Earlier this spring, the Swedish Authority for Privacy Protection (“IMY”) issued an administrative fine of approximately EUR 724 000 against Klarna Bank AB (“Klarna”) following their investigation of the company, which showed that Klarna did not comply with several of the rules stipulated in the GDPR. What is especially interesting to note is that, although Klarna’s privacy notices cannot be claimed to have been of the highest market standards, many other commercial actors have chosen similar “pragmatic” approaches to the drafting of their notices. IMY’s decision show that the guidance provided by the European Data Protection Board (“EDPB”), which has been criticized for being too demanding in some respects, must be taken seriously. If the standards set out by IMY in the Klarna decision would be widely applied on the market, a vast amount of commercial actors would be deemed non-compliant.
One of the most central principles in the General Data Protection Regulation (“GDPR”) is the principle of transparency stated in Article 5.1. This principle requires that personal data must be processed in a transparent manner in relation to the data subject, and a data controller is thereby required to provide the data subject with information about the purposes and means of processing their personal data. Furthermore, on the basis of this principle, Article 12 in GDPR specifies how such information should be provided, i.e., what requirements the format of the information need to fulfil. Information must be provided to the data subject in a concise, clear and distinct, understandable and easily accessible form, using clear and unambitious language. The information should also contain certain content, depending on whether the personal data is collected directly from the data subject or via another source. Such content requirements are regulated by Article 13 and Article 14, and lists inter alia, that the data controller must inform about the purpose and legal basis for processing personal data. The way most companies find most effective to comply with these requirements is to make available a “privacy notice” on their website.
In the case with Klarna, IMY examined how Klarna informed data subjects about the processing of personal data on its website. In IMY’s decision, they stated that there are multiple shortcomings regarding the information provided. Klarna did not provide sufficient information regarding the purpose for which, and on which legal basis, personal data was processed in one of Klarna's financial services. Klarna also provided incomplete and misleading information about the recipients of different categories of personal data when data was shared with Swedish and foreign credit reference agencies.
In addition, Klarna did not provide sufficient information concerning which countries outside the EU/EEA personal data were transferred to or on where and how individuals could obtain information on the safeguards that applied to the transfer. IMY also notes that Klarna provided incomplete information about the data subjects' rights, including the right to delete data, the right to data portability and the right to object to how one's personal data is processed.
Regarding Klarna’s information on recipients of the personal data, IMY goes so far as to even claim that the information was directly misleading to the data subject. The information refers to the disclosure of the data subject’s payment behaviour to both Swedish and foreign credit reference agencies. According to Klarna’s written statements, individual customer payment behaviour data is only shared with foreign companies, but the information given to the data subjects could be interpreted as if this data was shared with both Swedish and foreign credit reference agencies. This breach was, according to IMY, material and serious to the extent it also constituted an infringement of Article 5.1 and 5.2.
Although several of the points made by IMY in its decision are not new to the legal discussion, they still highlight the importance of transparency and provides further guidance on the requirements of the information in a “privacy notice”. Once again, IMY establishes that the requirements of transparency are non-negotiable, and those that draft such notices will need to fit the great amount of necessary content it into a short, readable and concise format.
Article provided by INPLP member: Fredrik Roos and Astrid Svensson (Setterwalls, Sweden)
Dr. Tobias Höllwarth (Managing Director INPLP)