Have you heard the one about the Spanish data protection regulator, the 1,911-year-old child and the €270,000 fine? No? Phil Lee tells a sorry tale of financial services, data privacy and lax data capture controls that could so easily happen.
Topic: Privacy
Who: Spanish data protection regulator / Bankinter SA and Antevenio SA
When: 14 March 2008
Where: Spain
Law stated as at: 18 June 2008
What happened:
The Spanish data protection regulator has once again flexed its muscles, imposing a hefty €270,000 aggregate fine on Spanish companies Bankinter SA and Antevenio SA. This significant fine was imposed on Bankinter and Antevenio for a relatively minor breach of Spanish data protection rules and raises interesting questions about the self-funding nature of the Spanish data protection regulator.
Antevenio, an online advertising and marketing agency, operates a "permission marketing" database that allows Spanish residents to sign up (on an opt-in basis) to receive e-mails from third parties about products and services that may be of interest to them ("CorreoDirect"). Spanish residents can opt-in to the CorreoDirect service by subscribing online at www.correodirect.com. Antevenio claims that its database (which is registered with the Spanish data protection regulator) contains e-mail addresses for more than three million opt-in subscribers to the CorreoDirect service.
"1,911-year-old" receives credit card email
In 2006, Bankinter entered into a contract with Antevenio to allow Bankinter to promote its credit card product to CorreoDirect subscribers. Unfortunately for Antevenio and Bankinter, one of the recipients of Bankinter's marketing e-mails proved to be a minor aged just 9 years old.
Although CorreoDirect's terms and conditions expressly prohibited minors from subscribing to the service, the minor had managed to register his details with the CorreoDirect database. In completing the online registration form, the child specified his year of birth as "95", rather than "1995". Consequently, the CorreoDirect system calculated the child to be an incredible 1,911 years old (by deducting the child's year of birth, 95, from the current year, 2006) and failed to detect that he was a minor. (In any event, it appears that the child had inaccurately entered his year of birth – if 9 years old in 2006, his year of birth would have been 1997.)
The net result was that a marketing e-mail advertising one of Bankinter's credit cards was sent to the child, and a complaint was subsequently lodged with the Spanish data protection regulator, resulting in the whopping €270,000 fine.
"Age restrictions in terms and conditions not enough"
In its ruling, the Spanish regulator held that Antevenio had failed to put in place adequate mechanisms to prevent minors from subscribing to its CorreoDirect service; further, it said that simply relying on terms and conditions to prohibit minor use is not sufficient. The Spanish regulator has a point – a system that minors can circumvent simply by specifying a year of birth using two, rather than four, digits is unlikely to be effective. And how many website visitors actually read site conditions of use…
The Spanish regulator ruled that a key obligation of data controllers is to exercise due diligence when collecting and processing personal data. It held that an age of 1,911 should have rung alarm bells and Antevenio should have checked the individual's age and, absent parental consent, should have refrained from processing the child's data. All told, the Spanish data protection regulator ruled that Antevenio had been very naughty and that its disclosure of the minor's personal data to Bankinter was illegal. Consequently, it slapped Antevenio with a €210,000 fine.
The Spanish regulator was a little more sympathetic towards Bankinter, landing it with a mere €60,000 fine. The regulator held that Bankinter should have employed some efforts at least to ensure that the personal data supplied to it by Antevenio was lawfully collected with the consent of its data subjects.
Why this matters:
This decision once again serves to illustrate the alarming disparity between data protection enforcement standards across the EU. Under the current UK enforcement regime, it is unthinkable that illegal marketing communications sent to a single child would attract the kind of regulatory attention (let alone fine) faced by Antevenio and Bankinter. Whether this position will change over the coming months with the increased enforcement powers handed to the UK Information Commissioner by the Criminal Justice and Immigration Act 2008 remains to be seen.
"Country of destination" rule for commercial emails
What this decision emphasises is the need for marketers undertaking pan-European campaigns to assess compliance risk in each targeted jurisdiction. Whilst businesses must generally comply with the data protection rules in their country of establishment (or, failing that, the country where their servers are located), e-mail marketing communications must always comply with the data protection rules of the jurisdiction where the recipients are resident. In other words, if you are an English marketer planning e-mail marketing campaigns in France, Spain and Germany, you will need to comply not only with English data protection law but also with French, Spanish and German data protection law. Getting it wrong, as this case illustrates, can have dire consequences.
Practical tips for collecting minor data
The decision also highlights the need for online marketers to take real efforts to guard against illegal collection and processing of child data. Practical tips that marketers may wish to take on board in this regard include:
- The permissibility of collecting and processing child data varies significantly from jurisdiction to jurisdiction. When conducting pan-European campaigns, the safest, "no risk" approach might be to simply not collect personal data from any person under the age of 18. For campaigns targeted at a specific jurisdiction, local counsel's advice should be sought as to the permissibility of collecting and processing child data in that jurisdiction.
- Reliance on website terms barring child access to and use of websites is not sufficient. Where child access to a website should be restricted (for compliance with data protection or other laws), the website operator should look to implement appropriate technical measures to prevent such access.
- Related to the above point, the Spanish ruling imposes a "due diligence" requirement on marketers to verify the age of data subjects who provide their details for marketing purposes. As a minimum, this should entail checking that personal data from minors has not been unlawfully collected and also checking any unusual data that has been submitted (such as specifying an age of 1,911 years!).
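The two-digit year bug described above and the "due diligence" check in the last tip both come down to the same input-validation failure: the sign-up form trusted whatever was typed into the year-of-birth field and never asked whether the resulting age was plausible. The following is an added example, not code from the article or from Antevenio or Bankinter; it assumes a form that collects year of birth as a free-text field, and the field name, age thresholds and sample subscriber records are constructed for illustration. It reproduces the naive calculation (so "95" in 2006 really does come out as 1,911), then shows a hardened check that rejects non-four-digit years, holds implausible ages for manual review instead of treating them as adults, and refuses minors; the same check is reused to audit an existing opt-in list before it is handed to a third party.

```python
"""Age validation for an opt-in marketing sign-up form.

Added example, not code from the article or from Antevenio/Bankinter.
Assumes a form that collects a free-text year-of-birth field; the field
name, limits and sample records below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_ADULT_AGE = 18        # the "no risk" pan-European threshold from the first tip
MAX_PLAUSIBLE_AGE = 120   # anything above this is bad data, not a consenting adult


def naive_age(year_of_birth_field: str, current_year: int) -> int:
    """The flawed calculation the article describes: trust the typed value
    and subtract it from the current year. "95" in 2006 yields 1911."""
    return current_year - int(year_of_birth_field)


def check_year_of_birth(field: str, current_year: int) -> Tuple[str, Optional[int], str]:
    """Return (verdict, age, reason); verdict is one of
    'accept', 'reject_minor', 'reject_invalid', 'review'."""
    value = field.strip()
    # Reject anything that is not exactly four digits: a two-digit year
    # ("95") must never be silently interpreted as the year 95.
    if not (value.isdigit() and len(value) == 4):
        return ("reject_invalid", None, "year of birth must be four digits, e.g. 1975")
    age = current_year - int(value)
    # Impossible values are data-quality problems; hold them for a human
    # rather than treating a 1,911-year-old as an adult subscriber.
    if age < 0 or age > MAX_PLAUSIBLE_AGE:
        return ("review", age, f"implausible age {age}; hold record for manual check")
    if age < MIN_ADULT_AGE:
        return ("reject_minor", age, "under 18; do not process without parental consent")
    return ("accept", age, "ok")


@dataclass
class Subscriber:
    email: str
    year_of_birth: str   # the raw submitted string, as a form would store it


def audit_subscribers(subscribers: List[Subscriber], current_year: int) -> List[Tuple[str, str, str]]:
    """Due-diligence pass over an existing opt-in list (the third tip):
    return (email, verdict, reason) for every record that should not be
    passed on for marketing as-is."""
    flagged = []
    for sub in subscribers:
        verdict, _age, reason = check_year_of_birth(sub.year_of_birth, current_year)
        if verdict != "accept":
            flagged.append((sub.email, verdict, reason))
    return flagged


# Constructed sample records; the addresses use the reserved .invalid TLD.
SAMPLE_LIST = [
    Subscriber("adult@example.invalid", "1975"),
    Subscriber("two-digit-year@example.invalid", "95"),
    Subscriber("minor@example.invalid", "1997"),
    Subscriber("typo@example.invalid", "2106"),
]

if __name__ == "__main__":
    print("naive age for '95' in 2006:", naive_age("95", 2006))   # 1911
    for email, verdict, reason in audit_subscribers(SAMPLE_LIST, 2006):
        print(f"{email}: {verdict} ({reason})")
```

The design point is that an implausible value is routed to review rather than accepted: a check that only asks "is age >= 18?" would still wave the 1,911-year-old through, which is exactly the failure the regulator penalised. Running the audit over a list before disclosing it to a partner is the kind of "some efforts at least" the ruling expected of the data recipient as well as the collector.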