eIDs and loyalty cards: what companies should know

05 Dec 2024

In a well-reasoned decision issued on November 28th, the Belgian Data Protection Authority (DPA) condemned Freedelity’s activities.

Freedelity allows consumers to obtain commercial benefits in exchange for the data recorded on their electronic identity card ("eID card").

In practice, Freedelity engages in two data processing activities that must be considered inseparable:

(i) the collection of personal data; and

(ii) the pooling of said data. This involves sharing and automatically updating consumer information across participating businesses that have previously interacted with the consumer, which helps those businesses keep their client data up to date.

The DPA found that Freedelity’s technical infrastructure, which is also deployed on the participating businesses’ premises, resulted in joint controllership. The DPA highlighted the convergence of means and purposes.

The DPA identified no fewer than 5 infringements of the GDPR in this case, concerning:

(i) the lawfulness of the consent given by the data subject, the difficulty of withdrawing such consent, and the lack of evidence proving the lawfulness of the consent;

(ii) the limitation of volume and type of personal data processed; and

(iii) the excess in the retention period of these data.

In our view, the findings with regard to consent are consistent with the previous decisions of the DPA and do not contain any significant new learning. To the extent there was still any room for debate, merely progressing through the pages of an onboarding procedure or clicking on a green “Continue” button after inserting an eID card cannot be equivalent to the “unambiguous positive act of the data subject” required under the GDPR.

With regard to the data minimization principle, Freedelity collected a significant amount of data, including:

(i) identification data of the data subject (name, first name(s), gender, place and date of birth, nationality, home address, eID card number, municipality of issuance of the eID card, validity date of the eID card, and the history of these data); and

(ii) contact data (email address, phone/mobile number, and history of these data).

Freedelity was not able to justify why all the datasets were needed, proportionate, and effective, thereby infringing the principle of data minimization.

In this regard, the DPA recalls a recommendation from the Privacy Commission (CPVP), which already in 2011 indicated that when using the identity card as a loyalty card, it is "in no case permissible to process and retain for this purpose either the cardholder's photo, their national registry identification number, their nationality, or their place of birth".

In the past, Freedelity (under its previous name Fidel ID) had already been condemned by the Court of Appeal of Brussels for using the national registration number (NRN) stored in the chip of the ID card to identify clients. The Court found that Fidel ID used the NRN without any authorization, whilst such authorization was required by the Act of 8 August 1983 protecting the national registration number. The current decision of the DPA does not further elaborate on this topic, leading us to think that Freedelity has avoided repeating such a breach.

Furthermore, the DPA emphasizes that data such as the municipality of issuance of the eID card, the validity date of the eID card, and the history of these data have no relevance to the processing carried out by Freedelity and the businesses. By contrast, only a few types of data would have been necessary for Freedelity (name, first name, and contact details such as postal address, email, or phone number).

Finally, the data retention period chosen by Freedelity, namely 8 years from the last activity of the data subject, was excessive. According to the DPA, a retention period of a maximum of 3 years would have been justified.

Our insights on the case:

  • despite being under scrutiny of the DPA and already condemned by Belgian Courts, Freedelity continued to process data extracted from the eID card. As they are not processing the NRN (or at least this is not highlighted by the DPA), this practice does not seem to be illegal as such.

  • consent cannot be implied from the circumstance that a consumer scrolls through pages to follow an onboarding process.

  • consent cannot be a free pass to evade the application of the general principles of data protection, such as data minimization or purpose limitation. At all times, companies should be able to demonstrate why they are collecting a specific dataset, even with consent.

  • too often in practice, companies maintain data retention policies that are excessively long. Determining a retention period is a delicate balancing exercise between the data subject’s reasonable expectations, statutory retention periods, and business needs, all three being relevant in this exercise.

Karin Winters

Lawyer - Partner, PwC Legal BV/SRL

Loïc Delanghe

Lawyer - Senior Managing Associate, PwC Legal BV/SRL
