Introduction
Modern technologies and personal data are increasingly important for real estate businesses. Robotics, Wi-Fi tracking, augmented and virtual reality, sensor technology, and the Internet of Things (e.g., a physical smart object in an internet-based structure) are some of the technologies being used. Through such modern technologies, a landlord has access to a large amount of data with respect to the owned property.
Collecting, sorting, and analyzing such data can provide the landlord with new insights on the building and its users, and can enable the landlord to predict their behavior. The accuracy of such predictions will generally improve if the landlord can develop a large dataset and combine a variety of information (e.g., by using data from a real estate portfolio). Predicting the behavior of a building’s users can, amongst other things, improve the service level, help retain tenants, and reduce maintenance costs.
The technological possibilities for data processing in real estate seem endless. However, the legislature has put in place certain limits.
Statutory limits to personal data processing in the EU
Under the EU General Data Protection Regulation (GDPR), processing of personal data requires a legal basis (e.g., consent or the execution of a contract). Personal data can in principle only be processed for specified and legitimate purposes. Data subjects must be informed about all personal data processing, and the data controller cannot freely share the personal information with third parties. In addition, using personal data to predict a person’s behavior and for decision-making may qualify as “profiling” and “automated individual decision-making” under the GDPR.
Profiling and automated individual decision-making have a somewhat negative connotation, as they are believed to create unfair stereotypes and social division. As a result, profiling and automated individual decision-making are subject to scrutiny. Profiling under the GDPR is “any form of automated processing carried out on personal data for the purpose of evaluation of certain personal aspects to a natural person, in particular to analyze or predict aspects with regard to work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements”.
Automated decision-making under the GDPR is defined as “making a decision by technological means without human involvement”.
Data subjects must be informed about any profiling or automated individual decision-making that occurs, the logic employed to justify such profiling, and the expected consequences of the processing. In addition, data controllers must consider objections against personal data processing, which can be made at any time.
The Dutch Data Protection Authority has stated (link in Dutch) that the tracking of people in the street, in shopping centers or stations via their mobile devices is only allowed in a few rare cases and under strict conditions. It is only allowed, according to the Dutch Data Protection Authority, if explicit prior consent is obtained or if there is a legitimate purpose. Based on this decision by the Dutch Data Protection Authority, tracking activities are only allowed if limited to specific periods and areas and where truly necessary. At other times and places, this measuring equipment should be turned off (link in Dutch). The Dutch Data Protection Authority has already imposed an order (link in Dutch) on Bluetrace, subject to penalty for noncompliance (last onder dwangsom), under the former Dutch Data Protection Act. The company was providing technology which could be used to track Wi-Fi signals of mobile devices arounds stores. Bluetrace had to stop collecting personal data from neighboring residents, erase or anonymize data from shopping passers-by, and provide information in and around the stores about the data processing.
Although the use of data in real estate has much broader applications than WIFI-tracking, the mentioned examples do illustrate the fine line between the technical possibilities for processing personal data and the statutory limits.
Conclusion
Non-compliance with GDPR requirements may lead to severe fines. The regulatory limits to personal data processing do not mean, however, that modern technologies can no longer be used. While the benefits of modern technologies remain available for both landlords and tenants, such technologies must be used in a transparent, fair, and lawful manner. Landlords, amongst other affected parties, will have to address the use of such modern technologies in their lease agreements and privacy policies.
Click here for more on GDPR.