Article, GDPR

Can Legitimate Interests Ground Justify Web-Scraping of Personal Data for Direct Marketing Purposes under the GDPR?

by Ali Talip Pınarbaşı, LLM

WHAT IS DIRECT MARKETING? HOW IS WEB-SCRAPING USED FOR DIRECT MARKETING?

As grabbing customers' attention through digital advertising has become harder, reaching out to customers directly has become more vital for businesses. Examples of such direct communication include cold-calling, cold-emailing, postal mail and point-of-sale marketing. All of these methods constitute direct marketing.

The distinguishing feature of direct marketing is that the prospective customer does not initiate the communication; the first step is taken by the seller, who usually calls on the customer to take a certain action such as subscribing to a newsletter or making a purchase.

Every direct marketing campaign, be it e-mail marketing or telemarketing, requires access to vast amounts of customer contact data such as e-mail addresses and phone numbers.

However, such contact data does not magically appear in the marketers' databases, so they need to extract it from various sources, including websites and online directories.

This is where web-scraping methods come into play: web-scraping is a technology used to extract the contact details of individuals from websites and online directories. Following the extraction of this data, the marketers contact the individuals to promote their products or services.

For example, an insurance company may want to advertise its new car insurance product to people who have been in car accidents before. To send e-mails or make calls to those people, the insurance company will have to collect the contact details of these individuals. This company can use web-scraping technology to collect their contact details.

LEGITIMATE INTERESTS CAN BE THE LEGAL BASIS FOR SCRAPING OF PERSONAL DATA FROM THE WEB FOR DIRECT MARKETING PURPOSES

When the data controller extracts personal data from websites or directories, it is likely that she does not have the consent of the data subjects. Therefore, data controllers must justify their scraping activity under another lawful basis for processing personal data, which will inevitably be the ‘legitimate interests’ basis.

However, it is quite common to come across articles on the internet which posit that the GDPR completely prohibits web-scraping and that, unless there is consent, the processing is unlawful and will lead to hefty fines.

One recent example supporting this prevalent view is the French Data Protection Authority's (CNIL) guidance, which rejected the possibility that legitimate interests can justify the scraping of personal data. The reasoning behind this position is that data subjects do not expect to receive direct marketing communications from a third-party data controller when they share their personal data with a data controller.

In other words, the Guidance rejects reliance on the legitimate interests ground to justify web-scraping based on one single criterion: the expectations of the data subject.

However, as will be explained below, the legitimate interests assessment cannot be reduced to a single determining criterion, because it requires taking into account all factors and circumstances.

The following reasons demonstrate why the legitimate interests ground can be used to justify web-scraping.

  1. Scraping of personal data from the web is a separate processing activity subject to the GDPR, and it is distinct from the direct marketing activity itself.

Consider a data controller who scrapes personal data from the web and then uses this data for direct marketing purposes, such as sending cold e-mails to individuals. In this scenario, the scraping activity and the cold e-mailing are two separate processing activities subject to the GDPR, and both have the same purpose: direct marketing.

As the scraping of personal data is done for direct marketing purposes, the GDPR's rules on processing personal data for direct marketing purposes should apply to this scraping activity.

Recital 47 of GDPR states that “[t]he processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

Considering the GDPR's approach, rejecting reliance on the legitimate interests ground to justify web-scraping for direct marketing purposes seems like a bizarre result which does not align with the wording of the GDPR.

  2. The data controller has the discretion to conduct a legitimate interests analysis to justify web-scraping; the GDPR does not categorically exclude web-scraping of personal data.

Stating that web-scraping can only be justified on the basis of consent makes web-scraping activities completely illegal under the GDPR, as consent is practically impossible to obtain in web-scraping activities. In other words, rejecting reliance on legitimate interests means prohibiting a data processing activity that the GDPR did not prohibit.

On the contrary, the GDPR explicitly states that the processing of personal data for direct marketing purposes can be lawful on the basis of legitimate interests. If the purpose of a web-scraping activity is direct marketing, it does not make sense to say that consent can be the only lawful basis for the scraping activity.

Therefore, the data controller should be able to rely on the legitimate interests basis to justify its web-scraping activity.

