Who: The Belgian Data Protection Authority (BDPA), Twoo (defendant) and anonymous plaintiff
Where: Belgium
When: 14 May 2020
Law stated as at: 1 July 2020
What happened:
The BDPA fined a social media platform, Twoo, which operates in several EU countries, €50,000 for processing – without an appropriate legal basis – the personal data of data subjects who weren’t users, but simply appeared in the address books (as used in third-party apps) of members who had consented to the processing of their personal data.
Twoo’s platform contains an “Invite a Friend” feature: users registered with Twoo had the possibility to synchronise their address books used through other apps (for example, WhatsApp, Gmail, Messenger) and send their (unregistered) contacts an invitation to join Twoo. The recipients of this invitation were pre-ticked on Twoo’s platform so that the user just had to confirm that the invitations could be sent.
Once a user opts out of the synchronisation feature, the contact details from that user’s address book (users and non-users) are retained by Twoo for a minimum duration of three months.
For these purposes, Twoo thought that they could simply rely on the existing user’s consent. In turn, the users’ e-mail invitation to the non-users among their contacts would fall under the “household processing exemption” and would not have to comply with the GDPR.
After closing its investigation, the BDPA issued its decision with the following findings:
- Twoo could not rely on the “household exemption” in its capacity as data controller, since it had the responsibility of sending the invitations once the recipients were confirmed by the user. That exemption is instead intended for the user (as a natural person) who uses Twoo’s social networking website and interacts with other users with no connection to a professional or commercial activity.
- Existing users’ consent to process personal data of other subjects cannot serve as a legal basis for processing, as consent can only be given by the one whose personal data is processed (subject to strict exceptions, e.g. parents for their minor child). This reasoning follows the one held by the Dutch data protection authority in an opinion given on WhatsApp in 2013.
- While not invoked by Twoo, legitimate interest could also not serve as a legal basis for processing in that case. The BDPA acknowledges that encouraging an increase in the number of members using Twoo and allowing users to invite their friends for this purpose is in itself a “legitimate interest”. However, the processing of personal data by Twoo is not surrounded by the necessary safeguards (more data than needed is collected, and its retention period is unjustified) and doesn’t ensure an appropriate balance with the rights and interests of the data subjects.
- More precisely, the sending of invitation e-mails to non-users would only be allowed in the context of a “compare and forget” action, in which the address book of the data subject who consented to processing of their personal data is only used by Twoo to identify those contacts that are already users (and already consented to processing of their own data) and to allow the user to select those identified as non-users (solely based on their phone numbers or a limited set of data). The personal data processed under this action should be deleted right after the address book has been accessed.
- Applying the European Court of Justice Planet49 case law, the BDPA found that pre-ticked boxes selecting the contacts to whom an invitation can be sent did not mean that Twoo’s users freely consented to the processing of their personal data.
Following the summary of the decision, the Belgian team of Osborne Clarke is currently preparing a series of articles around this milestone decision, so stay tuned for more!
Why this matters:
This decision is interesting as the BDPA applies recent case law from the ECJ and gives an extensive explanation of how to assess whether “legitimate interest” can constitute an appropriate legal basis for processing personal data. It’s also one of the first cases where the BDPA worked with other DPAs and fined a foreign company a high amount.