Public Information & GDPR – I can do what I like with it…wrong!
There seems to be this idea floating around that if the data is collected from publicly available sites then it is fair game for marketers. If someone has created a profile on LinkedIn for example and their email address can be harvested (say by a recruiter or data miner connecting with you) then this public information can be wrapped up, collated with other datasets and sold as a commercial product to other businesses. Those who engage in this practice may be doing so unlawfully, here’s why…
Collecting public information is Processing
It’s worth going back to the definition of processing which can be found in GDPR Article 4.(2). It states: ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. As highlighted, “collection” of data, even from a public source is processing.
Article 6 of GDPR requires that processing must have a lawful basis. There are six lawful bases:
- Performance of a Contract
- Compliance with a Legal Obligation
- Vital Interests
- Public Interest
- Legitimate Interest
Even when collecting data from public information source Controllers and Processors must still have a lawful basis for processing. This lawful basis must be documented. Now clearly, in the case of harvesting, consent for marketing is not going be able to be obtained ahead of time and so the most likely lawful basis a Controller is going to rely on for marketing is Legitimate Interest. For legitimate interests to be applied as a lawful basis the processing must comply with legal and ethical standards or industry standards (the purpose test). The processing necessity must also be weighed against the impact to the rights of the Data Subject (the balancing test). In particular, expectation the publicly available data would be used in this way, the nuisance factor, the effect and frequency of processing on vulnerable individuals. Again, this must be documented as part of your processing records, or may also form part of an Article 35 Data Protection Impact Assessment.
Ask yourself, would most Data Subjects be aware their data could be harvested when they created that online profile? Would they be happy for it to be used to send unsolicited marketing materials?
If you are collecting this information for the purposes of marketing then there is an absolute right under Article 21(2) for a data subject to object which states: “Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.” This means, when a Data Subject objects to marketing, the marketing must cease. This includes packaging their data into lists to be supplied to other companies’ marketing activities.
If the intent of the processing is to conduct direct marketing by electronic means then e-Privacy Directive may also apply. What this means is if you need consent to process under the e-Privacy Directive then it is the GDPR level of consent that must be obtained (consent is a subject for another article so we’ll not dwell too much here).
But I’ve collected it from a Public Information Source and will be relying on Legitimate Interests…I’m compliant, right? No.
The clever people who drafted the GDPR understood there are circumstances in which personal information could be collected without the prior knowledge of the Data Subject. In these cases, Article 14 (Information to be provided where personal data have not been obtained from the data subject) kicks in. This Article places an obligation on the Controller to provide certain information to the Data Subject, within a reasonable period after obtaining the personal data, but at the latest within one month. If this data is to be provided to a third party the latest time is at the time when the personal data is disclosed. Let’s look at a few examples:
Example 1 – Harvesting for marketing (internal use)
If Company A acting as a Data Controller harvested thousands of emails from public sites, Company A must, within a month, communicate with those Data Subjects and provide the information required in Article 14 of GDPR.
Example 2 – Harvesting for marketing (for resale use)
If Company A within 4 days of harvesting those emails then chose to sell that email list to a third party and on the same day sent that list to Company B. Company A must at the same time inform the Data Subjects this is what they have done.
Example 3 – Recipient of marketing data harvested without data subject knowledge
Following on from example 2 from the date of receipt of the email list, provided by Company A to Company B, Company B has one month to communicate to the Data Subjects with the information required within Article 14 of GDPR.
Enhancing public data with data collected from non-public sources – data enhancement
The key thing to understand is that when Data Controllers enhance public data with privately-obtained personal data, the combined data set is no longer public. If the lawful basis processing privately collected data did not include such enhancement activities – you simply cannot do it. If your privacy notice states your organisation will not pass on, or sell, personal data to third parties – you simply cannot do it!
There is no doubt that combining data from different sources can often create a more valuable source of data. In the Information Security world, this happens all the time. There are open-source threat libraries will catalogue bad IP addresses which organisations can combine with their private logs to determine if they have been the victim of a potential cyber attack.
But, what if a public source of data such as an electoral roll was combined by a political party to create a mailing list which they could sell on to a referendum campaign. The dataset may have been enhanced with phone numbers and other contact details but doesn’t specifically mention each data subjects’ affiliation with a political party. The point is, that referendum campaign knows exactly where they got that data from. This isn’t even hypothetical. In a report from the UK ICO “Investigation into the use of data analytics in political campaigns” (Nov 2018) this has already happened:
In response to our information notices, the Liberal Democrats stated that they had worked with a third party group which took subsets of the electoral register – which the party was entitled to access – and carried out a simple enhancement service, for example, adding phone numbers where available.
When there has been a lot of controversy about how voters may have been influenced during the UK Referendum on Membership of the European Union, it is absolutely critical that all political campaigns are compliant with the requirements of GDPR. In particular Article 14.
But I have millions of public information records, surely it’s not proportionate to inform everyone? Sorry, you do!
No matter how many records you have harvested you must still fulfil the requirements of Article 14 of GDPR. Don’t believe me? This was actually tested in April 2019 by the Polish Data Protection Authority (UODO). The decision is here (apologies it’s in Polish but I’m sure you can Google Translate if you want to read it in your mother tongue). Basically, a company in Sweden called Bisnode was fined EUR220,000 for not fulfilling its Article 14 requirements. It failed to inform a subset of Data Subjects whose details were collected from public sources. Bisnode has deemed it to be too expensive. The total dataset was around 7.6million records.
What about B2B, that’s out of scope for GDPR? Not really…
The UK Information Commissioner has been explicit that GDPR applies even in Business-to-Business marketing. It states on the ICO website:
GDPR applies wherever you are processing ‘personal data’. This means if you can identify an individual either directly or indirectly, the GDPR will apply – even if they are acting in a professional capacity. So, for example, if you have the name and number of a business contact on file, or their email address identifies them (eg email@example.com
), the GDPR will apply.
I don’t think one can be any more explicit in their wording…
Exceptions, there’s always a loophole somewhere…
Article 14 para 5 does give 4 exceptions. The one I would hypothesise organisations would go to is exception (b) which deals with the concept of disproportionate effort. I would, however, suggest caution to those going down this route. As we have seen from the UOPD decision.
Data Protection Authorities place a high bar for what is considered disproportionate.
Biznode emailed the Data Subjects where that personal information was available. What Biznode (albeit unsuccessfully) argued was that it was a disproportionate cost to send the required article 14 information by snail mail or SMS to those Data Subjects whom Biznode didn’t have an email address but did have a physical address or phone number. The UOPD disagreed and that is why they ended up with a fine.
Public Information – Wrapping Up
Public information sources can be a veritable treasure chest for businesses to improve their services and offer new and innovative products but that doesn’t mean just because the information is just there for the taking, it can be used unconditionally. The key thing to remember is whether public or hidden, personal data always remains the property of the Data Subject. If you need help with ensuring your organisation is compliant with GDPR or e-Privacy Directive then get in touch. Fox Red Risk can help.
About The Author
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy. Stephen has worked in the information security risk, business continuity and data protection world for nearly 20 years. Stephen has delivered complex security programmes across defence, real estate and financial services. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide” which is available on Amazon in both paperback and Kindle eBook.
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
22301:2019 accountability article 25 article 28 article 35 awareness bcms breach ciso contracts controller cybersecurity data breach data privacy Data Protection data protection officer data protection service Data Subject Access Request DPIA DPO DSAR encryption GDPR incident management information security leadership management Pentest Privacy processor resilience risk risk appetite risk management ROI security security as a service small business strategic strategy Subject Access Request tools transparency vciso virtual ciso