Xynics has been working with businesses of all shapes and sizes, helping them become compliant with the GDPR and other Data Privacy and Protection legislation.
One subject that keeps cropping up time and time again is the use of "publicly available" personal data. By this I mean data that has not been intentionally given to the business by the individual(s) concerned.
A good example of this dubious use of publicly available data is the so-called "finder" website: a service where you provide an email address, a domain name or other information you already know, and it returns personal data for that person or for others at the same company. Just google "find email addresses" and a selection of such services will appear on the first page of results.
Xynics would be more than happy to work with these businesses to bring them to compliance; however, based on the extracts from their Privacy Policies below, they already feel that they are compliant on the basis that the data they process is publicly available.
The regulators may or may not agree with me on this, but it is my professional opinion, as a holder of the Practitioner Certificate in Data Protection, that neither of the above is compliant with the GDPR. Here are my top 3 reasons for that opinion:
- There are no general exemptions from the GDPR for personal data that has been made publicly available. Article 9 expressly forbids the processing of sensitive data, the "Special Categories of Data", except where you have an explicit lawful basis to do so or the individual has already made that sensitive information public themselves. The exemptions within Article 9 apply only to Sensitive data, not to Personal Data in general.
- Article 14 of the GDPR (Transparency of data not obtained directly from the Data Subject). These businesses have determined the means and purpose for collecting and processing personal data, and are therefore a Data Controller as defined within the GDPR. With this come the transparency obligations laid out in Article 14, which requires a Data Controller to provide to the individual, within one calendar month of obtaining their information, all of the disclosures outlined in Article 14(1) & (2). This includes where they got the information from and how they will use it. As none of these sites (which I appear on) have ever communicated with me, they are not fulfilling this requirement.
- It's Theft! Extracting (or scraping) data from Social Media or a website is likely to be a breach of the social media platform's or website's Terms and Conditions. In years gone by, businesses would use the Phone Book or Yellow Pages to market to individuals, and to that extent the activity would have been in breach of the terms and conditions of those publications. The same is true of the modern incarnation of this: scraping data from Social Media, websites and web directories. If you take what is neither yours nor given to you, it is theft whichever way you look at it. The only difference now is that the source you take it from could be seen as the subject of an ongoing data breach, and in taking that information you would be the perpetrator of that breach. I know with certainty that one of these finder sites stole my data from another website, because that other website contained a unique error which is replicated in the finder results.
So, to answer that original question, "when is it ok to use personal data that has been made publicly available (by the individual)?"
Who's expecting me to say never?
You can use it if you are transparent about that use and your processing of it meets the principles of the GDPR and the rights of the data subject. It really doesn't matter whether the information has been made public or not; these fundamental rights and principles still apply:
You simply need to be transparent and meet your Article 14 obligations.
If you're still in doubt, think of it like this. You leave your credit card on your desk and someone in your office decides to use it to make a purchase, putting it back before you notice it's gone. You left it in public view, so is it OK for someone to use it without your permission?