The Dutch Data Protection Authority (Dutch DPA) recently imposed a fine of EUR 525,000 on the Royal Dutch Tennis Association (KNLTB) for sharing the personal data of its members with two of its sponsors in June 2018 on the basis of its own commercial interests.
Before the Dutch DPA initiated its investigation in 2018, Dutch sports associations seemed to be of the understanding that the KNLTB’s practice was allowed. The reason for the assumption was that the Dutch DPA had issued a publication, which was online until 2015, in which it stated that sports associations could share member data if their players’ member council approved the sharing. According to the guidance, individual consent of the members would not be necessary and thus the sharing could be based on a sports association’s legitimate interests.
However, in 2019, the Dutch DPA published new guidance on the interpretation of legitimate interests, which excludes, among other things, commercial interests as legitimate interests. The KNLTB appears to be the first organization affected by the Dutch DPA’s strict – and widely discussed by academics and lawyers – interpretation.
In this blogpost, we describe the main implications of the Dutch DPA’s fine and interpretation of legitimate interests – which could affect processing activities of commercial organizations throughout Europe.
Playing sports in the Netherlands in most cases means mandatory membership of the relevant Dutch sports association, such as the KNLTB for tennis players. When a player signs up with a local tennis association, personal data is shared with the KNLTB so that the player can, among other things, receive a player registration card that is necessary to get access to tennis courts, receive tennis lessons, and take part in competition. Once the KNLTB receives personal data from a player, it reaches out to the player via email to inform the player of the KNLTB’s data sharing with its two sponsors. The email contains the option to opt out of such data sharing. This type of data sharing was also approved by the tennis players’ member council on behalf of all tennis players in 2017.
The purpose of such sharing is to add value for the members and maintain accessibility to the sport of tennis, the KNLTB says. The personal data is used, for example, to send discount vouchers for tennis equipment to the tennis players by regular post. A couple of tennis players filed a complaint with the Dutch DPA, which initiated an administrative investigation.
Why did the Dutch DPA impose a fine?
In short, the Dutch DPA concluded that the KNLTB could not rely on its legitimate interests for sharing data with its sponsors as its interest was solely of a commercial nature.
Legitimate interests is one of the six legal grounds on which personal data can be processed. Based on regulatory guidance (for example from the ICO), an organization can rely on this legal ground after performing a legitimate interests assessment (LIA). This entails assessing whether (i) the interest at hand is legitimate, (ii) the processing is necessary for the interest pursued, and (iii) the interests of the tennis players do not outweigh the interests pursued by KNLTB.
The Dutch DPA concluded that the KNLTB’s data sharing does not meet the first prong of the LIA because the monetization of members’ personal data is not an interest that has a basis in law. The sharing of the data would not follow from a legal norm that applies to the KNLTB, which the Dutch DPA says is necessary for an interest to be legitimate. The Dutch DPA also pointed out that the interest does not represent a pressing need to process the tennis players’ data. Importantly, the Dutch DPA stated that any (solely) commercial purpose (e.g., interest in gaining profits) in itself could not qualify as a legitimate interest.
Since the Dutch DPA concluded that the KNLTB’s interests are not legitimate, the second and third prongs of the LIA (necessity and balancing of interests) were not explored by the Dutch DPA.
Why is the fine controversial?
The Dutch DPA’s rationale in the KNLTB case is in line with its 2019 publication on legitimate interests. The main criticism of this publication is that it seeks to apply too strict a threshold for the first prong of the LIA (i.e., legitimacy).
With respect to this case specifically, there has been criticism from a procedural point of view, that it would be more appropriate for the Dutch DPA to use other enforcement measures instead of imposing a fine. For example, the Dutch DPA could have sent the KNLTB a warning letter to explain that the data sharing is no longer allowed – as it did in 19% of its investigations in 2019. Using measures other than its fining authority would be especially appropriate since its new legitimate interests guidance was published after it initiated its investigation of the KNLTB. We further explore these two main points of criticism below.
Legitimate interests interpretation
Existing case law and regulatory guidance show that the threshold for the first prong of the LIA (legitimacy) is – contrary to the Dutch DPA’s recent view – rather low. In its legitimate interests guidance, the Article 29 Working Party indicates that an interest need only be “acceptable under the law” to be legitimate. This interpretation seems similar to the Dutch DPA’s interpretation that the interest should “follow from a legal norm”, but deviates from it when put into practice. Commercial activities are in general acceptable under the law but do not necessarily follow from a legal norm – other than (potentially) the generic right to entrepreneurship.
The lower “acceptable under the law” threshold is also applied by the European Court of Justice (CJEU), the text of the GDPR, and European DPAs. A few examples are shown below.
- ICO: “The types of legitimate interests may include commercial interests…”
- Dutch DPA in 2016 in a published decision on wifi-tracking: “… wifi-tracking can, by itself, be a legitimate commercial interest …”
- Recital 47 GDPR: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
- CJEU Satamedia (C-73/07): “A degree of commercial success may even be essential to professional journalistic activity … [which is] not limited to media undertakings and may be undertaken for profit-making purposes.”
These examples show that commercial interests could qualify as legitimate interests according to the CJEU and regulatory guidance. If this “acceptable under the law” threshold were applied by the Dutch DPA, it could very well be that the KNLTB’s commercial interests would qualify as legitimate interests and that the first prong of the LIA would be satisfied. It would be a stretch to argue that the interest of sharing discount vouchers with tennis players would be unacceptable under the law.
If the Dutch DPA’s “follow from a legal norm” threshold becomes the new standard in Europe, it cannot be excluded that organizations could no longer rely on their legitimate interests for certain commercial processing activities. For example, under these stricter standards, DPAs could argue that the interest in (direct) marketing in general does not explicitly follow from a legal norm.
Before the Dutch DPA initiated its investigation, there seemed to be consensus amongst Dutch sports associations that the KNLTB’s practice was acceptable. This view mainly followed from the Dutch DPA’s previous guidance on data sharing by sports associations that was online until 2015. This guidance was also referred to in a legal handbook of NOC*NSF, the Dutch umbrella organization for sports associations and the Dutch Olympic Committee.
There had not been any publications from the Dutch DPA between 2015 and the start of the KNLTB investigation, stating that its previous guidance could no longer be relied upon. The Dutch DPA furthermore stated in its publication on the KNLTB fine that the legal regime on legitimate interests has not been changed since 2015.
A basic principle of Dutch administrative law is that organizations should be able to rely on publications and acts of authorities, such as the Dutch DPA. It could in this light be argued that imposing a fine was not the most suitable enforcement measure. In our view, more suitable measures would have been sending a letter to sports associations or issuing a new publication stating that from that point on, sports associations can no longer rely on their legitimate interests for the data sharing with sponsors. This is especially so since the chairman of the Dutch DPA indicated in December 2018 that he knew that other Dutch sports associations also shared member data with sponsors based on their legitimate interests, and that the underlying investigation was intended to warn these sports associations to change their practices.
The KNLTB could object to and appeal the fine. It remains to be seen whether a judge will uphold the fine, especially given the legitimate interest and procedural considerations described in this blog post.