This of course does not guarantee that the web-scraping activity will be considered lawful in every circumstance. A web-scraping activity can still be unlawful if the conditions for legitimate interests are not satisfied.

Having established that legitimate interests can justify web-scraping, let's now look at how the test would be applied in practice.

APPLYING THE LEGITIMATE INTERESTS TEST TO WEB-SCRAPING FOR DIRECT MARKETING

The legitimate interests test requires a balancing exercise in which the interests of the data controller are weighed against the rights and freedoms of the data subjects. While doing this balancing exercise, all factors and circumstances should be taken into account.

This balancing exercise can be carried out by applying a three-step test:

  1. What are the legitimate interests of the data controller?

In such a competitive business environment, reaching out to potential customers to promote its products and services is vital for every business. Therefore, collecting the contact details of individuals in order to contact them for direct marketing purposes serves the commercial interests of the data controller. Two examples of these commercial interests can be given.

Firstly, web-scraping for direct marketing purposes costs far less than traditional marketing methods or running ads on digital media platforms. This is particularly true for small and medium-sized businesses, which have very limited marketing budgets and have difficulty reaching their target customers.

Secondly, web-scraping can be effective in finding a specific group of customers who might be more likely to engage with the business. For instance, web-scraping can help the business market its products or services to a particular group of people who belong to a certain age group or who live in a specific region.

  2. Is web-scraping necessary?

This step requires an investigation into whether there are less intrusive ways to achieve the marketing goal.

The answer will vary depending on the particular industry in which the business operates, the availability of other methods to reach customers, and the impact on the privacy of the data subjects.

For instance, if the data controller is planning to promote its farming equipment to farmers by cold e-mail or cold calling after scraping their contact information, this may pass the necessity test because it may be the most convenient way to reach the customer, since it is almost impossible to reach farmers through traditional media outlets or by running ads on digital platforms.

  3. Do the individual's interests override the interests of the data controller?

This step requires a balancing exercise between the two sides. The following factors should be considered in this weighing exercise:

- the potential privacy impact of the web-scraping on the individual (if it is high, this may tip the balance in favor of the web-scraping being unlawful),

- the sensitive character of the data,

- the reasonable expectations of the customer,

- the degree of intrusion of the processing.

Depending on the specific circumstances of the case, the result of the balancing exercise will differ.

For instance, let's imagine two different scenarios in which personal data are scraped from the web for direct marketing purposes.

Scenario 1: Company A scrapes the e-mail addresses of thousands of high school students to promote its math course materials to them via cold e-mailing. However, it takes appropriate security measures on the data, such as encryption and pseudonymization, and does not share this data with third parties. Furthermore, it does not send spammy e-mails to every person but only selects a small number of relevant students to promote its products to.

Scenario 2: Company B does the same scraping activity as Company A, but it does not apply the relevant security measures and shares the scraped data with third parties.

Comparing these two scenarios, it is clear that the privacy impact of Company A's scraping activity on individuals is minimal, whereas Company B's scraping is likely to expose the personal data of the data subjects to high risk.

As can be seen, every instance of web-scraping for direct marketing purposes has different implications for individuals, and justifying it on the basis of legitimate interests requires a case-by-case analysis.

CONCLUSION

The legitimate interests ground can justify the web-scraping of personal data for direct marketing.

While doing the legitimate interests analysis, all factors and circumstances should be taken into account, such as the privacy impact on the individual, the commercial interests of the data controller and the necessity of web-scraping, instead of focusing on one criterion alone, such as the expectations of individuals.

About the author

Ali Talip Pınarbaşı is a Legal Consultant based in Istanbul. He provides legal consultancy services on IP Law and Data Protection Law. He completed his LLM degree at King's College London, specializing in IP & IT Law.

Article, Commentary, Covid, GDPR

Location privacy and data retention in times of pandemic and the importance of harmonisation at European level

Patrícia Corrêa

In this time of pandemic, many countries are starting to actively monitor cellphone data to try to contain the spread of the new coronavirus. Governments are using location data to trace contacts or to monitor and enforce the quarantine of persons who have tested positive for COVID-19 or of those with whom they have come into contact.

