Applying the GDPR to AI-based marketing using banking data

On 15 March 2024, the Dispute Resolution Chamber of the Belgian Data Protection Authority (DPA) issued a decision under the EU General Data Protection Regulation (GDPR) on the use, by a bank, of the transaction data of its customers to build direct marketing data models. The complainant in the case, a bank customer, had objected to the use of his transaction data for the training of the models.

The various defects in the DPA decision, analysed in detail below, include:

  • The failure to check whether the training data contained sensitive data or whether the AI-based offerings amounted to significant automated individual decisions;
  • The lack of clarification about the legal requirements (“may only”; “may not”);
  • The use of misleading terminology (“as-much-as-possible-anonymised data”); and
  • The over-easy bank-friendly acceptance of bank customers’ supposed “reasonable expectations”.

These alone, in my view, suffice to regard the decision as fundamentally flawed.

However, the most fundamental error on the part of the DPA lies in the separation of the two elements of the bank’s data processing: the “phase one” building of the models and the “phase two” application of those models to allow third party marketing, and the treatment of these two phases as, effectively, two separate processing operations for two supposedly separate purposes.

This is a sleight of hand that allowed the bank to claim, and the DPA to accept, that the processing in the two phases can be treated separately under the GDPR. Under this approach, “phase one” (the creation and training of the models) is treated as a purpose in itself; because bank customers are supposed to “reasonably expect” that the bank will do this, and suffer no consequences from it (unless they voluntarily sign up to the “personalised discount” service), it can be based on the “legitimate interest” legal basis, whereas the processing in “phase two” (the actual making of the discount offers by third parties) cannot be based on “legitimate interest” and requires consent.

It is perfectly reasonable to describe the bank’s activities (and similar activities of other entities facilitating direct marketing) as a two-phase process. But it remains one process, for one purpose: direct marketing. The DPA itself accepts that:[1]

The use of [complainant’s] transaction data in the data model [must be regarded as] … purely an interim step towards the ultimately pursued purpose, i.e., the offering of personalised discounts.

But in that case, the “interim step” requires the same justification, the same legal basis, as the overall process: consent.

The DPA’s splitting off of “phase one” from the overall process, and allowing it on a separate legal basis, is either a fundamental conceptual error or – if done deliberately to “help” the bank in its monetisation of its customers’ transaction data – deceitful.

Hopefully, further decisions by other DPAs, and ultimately the Court of Justice, will rectify this gross error.

[1] “[H]et gebruik van zijn transactiegegevens in het datamodel [dient te worden beschouwd] … louter als een tussenstap voor het uiteindelijk beoogde doel, het aanbod van gepersonaliseerde kortingen.”