On May 19, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) announced that the Litigation Chamber had imposed a €50,000 fine on a social media provider for unlawful processing of personal data in connection with the “invite-a-friend” function offered on its platform.
Upon the Executive Committee’s request, the Belgian DPA’s Investigation Service investigated a social media platform’s data processing activities related to the functionality it offered its members to invite their contacts. To offer this “invite-a-friend” functionality, the social media provider collected and stored personal data concerning its members’ contacts for the purpose of sending invitations to connect on the platform. In this case, the Belgian DPA acted as “lead supervisory authority” under the EU General Data Protection Regulation’s (the “GDPR”) “one-stop-shop” mechanism and worked in close cooperation with 23 concerned data protection authorities in 16 EU Member States.
First, the Belgian DPA’s Litigation Chamber indicated in its decision that the social media provider is responsible, as data controller, for ensuring that it has a valid legal ground for its processing of personal data in connection with the “invite-a-friend” functionality offered on its platform. The social media provider relied on its members’ consent to legitimize the processing of their contacts’ personal data to send those contacts (both existing members of the platform and non-members) an invitation to connect on the platform. However, the Belgian DPA’s Litigation Chamber concluded that the social media provider did not obtain valid consent from the concerned contacts and did not have an alternative legal ground under the GDPR to lawfully process its members’ contacts’ data. In light of this, the processing of personal data in connection with the “invite-a-friend” function is considered to be unlawful due to a lack of legal ground.
In its decision, the Litigation Chamber recalled that consent must be provided by the data subject himself (except in certain situations, e.g., with minors). Therefore, the social media provider could not rely on the consent obtained from its members to legitimize the processing of personal data of contacts who were not members of the platform and thus never consented to the processing of their contact information. With respect to contacts who are members of the platform, the Litigation Chamber indicated that, at least at the beginning of the process, users were presented with pre-selected boxes at the stage where they were able to invite contacts. The Litigation Chamber emphasized that consent obtained through pre-selected boxes does not meet the standard for valid consent under the GDPR. With respect to the validity of consent, the Litigation Chamber also stated in its decision that the practice of sending an initial, non-promotional email to obtain an individual’s consent for receiving electronic marketing is not in line with the GDPR. This is noteworthy, as this practice had been accepted in Belgium.
In addition to assessing the validity of consent, the Litigation Chamber explored the possibility of the social media provider relying on its legitimate interests as a legal ground for the data processing activities in connection with the “invite-a-friend” functionality. In this respect, the Litigation Chamber concluded that the conditions for relying on the legitimate interests ground were not satisfied in the case at hand, as the data of members’ contacts was not limited to what is strictly necessary to send invitations, and it was retained for a period of three months. According to the Belgian DPA, the social media platform should have run a comparison of the data to identify which contacts were existing members and deleted the data of non-members.
In light of these considerations, the Litigation Chamber decided to impose a sanction of €50,000 on the social media provider for its unlawful processing of personal data concerning members’ contacts.