In this client alert we discuss the recent letter from the Dutch Data Protection Authority calling on banks to reconsider any plans they may have to use personal data in transactional data for direct marketing purposes, as it considers that such further processing for direct marketing purposes may violate the GDPR.
We believe that the DPA's letter may also have implications for other companies, such as utility providers, that use transactional data for direct marketing purposes; such companies are advised to review their direct marketing and upselling schemes in light of the DPA's letter.
1. WHAT DID THE DUTCH DATA PROTECTION AUTHORITY SAY?
In a letter published on 3 July 2019 sent to the Dutch Banking Association (Nederlandse Vereniging voor Banken), the Dutch Data Protection Authority (Autoriteit Persoonsgegevens – DPA) calls out to banks to reconsider any plans they may have to use personal data in transactional data for direct marketing purposes. The DPA is of the view that such further processing of personal data - which the banks obtain by executing payment transactions - for direct marketing purposes may violate the General Data Protection Regulation (GDPR).
In the letter, the DPA expresses its reservations vis-à-vis the use by banks of transactional data for direct marketing purposes without consent from data subjects. It advises banks to reconsider any use of transaction data for these purposes.
We believe that the DPA's letter may have wider implications for companies that use transactional data for direct marketing purposes. We could see the DPA's considerations apply in similar fashion to utilities services, such as water, gas and electricity and perhaps also telecommunications. Companies operating in these industries are thus advised to review their direct marketing and upselling schemes taking into account the DPA's letter.
2. WHY DID THE DUTCH DATA PROTECTION AUTHORITY SAY THIS?
The letter was sent in response to complaints by consumers and questions in the Dutch parliament following ING's amendment of its privacy statement and its announcement that it was considering offering its customers additional products based on their transactional data.
3. HOW DID THE DUTCH DATA PROTECTION AUTHORITY COME TO THIS WARNING?
In its letter, the DPA explains the considerations and arguments underlying its warning extensively. In summary, the DPA considers the following:
a. Banks process personal data embedded in transactional data in accordance with article 6 (1)(b) GDPR
The processing is necessary for the performance of the agreement between the bank and the customer related to the customer's payment account.
b. In accordance with article 5 (1)(b) GDPR, banks may only collect personal data for specified, explicit and legitimate purposes and not further process such data in a manner that is incompatible with those purposes (the so-called purpose limitation)
Banks collect the relevant data through the execution of the agreements with their customers to process payment transactions (the transactional data is being generated by processing payment transactions) and not for direct marketing purposes.
c. If the further processing for another purpose is not based on the customer's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in article 23(1) GDPR, banks must consider certain criteria in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected (article 6(4) GDPR - the so-called compatibility test)
The DPA applies a restrictive interpretation when applying the compatibility test. It is of the view that having a payment account is practically mandatory for social participation (a payment account is similar to a utility) and does not presume affinity with other financial products. Furthermore, transactional payment data give a very detailed picture of a consumer as a result of the digitalisation of payments and of digitalisation in general. According to the DPA, such data is not only sensitive due to its financial nature, but it may even contain special or other sensitive personal data (for example payments to hospitals, pharmacies, unions or political parties). As a consequence, this creates a reasonable expectation that such data will not be used for other purposes; the expectation of privacy increases as the sensitivity of the personal data processed increases. Additionally, when processing payment transactions, banks process not only the personal data of their customers but also that of other, third parties involved in the payment transaction (also referred to as silent party data). This is especially relevant where these third parties are data subjects themselves.
On the basis of the above the DPA concludes that a person who thinks and acts reasonably – considering the function of a payment account and the relationship with the bank in that respect - may reasonably expect that his personal data in transactional data will not be used for purposes other than execution of payment transactions, unless further processing for other purposes is based on his consent, a legal obligation or authority. The DPA reiterates that it is becoming increasingly difficult for a consumer to avoid the use of a payment account, and the (perceived) confidentiality related to purpose-based processing of transactional data will be lost when processed further for other purposes.
Given the aforementioned characteristics of a payment account, the development towards more extensive recording of payment transactions and the degree of sensitivity of the personal data which form part of transactional data, the DPA considers the impact on the customer's rights and freedoms considerable. It concludes that the transaction data cannot be processed for purposes other than the processing of the transaction, unless this further processing is done with consent or a legal right or obligation. The DPA further notes that the provision of information to those involved and the possibility of exercising the right to object are required pursuant to the GDPR and therefore cannot (partly) be regarded as appropriate safeguards as referred to in Article 6(4) of the GDPR.
In view thereof, the DPA calls on the banks which intend to further process personal data in transactional data without the customer's consent for direct marketing purposes, to reconsider their plans as such is likely to be incompatible with the purpose for which the data were originally collected. It reiterates that its analysis does not mean that a bank cannot (or no longer) develop direct marketing activities at all, but it must be carried out in accordance with the applicable rules.
4. SOME QUESTIONS TRIGGERED BY THE DPA'S WARNING
The DPA's warning triggers (quite) some questions which are relevant for parties active in payments – and possibly beyond the payment sector.
For example, does it apply similarly to other financial parties - not banks - processing payment data, such as (other) payment service providers? Following the recent implementation of the second Payment Services Directive (Directive (EU) 2015/2366 - PSD2), many new entrants are entering, or are about to enter, the payments market, including account information service providers (AISPs), whose business model is based on processing payment account data for information purposes. Such AISPs are not executing payment transactions; they are providing account information services (pursuant to their agreements with their customers). Does this alter the DPA's argumentation? One cannot say that account information services qualify as a utility, so does this mean that a consumer who decides to apply for this service automatically has affinity with other financial products, and may thus receive direct marketing about other financial products from the AISP? But then what about Amazon, Google, Uber, Facebook, or any other platform acting as an AISP; are they allowed to send their customers direct marketing about services and products other than financial products?
Perhaps intentionally, the letter does not cover the scenario where a bank would provide an opt-out before the processing of payment transactions begins, i.e. when a user opens a bank account. In our opinion it could well be that, given the right circumstances and safeguards (including a clear opt-out), a bank might be able to establish a legitimate interest for certain direct marketing uses.
In addition, we can see how the DPA's considerations could extend beyond the payment sector as well. Other sectors that might be affected by this letter are the utilities sector (providing water, gas and electricity) and perhaps also the telecommunications sector. While the letter is addressed to banks, the aforementioned sectors are advised, at a minimum, to review their current direct marketing and upselling practices against the relevant considerations of the DPA.
Our team of financial regulatory and data protection experts is more than happy to answer any questions you may have further to the DPA's letter or any related question you may have about the interplay between GDPR and PSD2.