The United States Government is in discussions with the tech industry about how to use Americans' cellphone location data to track the spread of the novel coronavirus. In Iceland, authorities have launched an app that tracks users' movements in order to help trace coronavirus cases by collecting data about other phones in the area. In India, state authorities have also launched an application to track the movement history of persons who tested positive, also providing the date and time of the patients' visits to particular spots. In Brazil, at least one city is already using cellphone data to monitor gatherings of people and take action to disperse them, and soon the federal government will follow. There are reports of similar approaches in many other countries as well.

At European level, Internal Market Commissioner Thierry Breton has held a videoconference with CEOs of European telecommunication companies and GSMA to discuss the sharing of anonymised metadata for modelling and predicting the propagation of the virus.

Does this approach necessarily put data privacy at risk? Is the trade-off between data privacy and public health necessary? While it is true that in exceptional circumstances fundamental rights need to be balanced against each other, data privacy shall not be an insurmountable obstacle to the implementation of exceptional public health policies.

Some basics on data and metadata

Simply put, data consists of potential information that has to be processed to be useful. [1] Metadata, on the other hand, is “data about data”, comprising all the information about data at any given time, at any level of aggregation. It is structured information about an information resource of any media type or format. [2]

In order to safeguard privacy, personal data must be anonymised before its processing. Anonymisation refers to the process of de-identifying sensitive data while preserving its format and type [3] so that it cannot be tied to specific individuals. Privacy can also be assured by means of aggregation, which refers to the “process where raw data is gathered and expressed in a summary form for statistical analysis.”

Conditions for the use of location data

While in some countries the use of information to combat the COVID-19 outbreak seems to go beyond anonymised data (individual location and contact tracing, for instance, requires device-level data), in Europe, so far, collaboration between telecommunication companies and governments appears to encompass only the exchange of anonymised data or data-based models. At that level of data processing, the European Data Protection Board issued an approval statement subject to some conditions, such as the anonymity of the processed data and the applicability of administrative controls, including security, limited access and limited retention periods.

On April 8, the European Commission issued a Recommendation on a Common Union Toolbox for the Use of Technology and Data to Combat and Exit from the COVID-19 Crisis, in particular concerning mobile applications and the use of anonymised mobility data. The Recommendation acknowledges the value of digital technologies and data in combating the COVID-19 crisis, stating, however, that fragmented and uncoordinated approaches could hamper the effectiveness of measures aimed at combating the pandemic and violate fundamental rights and freedoms. It sets up a process for developing a common approach (the Toolbox) to using digital means to address the crisis. The Toolbox will consist of practical measures for making effective use of technologies and data, with a focus on a pan-European approach to the use of mobile applications, coordinated at Union level, and a common scheme for using anonymised and aggregated data on the mobility of populations.

Regarding the use of mobility data, the Recommendation provides, inter alia, for safeguards to be put in place to prevent de-anonymisation and avoid the re-identification of individuals, including guarantees of adequate levels of data and IT security, and an assessment of re-identification risks when correlating the anonymised data with other data.

The right to location privacy

According to Article 4(1) of the GDPR, personal data comprises any information relating to an identified or identifiable natural person, including location data. Location data, as defined by the ePrivacy Directive, means any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service. It can be tied to a known individual (e.g. a name linked to a cell phone subscription) or to an identifier associated with a specific device (anonymised data). In other cases, a dataset is modified to display the location of groups of people instead of individuals (aggregated data).

Location privacy, hence, relates to the location information of an individual in a sense that prevents others from learning about one's current or past location. [4] In other words, “this definition captures the idea that the person whose location is being measured should control who can know it.”

The right to location privacy encompasses two fundamental rights, both guaranteed by the Charter of Fundamental Rights of the EU: the respect for private and family life (Article 7) and the protection of personal data (Article 8). Notwithstanding their importance, fundamental rights are not absolute and can be restricted in exceptional situations. As stated in Article 52(1), restrictions on these rights can only be imposed when they are lawful, legitimate and proportionate.

