The Belgian data trader Infobel has been hit with a €40,000 fine by the Belgian Data Protection Authority (GBA) for illegally reselling personal data for marketing purposes.
Infobel had received data from a telecom provider and subsequently sold it to a media agency, which then passed it on to a company for marketing communications. This chain of data transfer was deemed unlawful.
The GBA found that Infobel lacked proper consent from the individuals concerned. Consent must be “actively given” and cannot be implied by pre-ticked boxes or inactivity.
Furthermore, the GBA stressed that consent must be specific for each purpose. A company requesting permission for multiple uses must obtain separate consent for each, allowing individuals the freedom to choose.
The GBA concluded that Infobel violated the GDPR and imposed the €40,000 fine. It considered Infobel’s claim that the database in question had not been used since 2023 and that its data had been deleted.
As part of the ruling, Infobel must inform its business clients of this decision and delete any data for which it cannot prove valid consent. Infobel still has the option to appeal the fine. Read the GBA’s statement here: GBA Press Release.
This case highlights the growing global scrutiny of data privacy, particularly as the cybersecurity landscape evolves with new challenges from AI, quantum computing, and complex regulatory demands. The push for stricter data sovereignty and compliance with regulations like the GDPR is redefining how organizations handle personal information.
The need for explicit consent and transparent data practices is paramount, with experts predicting increased enforcement of data privacy regulations. This ensures accountability in an era where AI-generated content and quantum-assisted attacks could further erode digital trust. Building trust infrastructure is crucial.

