Processing Publicly Available Data: What are Your Obligations?

Does Your Business Obtain, Collect and Process Personal Data From the Public Domain?

It’s one year on since the General Data Protection Regulation 2016/679 (GDPR) came into force and as we predicted, data protection authorities are tightening supervision and are no longer being as forgiving of errors, as they have been in the last year. 

The GDPR protects personal data and endeavours to ensure it remains private. However, the Polish Data Authority, UODO, has recently imposed its first fine for a violation of the GDPR on a Swedish data aggregation company, Bisnode - for processing data that was publicly available!

What happened?

Bisnode used publicly available databases and registers in order to obtain personal data about entrepreneurs and business owners to perform its data aggregation services. Of around 7.6 million records of personal data, Bisnode sent notices advising of the data processing to around 700,000, since for these subjects it had their email addresses. For the remaining data subjects Bisnode only had mobile numbers and postal addresses, so instead of contacting them, it simply displayed a privacy notice on its website. 

Its reasoning for doing this was that it would have been disproportionately onerous to send privacy information by post or text - the cost would have been around EUR 7.7 million for post alone, which was greater than its previous years’ turnover. Additionally, it would have placed a massive burden on the company’s staff and resources to conduct the operation. So much pressure, that Bisnode claimed it could have threatened its continued operations as a business in Poland. 

Despite this, UODO found that Bisnode had failed to comply with its obligations under the GDPR.

The rules set out that companies must contact individuals and explain to them how they will be processing their personal data if the subjects have not given the data to the companies themselves directly (Article 14 of the GDPR).

The exception to this rule is if the effort of contacting the individuals would be disproportionate to the processing, or if it could impair the objectives of the processing.

Seems like Bisnode followed the rules, right?

UODO’s Reasoning

UODO explained that in its view, Bisnode was wrong with its rationale that contacting the affected individuals would involve a disproportionately large effort. It said that Bisnode had displayed a clear knowledge of the GDPR and its responsibilities as a controller, and the fact that it had continued to carry out processing personal data went totally against its obligations.

There had been no damage caused to the data subjects whose information had been processed, but to UODO, this was irrelevant!

Many of the data subjects were unaware that their data was being processed and by failing to inform them of this, Bisnode deprived them of their rights under the GDPR as they didn’t have the opportunity to object to their personal data being processed.

To UODO, the action that had been taken (contacting only those who they could by email) was insufficient. It argued that for the other data subjects’ whose addresses and mobile numbers were only available, notification did not have to be sent by registered mail with the high costs and efforts that Bisnode complained about - there were other easier, cheaper options. 

Are data protection authorities done being nice?

UODO issued a fine of EUR 220,000 to Bisnode. Its justification for such a high fine was that it wanted to warn other companies: don’t avoid your obligations, and risk a fine, in the hope that the fine might be less than the administrative costs of following the rules in the first place!

However, in its judgement, UODO kept Bisnode anonymous. It was not until Bisnode released a statement on its website advising it had been the offending company that the identity of the culprit was known.

This shows that while data protection authorities are cracking down on compliance, the aim is still not to put companies out of business, rather to ensure that individuals’ data is protected.

Are you compliant?

UODO’s decision has set the bar high for controllers’ obligations when processing publicly available personal data. The main guidance for now, if you are to engage in a practice like this - using data scraping, for example - is that you must tread carefully.

Tips and tricks

Contact individuals if you are going to be processing personal data about them and they have not given you this data directly. This may be, for example, information that has been gleaned from social media profiles or professional networking sites.

If it is possible and reasonable for you to contact them, individuals need to understand what the effect will be on them when the personal data is processed, how it will be processed, how long it will be processed for, and so on. 

Make sure to document any decisions, especially if your decision is that it is too onerous to alert data subjects, explaining your reasoning.

Just because the information is available publicly, doesn’t mean you avoid the obligations as a controller to ensure your treatment of the information is safe and private!

As always, if you have any questions about your obligations as a data processor or any other legal enquiries, please don’t hesitate to get in touch.

Article by Lily Morrison, Legal Consultant @ Gerrish Legal, July 2019