Location privacy is also protected under Article 8 of the European Convention on Human Rights and cannot be limited either, except by derogation in time of emergency, consisting of war or other public emergency threatening the life of the nation. In that case, the measures shall be taken strictly to the extent required by the situation and cannot be inconsistent with other obligations under international law (Article 15).

Data retention in EU context

In the Digital Rights Ireland case, the ECJ declared Directive 2006/24/EC invalid; the Directive required providers of publicly available electronic communication services or public communication networks to retain the telecommunication data of individuals for the purposes of preventing, investigating and prosecuting serious crime. The ECJ took the view that the Directive did not “provide for sufficient safeguards … to ensure effective protection of the data retained against the risk of abuse and against any unlawful access…” According to the ECJ, although the Directive satisfies a valid objective of general interest (public security), it does not meet the principle of proportionality.

To date, there is no EU legislation regarding data retention. Filling the void, the ECJ decided in the Tele2 Sverige case on the scope and effect of its previous judgment in Digital Rights Ireland, establishing minimum safeguards that must be included in any national law regarding data retention. The ECJ therefore concluded that national legislation which did not contemplate these minimum safeguards would be precluded pursuant to Article 15(1) of the ePrivacy Directive.

Despite the guidelines set out in the Tele2 Sverige judgment, a survey by Privacy International indicates that, as of 2017, a large number of Member States still had not made the changes necessary to bring their national legislation into compliance. This is especially important in this time of pandemic, as many States in Europe are turning to private telecom companies to disclose retained location data in order to fight the COVID-19 outbreak.

Data retention and location privacy: the need for harmonisation

This scenario highlights the importance of harmonisation on the subject at European level, which would contribute to safeguarding citizens' privacy rights. That coordination between private companies and governments shall reveal how access to sensitive telecommunication data by public authorities will affect the retention of data for private purposes.

In the light of the COVID-19 pandemic, location data can be very useful for epidemiological analysis, medical research and measures against the spread of disease. This importance, however, does not preclude respect for privacy rights. In that context, a European framework for data retention is paramount to location privacy, since it can effectively regulate what data can be retained, for how long, and what measures must be taken in order to reduce the risk of violations and ensure that data is stored and shared in legitimate and responsible ways.

Final remarks

The retention, processing and exchange of location data to handle the pandemic do not necessarily have to violate privacy. There are mechanisms that, although not infallible, minimise the risks of breach in the processing of personal data, in particular aggregation and anonymisation. Besides, even in exceptional cases in which the processing of personally identifiable information is needed, EU Regulation and case law have already set some boundaries, especially regarding proportionality. What really matters is the approach authorities will choose to take after the outbreak subsides, so that mass surveillance does not become the norm.

[1] POMERANTZ, Jeffrey. Metadata. Cambridge: The MIT Press, 2015. p. 21.
[2] BACA, Murtha (ed.). Introduction to Metadata. 3rd ed. Los Angeles: Getty Research Institute, 2016. p. 2.
[3] RAGHUNATHAN, Balaji. The Complete Book of Data Anonymization: From Planning to Implementation. Boca Raton, FL: CRC Press, 2013. p. 4.
[4] ATAEI, Mehrnaz; KRAY, Christian. Ephemerality is the New Black: A Novel Perspective on Location Data Management and Location Privacy in LBS. In GERTNER, Georg; HUANG, Haosheng (eds.). Progress in Location-Based Services 2016. Switzerland: Springer, 2017. p. 360.

The Author

Patrícia Corrêa is a Portuguese qualified lawyer currently pursuing a Master’s Degree in International and European Law at Universidade Católica do Porto, Portugal.

Arbitration, Article, Courts, GDPR

Tennant Energy vs. Canada: Diluting the Impact of GDPR in International Treaty Arbitration

Bhavit Baxi

The Permanent Court of Arbitration (‘PCA’) in Tennant Energy vs. Canada[1] ruled that the EU General Data Protection Regulation (‘GDPR’) does not come within the material scope of investor-state arbitrations under Chapter 11 of the North American Free Trade Agreement (‘NAFTA’), a treaty to which neither the European Union nor its Member States are parties.

Factual Background

In June 2017, Tennant Energy LLC instituted arbitration proceedings against Canada before the Permanent Court of Arbitration. Under Chapter 11 of NAFTA, Tennant Energy claimed damages from Canada amounting to $116 million relating to its investment in a wind project.

