Full Analysis of the IMY Case Against Bonnier News AB: A Pivotal Moment for GDPR and the ePrivacy Directive

Feb 05, 2025 | 06 minute read

This week I’m excited to share a deep dive into a landmark ruling by the Swedish Data Protection Authority (IMY) against Bonnier News AB. This is the first publicly known case in Sweden where IMY explicitly referenced Article 5(3) of the ePrivacy Directive in its reasoning for a GDPR fine.

Credits to Martin Brinnen for sharing the ruling.

Background of the Case

  • Authority: Swedish Data Protection Authority (IMY, Integritetsskyddsmyndigheten).
  • Company Fined: Bonnier News AB.
  • Fine Amount: SEK 13,000,000 (approx. €1.15M).
  • Period of Violation: November 7, 2019 – June 11, 2020.
  • Legal Basis: Primarily a violation of GDPR Article 6(1).
  • Court Decision: The Administrative Court of Stockholm upheld the fine, dismissing Bonnier News’ appeal.

Summary of IMY’s Decision

IMY ruled that Bonnier News processed personal data without a valid legal basis under GDPR. Specifically, the company:

  • Created Behavioral Profiles: The profiles were built from website activity data.
  • Shared Data Internally: These profiles were shared with affiliated companies to target personalized advertising.
  • Used for Multiple Purposes: Data from customer databases was also used for telemarketing and postal marketing.

Key Question:

Was the “simple behavioral profile”, which didn’t include direct personal identifiers, still considered personal data? IMY concluded that it was, given that even indirect identifiers (like cookie IDs) enable tracking of individuals over time.

Key Legal Issues and Court Reasoning

A. Defining “Personal Data”

Bonnier News’ Argument:

The behavioral profiles consisted only of anonymized data:

  • Website visited (URL, content tags).
  • Device type and browser information.
  • Partial IP address (at a country level).
  • Time spent on pages.
  • A randomly generated cookie identifier.

They argued that without direct identifiers, these profiles could not be linked to specific individuals.

IMY’s Counter:

  • The cookie ID is an online identifier as defined by GDPR.
  • Even if direct identifiers are absent, the data can still be used to influence user behavior (e.g., targeted ads).
  • Recital 30 of the GDPR explicitly includes cookies as personal data.

Court's Ruling:

The court agreed that the profiles were personal data since they allowed for tracking of individual behavior over time, even when identification was indirect.

B. Lawfulness of the Data Processing

Bonnier News’ Defense:

The company relied on GDPR Article 6(1)(f) (Legitimate Interest) as the legal basis.

They argued that:

  • Advertising revenue supports vital journalistic activities.
  • Users were informed about the data collection.
  • Data processing was minimized and secured.

IMY’s Position:

  • Legitimate Interest cannot serve as a legal basis for cookie-based tracking when explicit consent is required.
  • The ePrivacy Directive (Article 5(3)) mandates consent for the collection of data via cookies (and other technologies).
  • The privacy rights of individuals outweigh the company's interest in targeted advertising.

Court's Ruling:

Consent is mandatory for behavioral tracking under ePrivacy Directive Article 5(3). Even though Bonnier News obtained consent at the point of data collection, the subsequent processing required its own legal basis, and Legitimate Interest was not acceptable.

C. Justification for the Fine

Bonnier News’ Defense:

The company claimed to have acted in good faith, following existing guidelines.

They argued that the guidelines used by IMY were issued after the period of violation.

They noted:

  • No sensitive data was involved.
  • The overall impact on individuals was minimal.
  • The investigation’s lengthy duration created legal uncertainty.

IMY’s Justification:

  • Negligence, not intent, is enough under GDPR Article 83 to warrant a fine.
  • The violation affected a large number of users across several affiliated companies.
  • Undermining the consent requirement (a core GDPR principle) can have far-reaching negative implications on data protection rights.

Court's Ruling:

The fine was proportionate and justified given the scope of the violation and the number of individuals affected.

The Crucial Role of the ePrivacy Directive

This case is groundbreaking as it is the first major ruling to specifically invoke Article 5(3) of the ePrivacy Directive. Here’s what this means:

  • Explicit Consent is Key: The ruling reinforces that data collection via cookies (and other tracking technologies) requires prior, explicit consent.
  • No Bypass via Legitimate Interest: Even if initial data collection is consented to, further processing cannot rely on Legitimate Interest as a legal basis if it conflicts with the ePrivacy (explicit) consent requirement.
  • Impact on Future Enforcement: This sets a strong precedent for future cases in Sweden and across the EU, tightening compliance requirements for behavioral advertising.

Implications for Companies in Sweden and Beyond

This ruling has far-reaching implications:

Stricter Enforcement: Swedish companies should brace for increased GDPR investigations and fines.

Reevaluation of Advertising Practices: Relying on Legitimate Interest for targeted advertising is no longer viable.

Internal Data Handling: Companies must:

  • Ensure explicit user consent is obtained before any behavioral tracking.
  • Minimize personal data processing.
  • Regularly conduct Data Protection Impact Assessments (DPIAs).
  • Review data-sharing practices with affiliated companies.

Conclusion

The IMY ruling against Bonnier News AB marks a new era in Swedish GDPR enforcement and underscores the primacy of explicit consent in data processing. By specifically invoking Article 5(3) of the ePrivacy Directive, this decision sends a powerful message, not only within Sweden but across all of Europe, that businesses cannot sidestep their obligations under data protection law by leaning on the broad provisions of Legitimate Interest.

European-Wide Impact:

  • Harmonizing Enforcement Standards:
    Although this case originated in Sweden, its implications resonate throughout the European Union. It serves as a clear signal that national data protection authorities across Europe are moving towards a more uniform and rigorous interpretation of both GDPR and the ePrivacy Directive. Companies operating anywhere in the EU must now re-evaluate their data collection and processing practices to ensure full compliance with these increasingly strict standards.
  • Precedent for Future Rulings:
    The decision sets a precedent that is likely to influence future enforcement actions not only in Sweden but in other EU member states. Regulators from various countries can look to this ruling as a benchmark, particularly when assessing the validity of consent in cookie-based tracking and behavioral profiling. This could trigger a wave of similar investigations and fines across Europe, emphasizing that the safeguarding of personal data is a priority that transcends national borders.
  • Reinforcing the Need for Explicit Consent:
    At its core, the ruling reinforces that cookie-based tracking and other forms of behavioral advertising require prior, explicit consent from users. The narrow interpretation of Legitimate Interest in this context underscores that data protection principles cannot be diluted by convenience or economic interests. European companies must therefore invest in robust consent mechanisms and review their data handling practices, ensuring they are transparent, proactive, and user-centric.
  • Catalyst for Policy and Industry Change:
    This decision not only aligns national practices with broader EU data protection goals but also acts as a catalyst for change within industries. Companies across Europe will need to adapt quickly, rethinking their strategies for digital marketing and data utilization. Additionally, policymakers may use this ruling to further refine and harmonize data protection laws, creating a stronger, more consistent framework for all member states.

In summary, the Bonnier News case is a landmark moment that elevates data protection to a new level of importance across Europe. It is a reminder that as digital technologies evolve, so too must our commitment to upholding the rights of individuals in the digital age. Businesses must prioritize compliance with explicit consent requirements or face significant financial and reputational risks. This ruling is not just about one company or one country; it is a clarion call for all European enterprises to ensure that privacy is at the heart of their operations.

Thank you for reading. I look forward to your thoughts and comments on this pivotal development in European data protection. And remember: if you or your organization needs help with technical compliance, I am happy to help.

Best regards,
Ronni K. Gothard Christiansen
Creator, Aesirx.io
