13 million kroner fine to Bonnier
The Swedish data protection authority, the IMY, is stepping up its activities. They can no longer be criticised for being passive, which has frequently been the case up until now, and there is every reason for companies with activities in Sweden to pay attention to the areas IMY focuses on. Below are some cases that may be useful for many.
The IMY has given Bonnier an administrative fine of 13 million kroner. This case is important because it criticises a practice that has been common. Furthermore, this case sheds light on how legitimate interest can potentially be used as a legal basis for profiling. This is also a topic of the decision on 4 July against Meta, which is discussed below.
Many actors collect information from websites and collate it with information from online purchases. For those who do this based on legitimate interest, it is high time to rethink their practices.
The fine was issued due to Bonnier profiling its customers and website users without their consent. The IMY investigated how Bonnier collected and handled personal data for marketing purposes. The information was gathered from many sources and was used for targeted online advertising, postal marketing and telemarketing. For instance, this included the collection of personal data related to purchases made from various companies within the Bonnier Group, as well as the analysis of users' online activities – i.e. how visitors have navigated the company's websites. In some cases, the information was also collated with personal data obtained from external sources. These included details about the customers' gender and postcodes, as well as statistical information based on the person's area of residence, such as their stage of life, purchasing power and type of housing.
Bonnier has stated that they rely on a legitimate interest assessment for the processing of personal data. According to the aforementioned assessment, the company's relevant interests outweigh those of the data subjects, and the processing is necessary to carry out the relevant marketing.
However, IMY believes that customers should not have to expect that behavioral data is collected for marketing purposes solely based on a visit to a website. Nor can customers expect that behavioral data is combined with information from a purchase situation or information obtained from other databases with the intention of contacting them for telemarketing or direct marketing. According to the IMY, such extensive profiling requires consent.
While determining the amount of the fine, IMY has emphasized that Bonnier has taken extensive measures to minimize violations of the data subjects' privacy. Since Bonnier has users in many countries, the decision has been made in consultation with other data protection authorities in the European Union (EU).
The case can be found here.
Tele2, CDON, Coop and Dagens Industri
IMY has assessed the lawfulness of four companies' transfer of personal data to the United States via Google Analytics, namely CDON, Coop, Dagens Industri and Tele2. The assessment was based on an edition of Google Analytics dated 14 August 2020, which was before any of the players were using Google Analytics 4.
The investigation was prompted by the infamous 101 complaints made by the organisation None of Your Business (NOYB), in the wake of the Schrems II decision of 2020. The complaints simply stated that these companies did not have the legal basis for transferring the data to the United States.
All the companies used SCCs as the basis for transfer. The question was whether the data transferred was personal data, and if so, whether the companies had implemented sufficient security measures to ensure an adequate level of protection for the transfer of personal data. IMY was of the opinion that the data sent to the United States is personal data, as the information could be linked to other unique personal data that had been transferred. IMY also concluded that the technical security measures that the companies had implemented were not sufficient to ensure a level of protection in line with the GDPR.
IMY issued an administrative fine of SEK 12 million and SEK 300,000 against Tele2 and CDON respectively, as they did not implement the same in-depth technical security measures as Coop and Dagens Industri.
IMY's decision attracted much international attention as it was the first decision that imposed a fine for the violation. This is particularly interesting in light of the now adopted EU-US Data Privacy Framework, as shown below.