Since the beginning of the proceedings, the preliminary issues of data protection were the prime focus of the discussions.[2] The Claimant argued that the EU General Data Protection Regulation 2016/679 should be taken into account and that procedures should be developed to comply with it, since one of the tribunal members (an arbitrator) is based in the UK.[3] Canada, on the other hand, argued that the GDPR does not generally govern the arbitration proceedings because, among other things, the claim was made under a treaty to which neither the EU nor its Member States are a party. Therefore, the arbitration is outside the material scope of the GDPR.[4]

Procedural order

On 24 June 2019, the Arbitral Tribunal informed both parties via e-mail, very briefly in two paragraphs, stating: “Arbitration under NAFTA Chapter 11, a treaty to which neither the European Union nor its Member States are party, does not, presumptively, come within the material scope of the GDPR.”

The Tribunal further clarified that the Procedural Order would not make any reference to the GDPR; however, this would be ‘without prejudice to the importance of ensuring a high level of data protection’.[5]

Applicability of GDPR

The fundamental objective of the GDPR is to protect natural persons with regard to the processing of their personal data. It regulates and safeguards the fundamental rights and freedoms of natural persons, and in particular their right to the protection of their personal data.

On a plain reading of Article 3 of the General Data Protection Regulation 2016/679, it could be concluded that the regulation is applicable to arbitral tribunals seated in the EU and also to tribunals outside the EU concerning EU data subjects.

In Tennant Energy vs. Canada, Canada argued[6] that since the Permanent Court of Arbitration is seated in the Netherlands, this grants certain immunities to the PCA and should exclude the PCA from the applicability of the GDPR.

Article 44, in Chapter V of the GDPR, expressly states that it covers the transfer of data to international organizations or third countries in order to ensure that the level of protection of natural persons is guaranteed. Moreover, a European Commission ‘adequacy’ decision is necessary prior to the transfer of personal data to third countries or international organizations.

Further, the guidelines issued by the European Data Protection Board[7] on the territorial scope of the GDPR more explicitly clarify that the GDPR can extend to data processing that occurs outside the EU: “The text of Article 3(1) does not restrict the application of the GDPR to the processing of personal data of individuals who are in the Union. The EDPB, therefore, considers that any personal data processing in the context of the activities of an establishment of a controller or processor in the Union would fall under the scope of the GDPR, regardless of the location or the nationality of the data subject whose personal data are being processed. This approach is supported by Recital 14 of the GDPR which states that “the protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.” It was further submitted by the Claimant[8] that one of the London-based arbitrators has confirmed in a data privacy notice that the GDPR applies to him, as he is both a data “processor” and a data “controller”, pursuant to how those terms are defined in the GDPR. Thus, it could prima facie be concluded that by no means can Canada escape the applicability of the GDPR.

Conclusion

The GDPR serves as a strong medium to protect sensitive and privileged personal and commercial information in international disputes. However, the impact of the GDPR in international treaty arbitrations still remains faint, and it continues to be a major topic of debate in the arbitration arena. It seems that there is a great need for case law that could settle this issue.

Lastly, the ICCA and the IBA have established a Joint Task Force on Data Protection in International Arbitration Proceedings. The task force is developing guidance to assist arbitration professionals with data protection in arbitration proceedings, which is due to be published later in the year.

The author

BLS-LLB (Hons.) Student at M.K.E.S College of Law, University of Mumbai, India.

[1] PCA Case No. 2018-54: Tennant Energy, LLC (U.S.A.) v. Government of Canada.

[2] Claimant's Submission on Confidentiality.

[3] Investor Comments on the EU General Data Privacy Regulation – Tennant Energy, LLC (U.S.A.) v. Government of Canada.

[4] Reply to Claimant's Submissions.

[5] See note 1.

[6] Tennant Energy LLC v. Government of Canada, Response to the Claimant's Submission on the European Union General Data Protection Regulation.

[7] Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation.

[8] Questions and Investor's Response to Tribunal GDPR Questions and Data Privacy Questions, June 4, 2019.