Belgium: DPA imposes fine on provider of “pink boxes”: free products vs. free consent and other interesting take-aways
On 27 January 2021, the Belgian Data Protection Authority (“BDPA”) imposed a EUR 50,000 fine and an obligation to change its data processing activity on the company “Nationale Dienst Voor Promotie van Kinderartikelen NV”/“Service National de Promotion des Marques Enfantines SA” (“Family Service”, its tradename).
Family Service distributes the famous “pink boxes” in Belgium. These “gift baskets” are provided to (future) mothers and contain samples, special offers and information sheets on “child products”. Family Service, however, also licenses and sells personal data of these mothers (and their children – according to the BDPA’s interpretation) to its business partners for direct marketing purposes.
Family Service was sanctioned for various breaches of the GDPR (the list is quite impressive), including a lack of transparency towards its customers about selling and licensing their personal data. The company shared data of more than 1 million customers with business partners, without having obtained valid consent (or without being able to rely on another legal basis).
The BDPA’s press article, with a link to the decision, is available in French and Dutch. Below, we provide an overview of the two main infringements: lack of legal basis and breach of the transparency obligation. Additionally, we provide some key takeaways from this decision.
- Lack of transparency on selling/licensing personal data
Whilst it seems obvious to many that in exchange for free samples, personal data will be processed for marketing purposes, data controllers indeed have the responsibility to be fully transparent towards data subjects.
In this case, the BDPA stated that Family Service breached the transparency obligation. Four specific topics are to be highlighted:
- “disguising” as a “not-for-profit organisation”
The BDPA initiated an investigation after a complaint against Family Service. The complainant indicated that she was under the impression that Family Service was a government agency or non-profit organisation (due to its company name, the fact that hospitals provide its boxes, etc.). The BDPA on numerous occasions states that the mere fact that the complainant was under this impression demonstrates that Family Service was not transparent enough regarding its processing activities.
- Level of transparency – similar to advertising
The BDPA emphasizes that Family Service should be as transparent on the data sharing as it is on providing the “free” samples. It seems that the BDPA raises the bar unreasonably high, as it demands that data controllers provide information on the processing activities in the same manner as they would provide “advertising”.
According to the BDPA, Family Service should also have explicitly used wording like “data selling” and “direct marketing” in its communication. Sugar-coating or camouflaging direct marketing-related processing activities should be avoided.
- Defining the purpose of the processing activity
When defining the purpose of the processing activities, it is also interesting that the BDPA states that Family Service should have explicitly mentioned that it receives remuneration for providing the personal data to its business partners. Whilst one could argue that “providing the personal data to business partners for direct marketing purposes” could be sufficiently transparent, the BDPA considers that the “purpose” of the processing activity of Family Service is not merely providing the data, but also receiving a remuneration for this.
- List of recipients – business partners
The BDPA refers to the guidelines of the European Data Protection Board, where it states: “if the data is to be transferred to or processed by other controllers who wish to rely on the original consent, these organisations should all be named”. Merely providing a list of “categories of recipients” (as required under article 13 GDPR) is therefore considered insufficient by the BDPA.
Family Service tried to rely on the protection of its “company secrets”, but the BDPA states that no explicit legal basis (e.g. in relation to business secrets) exists that limits the obligation to provide full transparency (i.e. provide the full list of recipients relying on the consent obtained by Family Service).
An interesting side note is that the BDPA also stated that where the recipients would only provide products without asking for anything in return, data subjects should not be informed on the full list of recipients. In this case, the BDPA states that where data are being sold, “it is by definition mandatory to provide the list of partners based on article 5 j° 13 GDPR”.
- Lack of a lawful legal basis
Family Service relied on “consent” for the processing after 25 May 2018. For the processing activities prior to that date, it relied on its “legitimate interest”. Although some interesting elements are taken into consideration by the Inspection Service and Litigation Chamber of the BDPA when analysing this second legal ground, we limit our analysis to the processing activities based on consent.
The consent was considered not to be informed (see above), nor freely given and/or specific. Moreover, the BDPA considered the “consent withdrawal mechanism” to be unlawful.
- Free consent vs. “free” samples/products
Recital 42 GDPR states: “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment”.
In its press release, the BDPA emphasises that “consent cannot be considered free if the failure to give consent means the loss of the benefits associated with receiving the pink box”. This raises questions, as the Court of Appeal/Market Court previously annulled a decision by the BDPA (in the context of loyalty cards), stating that losing the opportunity to receive additional benefits is not to be considered as a “detriment” (published here, in Dutch only).
The BDPA states that the facts of this case are sufficiently different – as providing the boxes is the core service provided by Family Service, not an additional benefit like those provided in the context of a loyalty card. Several other arguments are invoked, such as the statement that (future) mothers cannot obtain the benefits by any other means (which seems to be a bold statement by the BDPA).
The BDPA, referring to recital 43 GDPR, also states that consent is not specific enough and therefore not provided freely, as the consent is inextricably linked to both the service of providing the boxes and the data selling/licensing.
It will be interesting to see what the Market Court’s position will be in this regard (in case Family Service files an appeal). This will be of interest for many companies offering “incentives” to data subjects to subscribe/consent.
- Right to withdraw consent
An interesting side note is that the BDPA also states that the data subject should be able to withdraw consent at the moment it is provided (this is a strange concept and it seems to be based rather on the concept of objecting to a processing activity based on legitimate interest – e.g. by providing an opt-out box where the data is collected). It is also interesting to note that an “account page” was provided by Family Service, providing the possibility to withdraw consent. This seems to be considered insufficient by the BDPA.
- Summary: some key takeaways
Contrary to what the BDPA states in its press release, it does not simply apply the rules as clarified in its prior recommendation on direct marketing. The position taken by the BDPA (and – in the future, possibly – the “court of appeal”/ “Market Court”) should therefore be carefully examined by companies that are selling or licensing personal data.
Below, we provide an overview of some key take-aways for companies that sell or license personal data. As explained above, you should:
- provide unambiguous information towards data subjects on your data selling/licensing;
- re-evaluate explicitly mentioning the names of data recipients/business partners in your privacy statement;
- re-evaluate the consent mechanism used, taking into account the “benefits” provided to data subjects when providing consent.
Moreover, you should also:
- make sure strong contractual arrangements are in place with business partners / recipients of data – to avoid complaints by data subjects;
The complaint that initiated the investigation was filed after non-compliance with the right to object by a third party (a business partner of Family Service). As this company was based in the Netherlands, the BDPA’s Inspection Service stated that it was not competent to investigate this business partner, as it does not have a branch in Belgium.
- re-evaluate your retention periods;
The personal data was processed for 18 years, which was considered unlawful by the BDPA, as it was disproportionate considering the initial consent and the reasonable expectations of the data subjects (as this consent was mainly linked to baby products).
The BDPA’s decision covers a lot of ground. Several procedural aspects are interesting as well (regarding the language of the procedure, the use of arguments typically invoked in criminal cases, the elements that are considered to impose fines, such as the impact of COVID-19, etc.). You can find several of the BDPA’s policies which further explain these procedural elements here. Please feel free to contact your DLA Piper contact if you have any questions regarding any of the above.