Who: Das Bayerische Landesamt für Datenschutzaufsicht (the Bavarian State Office for Data Protection Supervision)
Where: Bavaria, Germany
When: 30 July 2015
Law stated as at: 7 December 2015
What happened:
The Data Protection Authority (“DPA”) for the state of Bavaria has imposed a significant fine on both parties to an asset deal for the sale and purchase of customer email addresses. The seller and the buyer have not been identified, but each was hit with a final, uncontested five-figure fine (the exact sum was not disclosed) for failing to comply with data protection law when transferring the customer information.
In arriving at its decision, the Bavarian DPA acknowledged the significant inherent value of customer data to businesses and recognised that companies have a legitimate interest in seeking to realise the economic value in such data. According to the press release issued by the Bavarian DPA, however, both the rules of data privacy and the unfair and deceptive trade practices laws are often neglected in asset deals.
In the context of an asset deal – for example, the sale of a customer database – the Bavarian DPA held that prior consent to the transfer of personal data should be obtained from the customers concerned or, alternatively, the customers should be informed of the intent to transfer their personal information beforehand to give them the opportunity to object.
Violation of two German laws
As both parties in this case qualified as “data controllers”, both had an independent obligation to ensure compliance with data protection requirements. Since neither the seller nor the buyer obtained consent, or gave the customers sufficient information and an opportunity to object before the transfer, the Bavarian DPA found that both companies had violated German data protection law.
The Bavarian DPA said that it had been made aware of the improper trade in customer information as a result of complaints made by customers about unsolicited marketing communications received from the buyer – a company unknown to them. As with similar legislation in the UK, the German Act against Unfair and Deceptive Trade Practices prohibits the use of customer data for marketing purposes without the express consent of the intended recipient.
In trading personal information that was subsequently used for marketing and advertising purposes, the seller and the buyer in this case had fallen foul of both data protection laws and the rules governing direct marketing communications.
The Bavarian DPA has emphasised that these types of privacy breaches relating to acquisitions of personal data will be carefully monitored and offenders will continue to be punished with financial penalties.
Why this matters:
Although the decision rests on German law, which tends to take a stricter line in circumstances like this than the relevant UK laws and guidance, it highlights the general importance of carrying out data privacy due diligence before any asset deal involving personal data.
From a UK perspective, the Information Commissioner’s Office (“ICO”) has issued Good Practice Guidance advising organisations on how to comply with their obligations under the Data Protection Act 1998 when buying and selling customer information.
The ICO guidance states that unless individuals have been told at the time of providing their personal information to the vendor that it may be sold, it will not normally be permissible for that information to be sold to third parties.
A more lenient view may be taken, however, where the selling business has gone bankrupt, is insolvent or is being closed down or sold. The ICO gives more detailed assistance on best practice in these scenarios in separate guidance, although both advisory papers come with the health warning that they were published some years ago.
In particular, UK marketers looking to acquire or rent third-party data should check the more recent Direct Marketing Guidance from the ICO, which takes a strict view, for example, on the validity of consent obtained by a third party.
As in Germany, both parties involved in the sale and purchase of personal information will be considered data controllers in their own right. The ICO’s advice is therefore pertinent to both buyers and sellers.
Assuming it has legitimately come by the customer database, the buyer of any customer information should be aware of the “purpose limitation” principle and obtain consent if it wants to use the personal information for a purpose that is “incompatible” with that originally disclosed on data capture.
It is clear that the ICO – and other DPAs across Europe – are increasingly focussed on the misuse of consumers’ information and improper marketing practices. Recent enforcement action by the ICO (as reported here) emphasises the importance of undertaking appropriate due diligence when any personal data is obtained from third parties, and when any such data is subsequently put to use.