EU Privacy Law May Require Individual Third Party Consent for Sale of Customer Email Lists
Parties to transactions involving personal data in Europe are well-advised to investigate whether individual consent or the offer of opt-outs is required to avoid the risk of fines and other sanctions imposed by the DPA or local courts.
More and more middle market US companies are pursuing cross-border mergers and acquisitions. While most US business executives are very familiar with the cultural and social differences that impact cross-border deal making, they may be less aware of significant differences in the laws and regulations that impact cross-border transactions.
In 21st century deal making, what’s come to be known as “data protection law” is perhaps the most fraught with peril for the unwary, especially in Europe. Personal data is protected by the EU 1995 Data Protection Directive and relevant national law. Individuals, not companies, thus “own” their personal data. These data protection laws are generally not well understood in the United States and, to make matters worse, a substantive EU data protection reform is currently underway that may affect US companies, even if they are not located or registered in the European Union (EU). For more details on this reform, read our January 2015 LawFlash “EU Data Protection Reform Update.”
The DPA Ruling
A recent case before the Bavarian Data Protection Agency (DPA) illustrates this issue. As part of an asset deal, a company in Bavaria sold bulk email addresses to a buyer without the prior consent of the individuals, and without the possibility of individual opt-outs (see Sec. 7(2) German Fair Competition Act). This provision prohibits sending advertisement emails to individuals with whom the sender has no business relationship. The DPA, in a July 30, 2015 ruling, also found serious legal obstacles regarding the sale of the data sets under the Federal Data Protection Act (BDSG), including the following:
The bulk data sale was not covered by the so-called “list privilege” under Sec. 28(3)(2)(1) BDSG, which allows for a data transfer without individual consent (under certain conditions) for advertisement, marketing, or polling purposes.
An asset deal by itself is not a “prevailing company interest” that would justify the data transfer pursuant to Sec. 28(1)(2) BDSG.
The DPA in this case imposed a substantive fine on the seller and buyer for transacting in these data sets (email addresses) illegally.
The issue goes beyond the mere sale of email lists. Parties to a transaction involving personal data (such as names, email and physical addresses, phone numbers, or financial information) in Europe are well-advised to investigate whether the acquisition or transfer is covered by a European legal concept known as the “list privilege” for advertisement, marketing, or polling purposes. If the “list privilege” doesn’t apply, individual consents of the data subjects (or at least the offer of customer opt-outs for marketing emails) are required. Otherwise, both the buyer and the seller risk fines and other sanctions imposed by the regional or national DPA, or local courts.
The Bavarian DPA states that the BDSG requirements may also impact insolvency cases where data sets of customers are sold. Bypassing the rules means that individual customers may (and frequently do) directly complain to a DPA and trigger a proceeding. In addition, there may also be notification requirements for the transfer under national law. In specific cases, even prior consent of a DPA may be necessary.