GDPR was always going to change the game – the EU set precedent last week by fining Swedish-based digital agency Bisnode for violating Article 14 of the General Data Protection Regulation.
In addition to the relatively small fine of €220,000, Bisnode is ordered to contact almost six million people it did not inform of its data-scraping activities. The company estimated it would cost around €8 million in registered-post charges alone to send out the letters the order requires.
The cost of the related administration beyond the postal outreach remains unknown. Bisnode has three months to comply with the order in full.
In recent years, governments and law enforcement have realised that the real power of legislation isn’t in the headline fines, but in the orders which accompany them. Getting a money engine to spit out cash is trivial – forcing it to rearrange itself really hurts.
It also returns power and influence to the political and legal institutions which license businesses to operate. Crucially, it generates political and legal capital that can be deployed later.
Limiting the PR fallout, Bisnode confirmed to the press that it will delete the illegally gathered data. It has also said it will challenge the decision, starting in the Polish courts, citing clauses in Article 14 which moderate the effort required of data controllers to inform users of data processing.
“The decision is seen as radical, as it interprets Article 14 literally,” Dr Lukasz Olejnik, independent cybersecurity and privacy advisor, and research associate at the Center for Technology and Global Affairs at Oxford University, said in a statement to TechCrunch.
“UODO has taken a very principled position, arguing that the company business model is fully based on processing scraped data, and that the company has taken a decision willingly. UODO also argues that the company was aware of the obligation, as it did contact part of the people via email.”
While there are big and potentially costly implications for data scrapers across various industries further down the legal line, depending on how Bisnode’s appeal(s) pan out, Olejnik adds a judicious caveat — noting that “each case might be different and have its specifics”.
The data protection authority’s decision does not currently amount to a blanket ban on data scraping; however, it does show that GDPR will be used punitively against companies which scrape covertly.
Data harvesters must notify users
Article 14 of the GDPR requires data controllers to inform users whose data is being processed, especially when the information in question has not been obtained directly from them, i.e. when personal data has been scraped off the public Internet.
The person whose data has been scraped must be told who holds a copy of their data (including anyone with whom the data has been shared, and specifically any proposed international transfers); the types of data obtained; what processing will occur; and the legal basis for the processing.
This is a huge win for civil liberties and privacy, as well as for the data sovereignty of individuals using the Internet in the EU. However, it is a massive headache for most of the current generation of data processing and IT firms. They can no longer simply harvest data quietly, share it confidentially with their partners and associates, or process it without informing the person who is its subject.
More importantly, the legal notification requirement creates an added cost, and a liability if the rules are not met. That gives pause to much larger firms which are already facing severe operational challenges and potential fines. Think of Facebook and Google, whose business models are almost entirely defined by gathering and reselling access to third-party data.
Users must also be informed of their right to complain, so they can object if they don’t approve of the proposed processing. The notification is also specific to the purpose: if a company wants to do something new or different with the data later, it must send out a new Article 14 notice.
What went wrong
Bisnode scraped personal data from public registers and other public databases relating to millions of entrepreneurs and business owners — including their names, national ID numbers and any legal events related to their business activity. This is enough to raise eyebrows on its own.
While registered addresses and/or company addresses are standard in the public data, email addresses are not, and only a fraction of the records included one. The company decided to send emails only to those people, fulfilling its Article 14 information obligation in their case. It did not send letters or SMS messages to the other millions whose data it collected, despite being aware of its Article 14 obligation to do so. This decision seems to have been motivated by cost. Instead it posted a notice on its website, later stating that it considered this to have met its legal duties.
The DPA disagreed forcefully — hence the penalty and other enforcement action.
Explaining its decision, the watchdog says Bisnode clearly knew about its obligations under Article 14 and made a conscious decision, on cost grounds alone, not to directly inform the majority of people whose personal data it had obtained for business purposes. It should instead have treated its legal obligations around data acquisition as a core component of its business costs.
The UODO points out that GDPR’s Article 14 does not specify any particular means of fulfilling the obligation to inform. Registered letters weren’t required, and neither were SMS messages per se: it simply requires that the data controller actually reach out. Bisnode’s response suggests it was actively aware of the law and willing to ignore it rather than adapt its business model.
The People’s Response
In a press release accompanying its decision, the UODO also highlights the sheer number of people who were unhappy with Bisnode scraping and using their data at all, saying: “Out of about 90,000 people who were informed about the processing by the company, more than 12,000 objected to the processing of their data.”
The fact is that informing people their data has been scraped for business and marketing purposes can and does result in them saying, “No, I don’t consent. Stop that.” This makes it much harder to build a complete database and hamstrings the company immediately. However, it does stop at least some of those informed from being actively exploited.
Respecting people’s privacy rights in Europe means curtailing unsavoury business practices, and it is telling that such a high proportion of those emailed objected. It also suggests why the company might decide not to inform the rest of its scraped data subjects: it would likely lose a huge number of them as a result.