In mid-October Serbian press widely reported about the direct marketing of breast milk substitutes to women who recently gave birth. The media were abuzz with speculations that somebody must have sold to the distribution company contact details necessary to send the promotional letters, and that privacy of the women was somehow compromised. It has turned out that no sale of personal data – lawful or unlawful – occurred. It is still not clear whether other, non-data protection laws, have been broken.
During the week of 12 October, the Commissioner for Information of Public Importance and Personal Data Protection ("Commissioner") carried out the supervision proceedings which did not result in detecting irregularities concerning data processing. The women were contacted by a marketing agency, Care Direct, whom the distributor engaged for implementation of the campaign. The mothers had given prior consents to Care Direct to use their personal data for the purpose of direct marketing. Or, rather, Care Direct was able to show to the Commissioner such written consents, but the Commissioner suggested in the press release that a good number of the signatures may have been forged – an issue for other state agencies to further enquire into.
Leaving aside the offences, prescribed by non-data protection legislation, which may have been committed in the particular case, an important data protection issue raised by the case is whether it is lawful under the Data Protection Act ("DP Act") to sell personal data and, if the answer is in the affirmative, under which conditions it can be done.
In general, the sale of personal data is permissible. This follows from the nature of a transaction which includes the sale of data. Such transaction includes transfer of the personal data to a third party and payment of compensation in return to receiving the data. Only the first aspect involves data processing, and – other conditions being met – such processing is permissible.
Transfer which enables a third party to use the data amounts to an act of data processing. Consequently, under the DP Act transfer must be grounded either in the provisions of a law or in the data subject's consent. If no specific piece of legislation authorizes particular type of data transfer and the consent of data subjects is needed, the data controller has to inform the data subject about all relevant aspects of the transfer before receiving his consent. This obligation stems from the general obligation of the data controllers to notify the data subjects of the relevant aspects of a data processing. The notification has to refer to the identity (or least the category) of the subsequent user/s of the data, the purpose for which the data will be used (e.g. direct marketing), the right to withdraw the consent, and other elements the DP Act explicitly requires.
As to the compensation which the data controller receives from the subsequent user in exchange for the transfer of data, it would not appear that the data controller (the "seller") has to notify the data subject and obtain his consent, as a precondition for receiving the payment. The DP Act defines personal data processing as "any action taken in connection with the data" and lists a number of examples of processing activities. In all these examples (collection, recording, copying, transfer, search, classification, separation, and so on) the data is the immediate "object" of the activity. In contrast, receiving compensation is an ancillary to another activity – the transfer – immediately directed at the data.
Furthermore, the very payment of compensation does not have the capacity to affect privacy of the data subject, and that fact additionally weakens the relevance of the compensation in the context of the protection of personal data.
The conclusion, then, is that the selling of personal data is permissible under the DP Act, provided that the properly informed data subject has consented to the transfer to a third party in order to be used for certain purpose, whether the transfer entails compensation or not.