Blacklists and the data subject’s privacy interest


Blacklists are a commonly used tool for organisations to fend off problematic customers. In this blog, we will look at the legality of blacklists and the rights of the data subject from a privacy law perspective.

Blacklists can be an effective tool to protect businesses against problematic, “difficult” customers, which is why they are commonly used for precisely this purpose: for instance, as a means for commercial organisations to identify defaulters and fraudulent customers, or, in the hotel business, to keep track of guests who have been known to cause major nuisances in the past.

Putting a person on a blacklist qualifies as a form of personal data processing in the sense of the GDPR. Because the GDPR applies, the data subject has the right to object to the processing under Art. 21(1) of the GDPR.

And such objections may well be justified, as it is not uncommon for individuals to be put on a list without valid reason or kept on a list longer than necessary, thus undeservedly or for very long periods of time suffering the inhibiting effects of having been blacklisted. Recently in The Netherlands, for example, a lawsuit was filed against zwartelijstartsen.nl, a Dutch website listing physicians and health care providers allegedly having made medical errors. In its verdict, the court ruled that the site had to be taken offline, on the grounds of its personal data processing constituting a violation of the GDPR.

In this blog we will explore the following question: What does it take to make blacklisting a legitimate form of personal data processing? We will also be discussing a couple of practical examples to illustrate the various ways in which the balancing of mutual interests may turn out in a court of law when objections are submitted by the data subject.

Blacklists and the processing of personal data

The use of blacklists directly touches on the privacy interest of the data subject, which is why, for the practice to be legitimate, one of the six legal bases listed in the GDPR must apply in order for organisations to be allowed processing of personal data in a blacklist. In this context, the principle of ‘justified interest’ may fit the bill, where this justified interest could be defined as, among other things, safeguarding the organisation’s business continuity or the protection of staff and, where applicable, visitors.

This interest then needs to be balanced against the privacy interests of individuals eligible for inclusion in a blacklist. Any person to be included, in other words, has to have exhibited behaviour so undesirable that it actually puts the organisation, its employees and possible third parties at risk. This may vary from one case to another, which is where the requirements of subsidiarity and proportionality come in. Where less severe, less invasive means are also available to achieve the same goal, the drastic measure of using a blacklist may not be chosen.

If, on the other hand, there is proper substantiation of justified interest, while this can also be shown to outweigh the data subject’s privacy interest, organisations do have the right to create and maintain blacklists.

If a blacklist also contains criminal data, additional, very strict requirements apply, among them the obligation on the organisation’s part to apply for a permit from the DPA and to use a standard protocol.

Objecting to inclusion in a blacklist

Since, in the context of blacklists, the GDPR definitively applies, the data subjects also have a number of specific rights, listed in Chapter 2 of the GDPR. Particularly relevant to blacklists are the right of access, the right to rectification, the right to be forgotten and the right to object, the latter being the subject of the second part of this blog.

Having the right to object means that data subjects are entitled to object, for specific, private reasons, to the processing of their personal data. In that case the controller, i.e. the organisation maintaining the blacklist, is required to stop the processing, unless it can demonstrate compelling legitimate grounds for its continuation which override the interests of the data subject. Again, a case of balancing conflicting interests.

To present a practical example of such interest balancing, I will briefly discuss a lawsuit filed by a Dutch citizen on record with the Bureau of Credit Registration (BKR) against the Dutch bank ‘de Volksbank’. The person had a BKR-registration because of months of unauthorised overdraft on his current account. When, later, the person wanted to buy a house, he was unable to do so because as a result of his BKR-registration, the bank refused his mortgage application. In the ensuing lawsuit, he then demanded erasure of his data from the BKR-records, claiming that his interest in trying to buy a house outweighed the bank’s interest in maintaining the registration. In the end, the court disagreed, ruling that the purpose served by the BKR-registration – providing the registered person protection against over-crediting – could not have been achieved by less detrimental means.

What this adds up to is not that objecting to inclusion in a blacklist must be considered an exercise in futility. In another, generally similar case, the court did rule in favour of the plaintiff, agreeing to his overriding interest in being removed from a debt register so as to be able to buy a house. Again, a case of careful interest balancing, this time with a different result. Here, the person filing the lawsuit was able to demonstrate having gone through a difficult phase of his life and having suffered from psychological complaints during the period in which the debts were incurred. At the time of the lawsuit, all debts had been taken care of and it could be clearly demonstrated that the person was doing well. As a result, the court ruled in favour of erasure from the debt register based on the apparent change for the better in the person’s state of affairs and the overriding nature of his personal interest.

All in all, small differences in the facts and circumstances of any given case can be decisive in determining the success or failure of an objection to blacklisting.

Darinka Zarić

Darinka Zarić is a legal counsel at The Privacy Factory. Legal issues regarding the digital society appeal to her, especially in the field of Privacy Law and the use of big data. She is currently following the master's programme Internet, Intellectual Property and IT-Law at the Vrije Universiteit Amsterdam.
