October 30, 2020

Volume X, Number 304


October 29, 2020

Subscribe to Latest Legal News and Analysis

October 28, 2020

Subscribe to Latest Legal News and Analysis

October 27, 2020

Subscribe to Latest Legal News and Analysis

EU Privacy Law May Require Individual Third Party Consent for Sale of Customer Email Lists

Parties to transactions involving personal data in Europe are well-advised to investigate whether individual consent or the offer of opt-outs are required to avoid the risk of fines and other sanctions imposed by the DPA or local courts.

More and more middle market US companies are pursuing cross-border mergers and acquisitions. While most US business executives are very familiar with the cultural and social differences that impact cross-border deal making, they may be less aware of significant differences in the laws and regulations that impact cross-border transactions.

In 21st century deal making, what’s come to be known as “data protection law” is perhaps the most fraught with peril for the unwary—especially in Europe. Personal data is protected by the EU 1995 Data Protection Directive and relevant national law. Individuals thus “own” their personal data, not companies. These data protection laws are generally not well understood in the United States and, to make matters worse, a substantive EU data protection reform is currently underway that may affect US companies, even if they are not located or registered in the European Union (EU). For more details on this reform, read our January 2015 LawFlash “EU Data Protection Reform Update.”

The DPA Ruling

A recent case before the Bavarian Data Protection Agency (DPA) illustrates this issue. As part of an asset deal, a company in Bavaria sold bulk email addresses to a buyer without the prior consent of the individuals, and without the possibility of individual opt-outs (see Sec. 7(2) German Fair Competition Act). This provision prohibits sending advertisement emails to individuals with whom the sender has no business relationship. The DPA, in a July 30, 2015 ruling, also found serious legal obstacles regarding the sale of the data sets under the Federal Data Protection Act (BDSG), including the following:

  • The bulk data sale was not covered by the so-called “list privilege” under Sec. 28(3)(2) (1) BDSG, which allows for a data transfer without individual consent (under certain conditions) for advertisement, marketing, or polling purposes.

  • An asset deal by itself is not a “prevailing company interest” that would justify the data transfer pursuant to Sec. 28(1)(2) BDSG.

The DPA in this case imposed a substantive fine on the seller and buyer for transacting in these data sets (email addresses) illegally.

Further Implications

The issue goes beyond the mere sale of email lists. Parties to a transaction involving personal data (such as names, email and physical addresses, phone numbers, or financial information) in Europe are well-advised to investigate whether the acquisition or transfer is covered by a European legal concept known as the “list privilege” for advertisement, marketing, or polling purposes. If the “list privilege” doesn’t apply, individual consents of the data subjects (or at least the offer of customer opt-outs for marketing emails) are required. Otherwise, both the buyer and the seller risk fines and other sanctions imposed by the regional or national DPA, or local courts.

The Bavarian DPA states that the BDSG requirements may also impact insolvency cases where data sets of customers are sold. Bypassing the rules means that individual customers may (and frequently do) directly complain to a DPA and trigger a proceeding. In addition, there may also be notification requirements for the transfer under national law. In specific cases, even prior consent of a DPA may be necessary.

Copyright © 2020 by Morgan, Lewis & Bockius LLP. All Rights Reserved.National Law Review, Volume V, Number 237



About this Author

Dr. Axel Spies, Telecommunications and technology lawyer, Morgan Lewis
Special Legal Consultant

Dr. Axel Spies has advised clients for many years on various international issues, including licensing, competition, corporate issues, and new technologies such as cloud computing. He counsels on international data protection (EU General Data Protection Regulation), international data transfers (Privacy Shield), healthcare, technology licensing, e-discovery, and equity purchases. A member of the Sedona Conference on Electronic Discovery, Dr. Spies is frequently quoted in the media for his telecommunications and privacy knowledge.

Andrew Ray, Corporate attorney, Morgan lewis law firm

Andrew Ray is the leader of the firm’s interdisciplinary corporate practice in Washington, DC, where he  represents public and private companies, financial sponsors, and management teams in a broad range of industries, including technology, financial services, life sciences, real estate, and the not-for-profit sector. Various industry publications recognize Andy as a leader in both M&A and in communications law, among other fields. He recently led the team representing Oculus VR in its $2 billion sale to Facebook, which was named the M&A Advisor M&A Deal of...