German Data Protection Authority Imposes €200,000 Fine for Targeted Advertising Without Adequate Consent
Dr. Stefan Schuppert in the Hogan Lovells Munich office prepared this entry. Stefan is a member of the Hogan Lovells Privacy practice and the IP, Media & Technology group and advises companies in the fields of information technology and new media concerning intellectual property, contract law and data protection.
On November 23, the data protection authority (DPA) of the German Federal State of Hamburg imposed a €200,000 fine [link in German] against the Hamburg-based savings & loan Hamburger Sparkasse due to violations of the German Federal Data Protection Act (the BDSG) for, among other reasons, using neuromarketing techniques without customer consent. The case – which attracted much negative publicity in Germany, including page 1 headlines and "top spots" in television news – may very well influence the assessment of neuromarketing techniques under data protection laws beyond Germany.
Between 2005 and 2010, Hamburger Sparkasse disclosed its customers' bank account data regarding incoming and outgoing payments to customer consultants on a regular basis. In addition, the bank used customer, sociodemographic, account balance, and product use data to create personality profiles of its customers. For this purpose, the bank made use of modern neuromarketing and brain sciences techniques. The customers were classified in different categories, such as "adventurer" or "connoisseur." Based on this information, the bank extended custom-tailored offers to its customers. The customers had not been informed of and had not consented to the bank's activities.
The BDSG was amended in 2009 to introduce a stricter enforcement regime and to increase the maximum fine to €300,000 for each instance of unlawful processing of personal data. According to the Hamburg DPA, the disclosure of bank account data to the external consultants as well as the creation of customer profiles constituted serious breaches of the BDSG, warranting the steep €200,000 fine. According to the DPA, the fine may well have been even higher had the bank not cooperated rapidly in the disclosure of the incidents and made a strong commitment to comply with data protection law in future.
This case shows that the disclosure of bank account data is highly "sensitive" and German regulators have been and remain seriously concerned whenever consumer, personality, or other profiles of a person are aggregated without valid consent. Indeed, according to the head of the Hamburg DPA, Prof. Johannes Caspar, the intent was to send a clear signal to the market against the use of modern neuromarketing and comparable methods in violation of data protection law. The case also clearly illustrates that German regulators are willing to enforce the new data protection regime and are well prepared to impose significant fines upon companies rather than giving them merely a warning notice.
To avoid such sanctions and negative publicity, banks and other companies using neuromarketing techniques should be transparent and base such activities on informed, freely given consent. The case also demonstrates that cooperation with authorities is highly advisable.
The decision of the Hamburg DPA may also attract attention beyond Germany and influence the interpretation of data protection laws in other countries, in particular with respect to the compliance of neuromarketing and brain sciences techniques with data protection laws. Due to the sensitivity of such activities, it is likely that regulators in the EU will follow the approach taken by the Hamburg DPA.