Transparency is one of the basic principles of the GDPR. As a data controller, you have to offer transparent information as well as transparent communication to the data subjects. Nothing against that, right? As entrepreneurs, aren’t we used to that? Perhaps we see this a little too much as a “check the box” requirement, and we do not take enough account of the need for information of the data subjects. That is certainly the opinion of the Spanish supervisor, who immediately imposed a fine of EUR 2,000,000 on two banks for this.
The Spanish fury
Do we care much about what the AEPD (the Spanish data protection authority) has decided? Pretty much. The GDPR is a European framework, and each member state has its own independent authority that oversees its application. For Belgium, this is the Data Protection Authority (DPA). Belgian companies can therefore only be reprimanded by the DPA if they make a mistake as a data controller.
However, the DPA will apply the same basic rules as the AEPD (or other European supervisors such as AP in the Netherlands or CNIL in France) – so it is certainly important to also look over the wall.
The reality check of the AEPD position
That the fines imposed by a supervisor can be high is no longer news. However, what is interesting here is not the high amount of the fines, but the determination and motivation of the breaches.
That general legal standards must be interpreted is also quite acceptable. But when such interpretation leads to the setting of new and (almost) unfeasible standards, it leads to great uncertainty. Worse than the uncertainty is that it can completely erode the support for privacy-aware action.
Both decisions have a number of things in common: the type of entity affected by the sanctions (large companies, in this case banks); the breaches (transparency and the lack of a legal basis); and the timing. The total fines in the 2 decisions amount to 5 million and 6 million (of which 2 million each for breach of the transparency obligation).
Is this mere coincidence or should companies (banks or not) brace themselves for the coming storm? What is striking in both decisions is how the AEPD interprets the GDPR obligations with a level of stringency never seen before, thereby setting the bar very high for companies, but also immediately giving direction to the freedom of interpretation of other supervisors.
The clarification of the transparency obligation
The supervisor clearly wanted to make a point: the decisions take up more than 150 pages each. Extensive arguments have therefore been put forward to show that the information provided by the banks did not comply with the transparency principle, and thus with the minimum and mandatory information that companies must make available to individuals under Articles 13 and 14 GDPR.
However, the behaviours that the supervisor finds improper certainly do not appear to be obvious breaches of the GDPR, but rather a common practice.
Imprecise and vague terminology
According to the AEPD, the following terms and expressions (used by many companies in their privacy policies) are vague and imprecise. They would not provide the data subject with a clear understanding of the purpose and processing activities in question:
“Knowing you better and improving your experience”; “Offering you products and services … personalised for you”; “Improving the quality of products and services”; “Your data is yours and you have control over it”; “Making your experience more personalised”; “Products and prices more tailored to you”; “I do NOT want XXX to process my data to offer me products and services … personalised for me”; “I do NOT want XXX to pass on my data to Group companies so that they can offer personalised products and services for me”; “I do NOT want XXX to process my data to improve the quality of new and existing products and services”; “To properly manage the products and services you request and contract from us”; “To track the relationship we have with you and your financial development”; “At XXX, we process your personal data to provide you with the same level of quality at all times, so that we can offer you better treatment and service in accordance with your status as a customer”; “If you want to streamline the application process, we need …”; “At XXX, we want your experience as a client to be as satisfying as possible, through a personalised relationship that is best suited to your client profile and needs. In order to achieve this, we need to get to know you better…”; “This analysis will allow us to get to know you better, assess new features for you… We would like to keep you informed about new XXX products and services, as well as provide you with tips and recommendations to better manage your financial situation. We may also send you information on XXX products and services with prices that better fit your profile, to inform you of what may be of interest to you as a customer”; “If you want XXX Group companies … to offer you products and services that are adapted in terms of characteristics and price, we will have to ask you for your permission to transmit data relating to your customer profile …”; “If you want the companies of the XXX Group … to offer you products and services which are customised in terms of their characteristics and price, we must ask you for your consent to transmit data relating to your customer profile … This information will be processed in order to try to improve the characteristics and prices of the products and services on offer”; “…so that, from XXX, we can better meet your expectations and increase your level of satisfaction”; “… As a bank, in order to be close to you as a customer and to be able to guide you during our contractual relationship, we could congratulate you on your birthday, wish you a good day or a happy holiday”; “At XXX, we believe that you as a customer have a reasonable expectation that your information so that we can improve products and services and you as a customer can have a better experience”; “In addition, we believe that you also have a reasonable expectation to congratulate you on your birthday, to wish you a good day or happy holidays”; “To provide you with an adequate service and manage the relationship we have with you as a customer …”; “to personalise your experience”; “to produce our business models”; “to analyse the use of the company’s products, services and channels”; “to apply statistical and classification methods in order to correctly adapt your profile”; “to carry out statistics, surveys, actuarial calculations, averages and/or market studies that are of interest to the company or to third parties”; “commercial offers that are tailored to your needs and preferences”; “improve the design and usability of the products”; “information generated from the products themselves”; “analysis and study”; “study products and services”; “design products and services”; “for our own management”; “provide you with a better service”; “communicate your data to third parties with whom we have an agreement”; “reasonable expectation to receive”; “management needs”; “analysis, study and follow-up for the offer and design of products and services adapted to the profile”.
Legalese or lawyer’s talk
Moreover, according to the supervisor, the categories of personal data processed by the sanctioned companies are so broad and open that almost any kind of personal data (including sensitive data) could be included. It is a practice that can easily be found in most legal texts. For example, the processing of data relating to “products, services and channels of the company” or “account transactions”, the use of expressions such as “for example”, “etc.” and “among others”, and derived data or data relating to “income” are all considered by the AEPD to be non-specific. According to the supervisor, this is particularly serious when the processing activities are based on the consent of the data subject, since in this way it is impossible to give a valid consent.
The impact: the genesis of a veritable reference work and, above all, more than just fines
However, in addition to the fines, an additional non-economic sanction was imposed that, in practice, amounts to the real sanction. The decisions oblige both banks to adapt their privacy documents, procedures and practices to the GDPR within six months.
In practice, this may entail that data processing activities based on the legal bases and/or information declared invalid or inadequate are ceased, and group companies that have received affected personal data are requested to delete them and stop processing them.
With the bar for transparency being set so high, it is certainly advisable to thoroughly review existing privacy policies to ensure that all legal requirements are met. In particular, companies (not just financial firms) should focus on taking the following key steps:
- Ensure that the privacy statement is sharply and unambiguously worded. The aim should be to ensure that the language used is not only very clear, but also sufficiently comprehensive.
- Design clear consent mechanisms, leaving no room for confusion. Companies should be particularly careful when consent covers profiling activities, marketing activities and sharing of information with third parties (including members of the same group).
- Be oh so careful about the legitimate interest. Clear information must be provided about the actual, non-speculative and specific legitimate interests pursued by the data controller (as distinct from the purposes of the processing) and a proper balancing exercise must be carried out taking into account the reasonable expectations of the data subjects.
Written by Kris Seyen, Partner theJurists