But the decision also requires it contact the close to six million people it did not already reach out to in order to fulfil its Article 14 information notification obligation, with the DPA giving the company three months to comply.
Local press reports that Bisnode has said it will delete the sanctioned records, presumably rather than shell out to send millions of letters. It also intends to challenge the UODO’s decision, initially in Polish courts — relying on caveats contained in Article 14 which relate to how much effort a data controller has to expend to contact people to tell them it’s processing their data.
Any legal challenge to the UODO’s enforcement decision could therefore end up clarifying some harder limits around covert scraping of personal data, if it reaches the CJEU — potentially affecting operators in multiple industries and sectors such as business intelligence, advertising and even cyber threat intelligence.
“The decision is seen as radical, as it interprets Article 14 literally,” Dr Lukasz Olejnik, independent cybersecurity and privacy advisor, and research associate at the Center for Technology and Global Affairs at Oxford University, tells TechCrunch.
“UODO has taken a very principled position, arguing that the company business model is fully based on processing scraped data, and that the company has taken a decision willingly.
While there are big and potentially costly implications for data-scrapers across various industries down the legal line, depending on how Bisnode’s appeal/s pan out, Olejnik adds a judicious caveat — noting that “each case might be different and have its specifics”.
There’s certainly no guarantee that the DPA’s decision will lead to a de facto ban on covert commercial data-scraping.
There is perhaps no small irony in a privacy watchdog choosing to ineffectively withhold the name of a company that had failed to inform a large number of private individuals that it covertly held their data.
Original article