Verifying identity – when data is lawfully held and wrongfully processed
Updated: Jul 26, 2020
On June 6, 2020 the Spanish data protection authority, the AEPD (Agencia Española de Protección de Datos), published a fine imposed on Telefonica Moviles España, S.A.U. – a telecom provider. This case is likely to be of particular interest to many service-oriented organizations. Briefly, what happened is this: the complainant was a customer of the telco; a fraudster called the telco pretending to be the complainant, and ordered several phone lines installed, at the complainant’s expense. The telco provided the services; the complainant had the services cancelled after proving they were fraudulently ordered, and then submitted a complaint for unlawful use of personal data. The AEPD didn’t particularly delve into these details, and established that the processing by the telco was unlawful. Simply put, the telco processed the complainant’s data without any lawful basis. They thought they had consent, but they didn’t. This ought to be strict liability; either they have consent or they don’t. But the AEPD notice suggests that had they made a duly diligent effort, they would not have been liable or, at the very least, would not have been fined. AEPD summarized thus (translation based on Google Translate): “In short, the defendant has not provided any document or evidentiary element that shows that the entity [telco], in such a situation, had deployed the minimum diligence required to verify that indeed its interlocutor was the one that it claimed to hold. 
Respect for the principle of lawfulness that is at the core of the fundamental right to the protection of personal data requires that it be established that the person responsible for the treatment deployed the necessary diligence to prove that point… Diligent compliance with the principle of lawfulness in the processing of third-party data requires that the controller be in a position to prove it (principle of accountability).” AEPD thus saw this as simply unlawful processing: there was no consent nor any other Article 6 legal basis. It is not clear why the attempt at verification is relevant. In other words, even if the telco had made reasonable attempts to verify the identity of the data subject, and was still tricked, it would still be missing a lawful basis. However, at the very least, a bona fide effort at verifying the identity would mean that a fine would not be appropriate. In this, the AEPD was following its own precedent in Madrileña Red De Gas SAU. Either way, this is an opportunity to relate to the need for identity verification under GDPR. Interestingly, GDPR does not explicitly address the need to verify the data subject’s identity in such a case. Rather, the need to verify the identity of the data subject is implied. Article 7(1) requires that “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” In other words, being able to demonstrate that a person has consented includes being able to demonstrate that the person who consented is in fact the data subject. 
GDPR does relate to identity verification in the context of obtaining consent from children (Article 8(2)), namely that “The controller shall make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.” WP29 expanded on the difficulties involved in identity verification of children (Opinion 259 at para 7.1.4): “WP29 acknowledges that there may be cases where verification is challenging (for example where children providing their own consent have not yet established an ‘identity footprint’, or where parental responsibility is not easily checked). This can be taken into account when deciding what efforts are reasonable, but controllers will also be expected to keep their processes and the available technology under constant review.” This WP29 opinion highlights the importance of having verification processes, of considering the changing technological landscape in that regard, and of reviewing them periodically. In the next post, we will discuss the specifics of identity verification; in the meantime, some takeaways from this important ruling:
Conduct an assessment on the verification procedures in your organization.
Document these, and assess them periodically.
Consider carefully having a tiered approach: for different levels of data processing, have additional layers of verification.
Most organizations think of identity verification as a fraud matter, which it is. But it is also a data protection matter. Involve the DPO.