The Federal Administrative Court of Austria confirmed by its decision of 26 November 2020 the stance of the Austrian Data Protection Authority (“Datenschutzbehörde“) that so-called “party affinity” data may not be processed without the data subject’s consent. Most importantly, the Court clarified that data about an individual fall within the scope of “personal data” even if they only reflect probable and not actual characteristics of individuals.
Inferring probabilities about an individual from the data about his social group
An Austrian company – the complainant in the proceeding before the Court – was selling personal data for marketing purposes. It developed a product where addresses of individuals were enriched by other data that legal entities may need in order to target those individuals with promotional materials. The product included the following data: title; name and surname; address; date of birth; and the individual’s “party affinity”. Data on the individual’s political party affinity indicated the individual’s likely willingness to receive advertising from certain political parties.
The Company produced party affinity data based on an anonymous survey and on results of regional elections. By analyzing the information from these two sources, the Company produced aggregate data on the likely party affinity of specific social groups, depending on their formal education, place of living, etc. As a next step, the Company attributed the aggregate data pertaining to certain social groups to specific individuals belonging to those groups.
By such an operation, data on the likely willingness of persons having certain type of education or living in a particular region to receive advertising from the political party X became data on the likely willingness of a particular individual with, for example, university degree and living in the particular town to receive advertising from that party X. Once attributed to specific individuals, data on party affinity were sold to interested political parties.
The parties used the data to send marketing materials only to those individuals who would probably want to receive them. In that manner, the political parties wished to avoid sending the marketing material to individuals not interested in receiving them. Company did not obtain the data subject’s consent for these processing operations.
Likely party affinity is personal data
To prove the lawfulness of the processing operations, the Company argued that the party affinity data did not fall within the category of personal data so that the processing of these data did not trigger the application of the GDPR. According to the Company, party affinity data were based on the probability-related average calculations, and therefore did not amount to information about a specific individual. Following this line of reasoning, the Company submitted that the data on likely party affinity of an individual did not bring into light the individual’s political opinion, as a special category of data.
According to the Court, data on individual’s likely party affinity do fall within the concept of personal data.
In support of that conclusion, the Court relied on the criteria set out by the Article 29 Working Party in Opinion 4/2007 on the concept of personal data (as endorsed by the European Data Protection Board):
- content element: the data relate to a specific individual. Here, the fact that the party affinity data do not reveal actual stance of the individual but only his or her likely inclination does not affect the fact that those data do pertain to identified natural person;
- purpose element: data are or could be used to evaluate an individual, treat an individual in a specific way, or influence the position or behaviour of an individual. Here, the party affinity data were intended for treating individuals in specific ways so to achieve a specific purpose – avoiding the sending of marketing material to individuals not interested in receiving such material; and
- impact requirement: the use of data could have an impact on the rights and interests of an individual. It is sufficient that individuals are treated in different manners for this impact to be present. Here, some individuals received marketing material from the parties whereas the others did not receive such material.
The Court also held that from the likely party affinity of an individual it is possible to infer his likely political opinion, which then means that the supposed party affinity belongs to special categories of personal data. According to the Court, Article 9 of the GDPR seeks to protect individuals against specific risks which are normally associated with the processing of special categories of data. The data from which a special category of data, such as political opinion, can be inferred can trigger those risks. To support its position, the Court invoked certain commentaries of the Austrian data protection law.
“Substantial public interests” exception not applicable
Finally, the Court took a stance that party affinity data may not be processed without the data subject’s consent. This is due to inapplicability of other exemptions from the general prohibition from Article 9, paragraph 2 of the GDPR to processing the special categories of personal data. The Court specifically examined – and ultimately rejected – the possibility for the party affinity data to be processed for the direct marketing purposes based on a national law. According to article 9, paragraph 2, point (g) of the GDPR, special categories of data may be processed on the basis of the EU or a Member State law, provided that the processing is necessary for reasons of substantial public interest. Austrian Industrial Act (1994) authorizes traders to use, for marketing purposes, data specifically assigned to specific persons on the basis of marketing analysis. However, the Court found that Recitals 46, 52 and 55 of the GDPR did not recognize economic interests of marketing companies as public interests.
Comment
This judgement is one of the few judicial decisions rendered in recent years which establish that the concept of personal data includes more than facts about an individual. This concept also includes:
- data on opinions of other persons about individuals and data on assessments of individuals (as established by the CJEU judgement in the dispute between Peter Nowak and the Irish Data Protection Commissioner; find more about the judgement in our post here); and
- data on probabilities pertaining to individuals (as established in this case).
[Note: Serbian Data Protection Act and the current draft of Montenegrin Data Protection Act mirror the provisions of GDPR. The decisions of supervisory authorities and courts in EU member states may therefore serve as an instructive guidance for compliance with local regulations.]