‘Just do it’ says Dutch DPA in warning to Nike for data protection failure


Nike appNike has been collecting too much personal information from customers without correctly obtaining their permission first.

The world’s largest sportswear company has now been issued with a warning to stop this by the Dutch DPA (CBP).

The Nike+ Running app combines GPS information about distance covered with body characteristics such as height and weight to calculate calories and ‘Fuel Points’ for the Nike rankings. Storage of these details for a longer period constitutes handling of sensitive personal health information, CBP found.

Under the forthcoming EU General Data Protection Regulation (GDPR), a key principle is purpose limitation, designed to establish the boundaries within which personal data collected for a given purpose may be processed and put to further use.

The Data Controller must only collect data for specified, explicit and legitimate purposes and once data is collected it mustn’t be further processed in a way that’s incompatible with those purposes. In short, purpose limitation protects data subjects by setting limits on how Data Controllers are able to use their data while also offering some flexibility for Data Controllers.

The presumption of ‘legitimate interest’ exists under GDPR unless challenged by the data subject – in which case it’s then down to the Data Controller to show it received the necessary explicit consent in the first place or face being fined for being in breach of the EU Regulation.

Against this background there’s a growing sense of concern that personal data and sensitive personal data can be filtered, misappropriated or manipulated for financial gain to the detriment of the data subject.

Following the CBP investigation, Nike European Operations Netherlands has had to take number of measures to correct its current practices.

New users of the Nike+ Running app no longer need to give their height and weight details. Nike adjusted the information in the app and agreed to inform all users in the coming months correctly and request their explicit consent for handling this personal data.

Under the forthcoming EU General Data Protection Regulation (GDPR) Nike would face an administrative fine for failing to comply with the principles enshrined in the EU Regulation and could face a financial penalty 2% – 5% of global turnover if this was found to be a widespread and systemic failure to adhere to the GDPR by its operations across the European Union.

Leave a reply