Netherlands

[NL] Smart TV’s in Breach of Dutch Data Protection Act

IRIS 2013-9:1/21

Rade Obradović

Institute for Information Law (IViR), University of Amsterdam

On 2 July 2013, the Dutch data protection agency (CBP) published a report stating that TP Vision, a manufacturer of Smart TVs, is in breach of the Dutch Data Protection Act (Wbp). This report is a final version following a provisional report that had previously been sent to TP Vision in March of 2013 in order for them to put forward their views on the findings.

TP Vision makes Smart TVs for Philips and is the only manufacturer of such TVs in the Netherlands. Smart TVs are televisions with internet access possibilities/capabilities. Users can watch shows on-demand, rent movies, use apps and visit websites through a built-in browser. In its report, the CBP acknowledged that since Smart TVs are a fairly new phenomenon, there is still little awareness of the risks that are present when using the online functionalities of Smart TVs.

For each Smart TV TP Vision collects data in relation to user habits such as: when users watch TV; their favourite programmes and apps; which programmes are being recorded; which videos are being rented; and which shows they view on-demand. According to the CBP this is personal data, because it gives an extensive/probing account of users’ TV habits and interests. In accordance with the Wbp therefore, users need to be asked permission before this data is collected and must be informed about its intended use.

Using the collected data, TP Vision offers viewers personalised viewing suggestions and intends to offer personalised advertisements in the future.

There is a lack of clear and accessible information concerning the identity of TP vision and the processing of personal data via the Philips Smart TVs. It is insufficiently clear which cookies are being placed and read by TP Vision and which personal data is being collected and how long it is being stored. TP Vision tried to rectify this by adding this information to the Terms of Use Agreement, Privacy Statement and Cookie Policy. However, according to the CBP the information is inconsistent and still not sufficiently accessible to the public. It is also insufficiently clear that registering customer data with Philips is not obligatory.

Due to the fact that the cookies used by TP Vision are not functional (i.e. technically necessary) cookies, the Wbp provides that there is need for informed consent by the user for the placing of such cookies. For cookies that collect viewing habits, unambiguous consent (ondubbelzinnige toestemming) is required due to the fact that it concerns the processing of personal data. The consent needs to be based on a free, specific and informed expression of intent. Due to the lack of clear and accessible information, the received consent is considered invalid. No consent is asked for with regard to the use of advertising cookies and analytical cookies registering app and website use.

The CBP has acknowledged TP Vision’s claim that they have made efforts to comply with the Wbp and have partially ended the breach/violation since receiving the preliminary report, namely by providing information on how long the personal data is being stored.

The CBP further states that it will continue to monitor TP Vision’s compliance with the Wbp and will take appropriate enforcement action if it finds that TP Vision is still in breach of the Act.