuant to Article 6 (1) sentence 1 lit. f of the GDPR: if a large amount of data is publicly viewable anyway, its processing is more likely to be expected than if data for the creation of detailed customer profiles is purchased from third-party sources and combined with usage behaviour on the internet. It is important to note in this context that the Swedish supervisory authority cooperated with other European data protection supervisory authorities in the Bonnier case, so the decision definitely has significance beyond Sweden.
Basic information on and significance for profiling for advertising purposes in Germany
According to Art. 22 (1) GDPR, a decision based exclusively on automated processing – including profiling and the sub-case of scoring – is generally prohibited. However, the provision only applies to decisions that have legal effect vis-à-vis the data subject or affect the data subject in a similarly significant way and thus, as a rule, not to advertising scoring.
Article 6 (1) sentence 1 lit. f of the GDPR can be considered as a legal basis permitting profiling if, taking into account the purpose of the processing, there is a legitimate interest of the controller, whereby, for example, legal, economic or non-material interests can be considered. In this context, the broadest possible interpretation of the legitimate interest is required under (Union) fundamental law and the right to freedom of occupation must be emphasised (OLG Munich [High Court of Justice in Munich], judgment of 24.10.2018 – 3 U 1551/17, GRUR-RR 2019, 137 para. 30). When carrying out the balancing of interests, the purpose for which the personal measures are to be used is decisive. The analysis of customer data for the purpose of sending an addressed advertising letter represents a different level of interference with the rights of the data subjects than, for example, if data subjects are excluded from purchasing products or are given worse conditions due to an analysis of customer data. The reasonable expectations of the data subject (see also ECJ judgment of 11.12.2019 – C-708/18 para. 58) and the foreseeability and customary nature of the processing as well as his or her relationship with the controller (recital 47 sentence 2 GDPR) must also be taken into account.
The position of the FSC in OH Direct Marketing[1] that in the case of automated selection procedures for the creation of detailed profiles that "lead to additional knowledge gain", the interest of the data subject in the exclusion of data processing generally prevails, does not find sufficient foundation in the law in this form. It already follows from Article 21 (2) of the GDPR that profiling can also be permissible on the basis of a balancing of interests, otherwise there would be no need to regulate a right of objection.
Conclusion
The IMY decision makes it clear once again that profiling for advertising purposes does not require consent without exception, but that the boundaries are fluid. In particular, informing data subjects as transparently as possible and implementing technical and organisational measures can help to ensure that the balancing of interests pursuant to Art. 6 (1) sentence 1 lit. f of the GDPR can work in favour of the data controller, who must carry out and maintain this balancing of interests on his or her own responsibility. The reference to what can objectively be reasonably expected is not an absolute limit. In particular, this characteristic must not be overstretched to such an extent that it is tantamount to determining the presumed consent of the data subjects. Ultimately, each use case requires its own consideration.