A recent decision from Denmark’s privacy regulator should serve as a warning to other businesses across the European Union that record customers’ phone calls, practitioners and legal experts have told Bloomberg Law.
Denmark’s Data Protection Authority announced April 11 that it banned the country’s largest telecom, TDC A/S, from recording customers’ calls, for training or any other purpose, until the company offers an opt-out or way to give active consent. The right to opt out in such circumstances is enshrined in the General Data Protection Regulation (GDPR). Voice recordings are seen as personal data under the GDPR, and the rules generally apply to both EU and non-EU companies that process the personal data of EU residents.
The decision shows that data protection regulators are willing and able to enforce the GDPR’s voice recording consent provision, Michael Gorm Madsen, a partner in Bird & Bird’s Danish privacy and data protection practice, said.
“This can be seen as a wake-up call for all businesses recording telephone calls,” Madsen said. “If they have not already done so, they should implement consent technology now.”
Companies operating in Europe may have to change their policies for recording calls for training purposes if other DPAs follow Denmark’s lead and enforce that part of the GDPR, Jesper Lund, Chairman of Denmark’s IT-Political Association, said in an email.
“In the past, tacit consent for call recording may have been accepted by European DPAs if the data subject is informed at the outset of the call,” he said. “However, the GDPR requires a specific affirmative act from the data subject, and inaction is not accepted as consent.”
Denmark’s DPA said its decision stemmed from a customer’s complaint about a TDC subsidiary. The customer learned while on hold that his call could be recorded. He told a live agent that he didn’t want to be recorded, but the agent said it wasn’t technically possible to turn off the recording mechanism, according to the decision.
TDC was in “serious breach of the Danish Data Protection Regulation” by not having mechanisms in place to prevent customers’ calls being recorded upon request, the privacy regulator said. It rejected TDC’s claim that the practice served a legitimate interest, namely the improvement of its customer service.
“In this specific case, we found it most appropriate to impose a ban on the processing instead of initiating a criminal case in order to punish TDC with a fine,” DPA Deputy Commissioner Birgit Kleis said in a statement. ”I don’t exclude the use of fines in similar cases in the future.”
TDC said in a statement that it deleted all of its recordings that are more than 30 days old and is “working on a technical solution to implement active consent.”
Soren Sandfeld Jakobsen, a Professor at Aalborg University’s Department of Law, said giving TDC a chance to correct the problem rather than issuing a fine made sense. “The infringement only related to a limited number of data subjects, it did not concern sensitive data, the recorded phone conversations were deleted after use, and no evidence exists that they were used for anything other than training purposes,” he said in an email.
Lund said he would expect other data protection authorities in Europe to follow a similar course for companies’ first-time violations of the GDPR’s active consent rule. But Sandfeld Jakobsen said he would “not be surprised” if other EU DPAs took different approaches.
Other businesses, then, may not get off as easily as TDC did.
“I think quite a number of business today are recording telephone calls for training purposes without asking for consent,” Madsen said. “This may be seen as guidance to the market from the DPA, saying that they actually mean it when they say consent is needed. This time it’s a warning but next time it could a fine.”
To contact the reporter on this story: Marcus Hoy in Copenhagen at firstname.lastname@example.org
To contact the editors responsible for this story: Rebecca Baker at email@example.com; Keith Perine at firstname.lastname@example.org