The author serves as the external DPO for a large multinational group that received, in a single day, massive DSAR requests from Weople on behalf of several customers. Because he is directly involved in the case, he won't disclose the details, but here he outlines similar cases and what DPOs should consider when coping with such requests.
Starting in the early months of 2019, a number of large-scale Italian retailers submitted very similar complaints to the Italian Data Protection Authority, the Garante, concerning massive data subject requests received from Italian startup Weople. Through these requests, Weople exercised, on behalf of the data subjects that subscribed to its services via a mobile app, the right to data portability in connection with the personal data collected by the retailers' loyalty programs. The data was to be transferred directly to Weople.
In a nutshell, in order to promote the services of the platform, including the exercise of the right to portability on behalf of the data subjects, Weople promises its subscribers benefits proportional to the amount and quality of personal data conferred to the platform and collected through different sources (basically the loyalty programs where the data subjects have a subscription), which the platform exploits to create commercial value.
The two main issues raised by the Garante were:
- The merchantability of personal data.
- The transfer of the personal data to the database of an intermediary and a consequent risk of duplication of the databases subject to the portability.
The Garante decided to refer any decision on the above-mentioned issues to the European Data Protection Board, given that the activity of Weople can potentially produce effects in more than one EU member state. As outlined by Garante Chairman Antonello Soro in his letter addressed to the EDPB:
"As you will see, it is a highly important issue that, although it was brought in Italy, requires a general discussion that should involve more than just one single data protection authority. ... The company is requesting, on behalf of the data subjects, the personal data held by important business entities, in particular in the large retail sector, in order to bring them together in their own database for data enrichment process. The matter is thus related to the 'merchantability' of the data, with the additional problem of exercising the right to data portability by delegated powers and, therefore, with the non-remote risk of possible duplication of the databases subject to the portability."
In a news release on this case issued in August 2019, the Garante invited organizations that receive data portability requests from Weople to operate, in the meantime, in compliance with the principle of accountability provided for by the EU General Data Protection Regulation and to assess whether to comply with such requests or to give reasons for a possible refusal.
"Data portability and remuneration to data subjects/app users in exchange for their personal data" is on the EDPB's agenda. A final decision has not been issued yet.
In the meantime, the "hot potato" was passed back by the Garante to the data controllers.
The dilemma for any organization is, on the one hand, ensuring that the rights of the data subjects are guaranteed in accordance with the "guidelines on the right to data portability," issued by the (now-defunct) Article 29 Working Party: According to Section 20 of the GDPR, data subjects "have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided," and the GDPR does not prevent an individual from exercising his/her rights via a third party. In addition, the data controller should not put in place any legal, technical or financial obstacles that slow down or prevent the transmission of the personal data to the individual or to another organization.
On the other hand, according to the principle of accountability — in case of requests for the transfer of personal data made by an intermediary — the data controller must assess whether the transfer of such personal data is grounded on a legal basis and, in any case, whether the recipient is entitled to receive such data.
From a different perspective, a massive transfer of data from the database of one company to the database of another company (which could, in theory, be a competitor), may affect the intellectual property rights and trade secrets of the organizations that receive such a request.
Any privacy professional who has experienced the building of an efficient customer relationship management system knows very well that the collection and organization of customers' personal data requires a lot of time and money.
So, where does that leave us?
The key point is assessing if the request of the intermediary correctly mirrors the intentions of the data subjects.
To this end, the data controller should:
- Identify the data subjects whose rights are exercised by the intermediary.
- Check if the intermediary is entitled to exercise rights on behalf of the data subjects and, in particular, if the data subject has validly conferred the necessary powers to the intermediary.
- Assess if the data subjects were made fully aware — in accordance with Section 13 of the GDPR — of the transfer of their personal data to the platform of the intermediary and of the purposes of such data transfer.
If such steps are not sufficient to clear up all the doubts, a data controller should be considered entitled to require clarifications on the data protection impact assessment (which the intermediary should have carried out in order to validate the data processing at issue) and on the relevant outcomes. At the end of this process, the data controller should have all the necessary information to make a reasoned decision.
The more opaque the process implemented by the intermediary to obtain the powers from the data subject, the higher the risk that the intermediary does not have the powers necessary to submit a valid request. And such a process has to be especially transparent if the personal data at stake will be processed by the intermediary for monetization purposes.
In any case, given the extreme peculiarity of the business model developed by Weople, it is appropriate to wonder if the fulfillment of such massive requests without any charge can be considered fair and in line with the spirit of the GDPR.
It's sort of like the Italian card game "Rubamazzo" (literally "Steal the Deck," something similar to "Go Fish"), in which the final goal is to get as many cards as possible from the other players. Well, if such a model of business ends up being validated, it is not so difficult to predict that a growing number of organizations will implement apps or similar tools allowing them to play "Rubamazzo" (or, better, "Duplicate the Deck"), leveraging the right to data portability as a new Trojan horse.