ING is going to send its customers personalized advertising based on their payment information. For example, the bank will call customers with a large amount of money in their checking account to discuss where they would like that money to go. To do this, ING Bank will analyze, among other things, where a customer pays, to whom he pays, and from whom he receives money.
It is not unusual for an organization to try to earn more from the data it needs to provide its service. Consider, for example, the tennis association, which last year sold members' contact information to sponsors, and Rabobank, which likewise indicated it could use payment data for personalized marketing. ING announced in 2014 that it would use payment data for personalized advertising for third parties. These plans were eventually reversed after skeptical reactions from the Netherlands Authority for the Financial Markets (AFM) and the Netherlands Bureau for Economic Policy Analysis (CBP). Now ING is trying again, albeit limited to advertising its own services. The question is whether this more limited version can be done under (now tightened) privacy laws.
Clearly, customers did not consent to the use of payment data for personalized marketing (financial microtargeting). After all, consent under the General Data Protection Regulation (AVG) requires a "statement or an unambiguous active act." Unilaterally informing customers that the privacy policy has been revamped to allow for new processing does not meet this requirement.
This is not necessarily problematic. ING correctly states that it can also process personal data if it has a legitimate interest. Indeed, the AVG explicitly mentions direct marketing as an example of a legitimate interest.
ING's choice of legitimate interest does limit its freedom to deploy personalized advertising. For example, consent would allow ING to escape the ban on processing special personal data in Article 9 AVG, or the ban on automated decision-making with significant effects in Article 22 AVG. Unless ING can use other grounds for exception, the bank will have to use a more limited form of personalized advertising that falls outside these prohibitions. This means, for example, that ING cannot process health data to provide personalized advertising for health insurance, or target advertising for high-interest loans to people in debt. (1)
Also, with the consent of its customers, ING would not have to argue that processing for personalized advertising is compatible with the purpose for which data was originally collected, namely the proper functioning of the checking account. Making this argument will be difficult, given the nature of the relationship between ING and its customers, the fact that it can be difficult to switch banks and the lack of a link between the functioning of a bank account and personalized advertising.
ING may be able to circumvent this obstacle by (re)collecting data based on a legitimate interest for direct marketing. Since ING, as evidenced by its previous privacy statements, has been processing payment data for marketing purposes for years, it is possible that the bank already has a database of more recent payment data collected on the basis of a legitimate interest for marketing. However, this leads to the more fundamental question: can personalized marketing based on payment data be based on a legitimate interest at all?
For this to happen, it is not sufficient that ING cites a legitimate interest. In addition, the processing must be necessary for this purpose and strike the right balance with the interests and rights of others. ING has taken a number of measures that make such a balance more likely. For example, the bank does not share personal data with others and only uses the data to offer its own services. This already rules out a number of sensitive scenarios. For example, it does not allow political parties to target advertising to individuals who pay dues to another party.
Of course, this does not mean that there is a balance between ING's interest and the customer's interest. After all, the customer is already contributing to ING's corporate interest by paying for the account. For many other banks, processing payment data alongside this is not necessary for personalized marketing. For example, ASN bank states in its privacy statement that it mainly checks whether a customer already purchases certain products from the bank and which pages he visits. For that matter, it is also highly questionable whether use of all debit and credit transfers complies with the data minimization principle.
Besides the question of what the added value of using payment data is for ING, there is the fact that debits and credits are sensitive data. From this, for example, it can be deduced where someone works, what their hobbies are, whether they are in debt and even whether they are in the bar. Moreover, this data can be used to influence individuals when they are about to make particularly important decisions. ING itself, for example, says it wants to target individuals who are likely to take out a mortgage.
Therefore, the AP calls it "unlikely" that processing of financial data for direct marketing can be placed under a legitimate interest. (2) It seems unlikely to me, given the above points, that this is different for ING.
(1) https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612053
(2) https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/internet-telefoon-tv-en-post/direct-marketing#kan-ik-een-beroep-doen-op-de-grondslag-van-gerechtvaardigd-belang-voor-direct-marketing-per-post-6835