Although privacy professionals will typically acknowledge that the EU is way ahead of the US when it comes to data privacy protections, for those outside the field it may seem a bit odd to focus on a decision by the Belgian Data Protection Authority.
As the decisions around EU’s General Data Protection Regulation (GDPR) and the ePrivacy Directive continue to develop, their impact can be felt worldwide.
Earlier this month, the Belgian DPA fined social media platform Twoo 50,000 euros, finding that its “tell-a-friend” feature violated privacy laws. How so? Consider this: a typical tell-a-friend feature requires you – the user – to provide the email address of a friend, at which time the platform (in this case, Twoo) sends an electronic communication to your friend, typically for marketing purposes. The key act in this scenario is your submission of your friend’s email address (i.e., personal data) to the platform.
Under the GDPR, a business could use your friend’s email address either with your friend’s consent or for a “legitimate business purpose.” But assuming the email is a “commercial electronic communication,” the ePrivacy Directive requires consent. And unfortunately for Twoo, the Belgian DPA found that the existing user’s consent was insufficient. Thus, unless the recipient was also an existing user (and had, therefore, already provided consent), Twoo’s use of the recipient’s email address was unlawful.
It remains to be seen how this ruling will impact similar features on other platforms, but it serves as an example of how various website functions may not be acceptable under current law even if those functions are relatively common.
For more information on data privacy matters, please contact a Kerr Russell attorney.
Jeffrey A. May practices in the areas of general business law, intellectual property, and litigation with a focus on the increasingly important area of Cybersecurity and Data Privacy Law. He is credentialed as a Certified Information Privacy Professional/United States (CIPP/US). He has prior experience owning and operating a technology-based business. His experience and education allow him to assist clients with a wide range of business issues and litigation matters. Jeffrey helps clients identify and mitigate risks related to data security incidents and breaches. He also helps with information technology policies and practices, and data sharing arrangements with third parties.
Other posts to consider: