On May 14, 2020, the Belgian Data Protection Authority imposed a €50,000 fine on an international dating website (the “dating platform” or the “company”) for the lack of a legal basis for the data processing operations carried out to provide an “invite a friend” feature.
In particular, it considered that the consent of non-users of the dating platform was necessary before letting a user send them invitation emails.
No fewer than 23 data protection authorities were involved in the decision-making process under the one-stop-shop and consistency mechanism. This sanction, representing 0.5% of the company’s worldwide turnover, should therefore be taken seriously by organisations using similar features.
The sanctioned company offers a platform to meet new people in the private sphere (friends or relations) and has 4.5 million active users per month worldwide, of which 1.5 million are in the EU.
This dating platform offers its users, in particular at the time of registration, a feature allowing them to invite their friends or contacts.
Users can import their address books from different service providers (Outlook, Google Mail, Yahoo, Facebook, Telenet, Skynet). The user does not have to select a service provider and can ignore the “invite a friend” feature in its entirety.
If the user wishes to invite his/her contacts, he/she is directed to the web page of his/her provider (Yahoo, etc.) and, if he/she agrees, all addresses in the address book are uploaded to the company’s servers.
The user can then select, among his/her contacts, the ones to whom he/she wishes to send an invite.
Until July 12, 2019, all the uploaded contacts were pre-selected, with the possibility for the user to untick all the checkboxes in one click. Since then, the contacts are no longer pre-selected and the user can either select the recipients individually or select all of them in one click.
The Belgian authority asked the company on what legal basis the storage of the address books and the sending of invitation emails to the contacts, whether existing members or not, were based.
2. The company considers the user’s consent as the correct legal basis for providing the “invite-a-friend” feature
According to the company, the user’s address book information was processed for the sole purpose of making the “invite a friend” feature available, and the user’s consent was therefore sufficient to carry out the necessary processing operations (i.e. uploading the address book, storing it and sending invitation emails).
Indeed, the company believed that it was not necessary to obtain the consent of the recipients, in particular on the ground that these invitation emails were not direct marketing emails subject to the ePrivacy Directive 2002/58/EC but rather personal communications as described in the 2009 opinion on social networks of the Article 29 Working Party (WP29, the predecessor of the European Data Protection Board).
3. The authorities disagreed and drew a line between contact data of existing users and non-users of the dating platform
The authorities stated that the user’s consent was not sufficient to carry out the data processing activities, and they pointed out that such consent was, in any event, not valid because the contacts were pre-selected. According to the authorities, it is up to the user to tick the boxes and choose the contacts to whom he/she wishes to send an invite.
Furthermore, the legal basis of the processing operations differs depending on whether the data are those of non-user contacts (3.1.) or of existing users (3.2.).
3.1 Concerning the processing of personal data of non-user contacts
3.1.1 Non-user contacts must give their consent to receiving invitation emails
The authorities pointed out that only the data subject whose personal data are processed can give valid consent to the processing of his or her data (except cases of minors or persons represented).
Sending invitation emails to non-user contacts is also considered direct marketing subject to Directive 2002/58/EC. The defendant could not rely on the personal communication exception of the 2009 WP29 opinion, insofar as the WP29 had changed its position in 2014 (see below).
As a result, the users’ consent is not the correct legal basis for sending invitation emails to non-user contacts, and the dating platform should have obtained the non-user contacts’ own consent.
3.1.2. Legitimate interest is the legal basis for verifying whether contacts are existing users or non-users (“compare and forget”)
According to the authorities, the company could have relied on its legitimate interest to collect data from non-user contacts, but only to verify whether these contacts were existing users of the dating platform. If the contacts were not existing users, the platform should delete their data immediately (“compare and forget”).
To reach this position, the authorities based their decision on two earlier WP29 opinions.
The authorities referred to the WP29 Opinion 5/2009 on online social networks stating that social media networks have no legal basis for the processing of data of non-users other than legitimate interest.
However, the authorities stressed the fact that this legal basis cannot be relied upon to extract contact details from address books to create a profile on the social network platform or to inform the person that the social network has his or her data and invite him or her to sign up.
Indeed, in its Opinion 06/2014 on the notion of “legitimate interest”, the WP29 states, in an example, that the contact details of non-users can only be used to check whether they are already members of the site. This is a more restrictive position than the one taken in the abovementioned 2009 opinion, which considered the sending of invites as personal communications provided certain conditions were met.
Thus, the authorities considered that only “compare and forget” processing operations could be carried out on the basis of the company’s legitimate interest.
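As an added illustration (not code from the platform or from the decision), the following Python sketch implements the “compare and forget” pattern described above: imported addresses are normalised and compared against keyed digests of existing members, only the matching member IDs are kept, non-members are counted for the audit trail but never stored, and no recipient is pre-selected. The member directory, the sample addresses and the `INVITE_PEPPER` value are constructed for the example.

```python
"""Compare-and-forget membership check for an "invite a friend" import.

Added illustration, not the platform's or the authority's code. The member
directory, the uploaded address book and INVITE_PEPPER are constructed
sample data.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed secret. Keyed hashing means the stored member digests cannot be
# reversed or matched against a precomputed table of common addresses. In
# production this would come from a secrets manager, not from source code.
INVITE_PEPPER = b"constructed-pepper-not-a-real-secret"

# Minimal syntactic check: one "@", no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalise(email: str) -> str:
    """Trim and lower-case so "Alice@Example.COM " matches "alice@example.com"."""
    return email.strip().lower()


def digest(email: str) -> str:
    """Keyed SHA-256 digest of the normalised address (HMAC with the pepper)."""
    return hmac.new(INVITE_PEPPER, normalise(email).encode(), hashlib.sha256).hexdigest()


# Constructed directory of existing members: only digests are stored, mapped
# to an opaque member id, so the directory itself holds no plaintext emails.
MEMBER_DIRECTORY = {
    digest("alice@example.com"): "member-0001",
    digest("bob@example.org"): "member-0002",
}


@dataclass
class CompareResult:
    # Existing members only: their ids can be used to send an in-platform
    # invitation on the legitimate-interest basis.
    matched_member_ids: list = field(default_factory=list)
    # Non-members are counted for the audit log but their addresses are not kept.
    discarded_count: int = 0
    # Recipients are never pre-ticked; the user must opt each one in.
    preselected: bool = False


def compare_and_forget(uploaded_contacts, member_directory=MEMBER_DIRECTORY) -> CompareResult:
    """Return the member ids found in the address book; forget everything else."""
    result = CompareResult()
    seen_digests = set()  # dedupe within this request only, by digest not by address
    for raw in uploaded_contacts:
        email = normalise(raw)
        if not EMAIL_RE.match(email):
            continue  # malformed entry: skip without retaining it
        d = digest(email)
        if d in seen_digests:
            continue  # duplicate entry in the same upload
        seen_digests.add(d)
        member_id = member_directory.get(d)
        if member_id is None:
            result.discarded_count += 1  # "forget": the address is not stored anywhere
        else:
            result.matched_member_ids.append(member_id)
    # raw, email and seen_digests go out of scope here; the only data that
    # leaves this function are the matched member ids and a count.
    return result
```

The point of returning member IDs rather than addresses is that the rest of the invitation flow never handles the uploaded address book at all: the invitation to an existing member can be sent from the platform’s own account data, and nothing about a non-member survives the request.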
3.2 Concerning the processing of personal data of contacts who are already members of the dating platform
According to the authorities, existing users’ consent is not required for sending them invitation emails.
Indeed, this type of processing operations may be based on either the company’s legitimate interest or the performance of a contract between the user and the platform.
However, in the present case, the company failed the legitimate interest balancing test and could not rely on the performance of a contract as long as the contact list was pre-ticked. Indeed, this practice of sending mass emails does not respect the principle of data minimisation (Article 5(1)(c) GDPR) or the requirements of data protection by design and by default (Article 25 GDPR).
The “invite a friend” feature requires non-users’ consent to receiving invitation emails. Nor is it possible to send them an email to obtain this consent, or to create profiles for them while waiting for them to register. This consent requirement calls into question the sponsorship (referral) systems used by many organisations.
The company does, however, have a legitimate interest in processing the data of these contacts to check whether or not the user’s contacts are existing members of the dating platform, provided that it deletes the data of non-user contacts immediately after this check (“compare and forget”).
As far as existing user contacts are concerned, the company may operate the “invite a friend” feature on the basis of its legitimate interest or the performance of a contract (i.e. no consent is required).
Since 23 authorities were involved in drafting this sanction, data controllers are advised to review their practice regarding sponsorship or any similar invitation system and to find new mechanisms either to obtain the consent of third parties (which seems very difficult to obtain) or to ensure that invitations are sent without any intervention on the controller’s part.