Data sharing and GDPR compliance: Bounty UK shows what not to do
The UK Information Commissioner’s Office issued a massive judgment against a company for illegal data sharing. Here’s how to avoid the same fate.
In the United Kingdom, Bounty is a well-known but somewhat controversial provider of pregnancy and parenting packages, advice, apps, and maternity ward photos. In the past, they’ve drawn criticism about privacy concerns because of their practice of sending representatives into new mothers’ rooms to sell picture packages. Now, Bounty is in even bigger trouble, this time for data privacy reasons.
This month the UK’s top data protection agency, the ICO, announced the findings of an investigation into Bounty’s data sharing practices. Until April 30 of last year, just before the GDPR entered into force, the company sold 34.4 million user records with outside firms like Equifax (of data breach infamy) without informing the data subjects. The data even included the birth date and sex of newborns. The ICO fined the company £400,000.
Because Bounty ended the practice just before the start date of the GDPR, the practices violated the Data Protection Act 1998, not the GDPR. This fact capped the possible fine at £500,000. The GDPR fine for a similar violation could have reached £17 million (€20 million).
The director of the ICO’s investigations issued a scathing reproach of the company:
The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into data broking industry and organisations linked to this.
Bounty were not open or transparent to the millions of people that their personal data may be passed on to such large number of organisations. Any consent given by these people was clearly not informed. Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time.
Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children.
Data sharing requirements
There’s nothing inherently wrong with sharing people’s personal data with third parties. But you have to go about it the right way. Below are the relevant GDPR requirements if you want to share your users’ personal data outside your organization.
Be clear about your intentions
People have a right to know how their personal data will be used. GDPR Article 12 explains these requirements. These communications must be “concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”
You must communicate this information at the moment you collect the data. Article 13 lists the information that must be provided and when.
You must have a lawful basis
GDPR Article 6 and Article 7 deal with the lawful bases for processing personal data. Most likely, in the case of selling user data to third parties, the lawful basis will be consent, which involves extra caution to ensure consent is properly sought and freely given. We’ve previously explained the GDPR consent requirements in detail.
It may seem obvious, but you must gain explicit consent for each of the processing activities you intend to carry out with people’s data. In the Bounty case, the company shared personal data with 39 organizations. Bounty members were unaware that their data would be shared with so many third parties. This infringed upon their ability to exercise their data privacy rights because they didn’t know where their data was being stored or how it was being used.
International data transfers
If you intend to share information with organizations in other countries, this triggers extra responsibilities covered in Chapter 5 of the GDPR. Specifically: “A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.”
There’s no question the GDPR makes it more difficult to profit from other people’s personal data. But that’s the point of the law: it’s other people’s data; if you want to use it, you need to have a good reason, or just ask. Bounty’s data sharing practices clearly crossed the line, and they knew it. That’s why they ended the practice just before the GDPR drastically increased their exposure to fines.
That said, GDPR compliance doesn’t have to be difficult. We built this website to make it easier for businesses to comply. Our GDPR checklist and our overview of the law are great places to start. If you’re a business in the US, we have a checklist for you as well.