The EDPB’s new Guidelines on Article 6(1)(b) may severely limit e-commerce business’ ability to enhance data processing by unilaterally defining contractual services.
On October 8, 2019, the European Data Protection Board (“EDPB”) released the “Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects” (the “Guidelines”) after public consultation. The text of the Guidelines is available here. Largely in line with previous guidance, the EDPB takes the view that companies cannot expand legal justifications for data processing operations based on broader definitions of their services. The legal justification of a processing for performing a contract does not cover processing operations, which, reasonably, the individuals would not expect when entering into the contract. Businesses should thus carefully review the legal justifications for the processing operations and be prepared to consider limitations on certain data processing should individuals object.
I. Background and Scope of Guidelines
The EDPB has issued new Guidelines on the question of which processing operations may be justified by the performance of contract justification as per Article 6(1)(b) GDPR. The EDPB states that it sees many companies trying to gain legal justification for processing operations by simply amending their contractual services descriptions. In order to counter this perceived market movement, the EDPB now issued very strict and narrow guidance by interpreting the “necessity” of data processing for the performance of a contract based on a so-called “objective” perspective, which, rather, looks at the main purposes of a contract and what data processing reasonably can be expected than what the contract states. However, the scope of these Guidelines is limited to the performance of contract justification. The EDPB thus often stresses that if the performance of contract justification fails based on their rather strict Guidelines, there may be other legal justifications available, for example, consent, balancing of interests or compliance with legal obligations.
II. Main Analysis
1. Available Justifications under the GDPR
The EDPB begins its Guidelines by outlining that Article 6(1)(a) to (f) of the General Data Protection Regulation (“GDPR”) provides six legal bases for processing personal data, wherein at least one legal basis must be applicable in order to process personal data under the law. Article 6(1)(b) of the GDPR gives a legal basis for the processing of personal data to the extent that “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” This legal basis reflects that contracts with data subjects often cannot be performed without processing personal data. Thus, it is in both parties’ interests to process the data because the contract could not otherwise be performed. According to the EDPB, this legal basis, however, should only be relied upon where appropriate, i.e., where the processing is fair and transparent and where it recognizes the “reasonable expectations” of the individual whose data is processed.
2. The Performance of Contract Justification
Provided below is a summary of the key highlights from the Guidelines and the important takeaways as to when controllers can rely on Article 6(1)(b) to process personal data under the GDPR.
‘Necessity’ Assessment and Purpose Limitations of Article 6(1)(b)
A prerequisite for utilizing Article 6(1)(b) is the necessity of the processing of the personal data. In order to determine whether the processing of personal data is necessary for the performance of the contract, the purpose or purposes for the processing must first be identified. After determining the purpose for the processing, the next step is to assess whether the processing of personal data is “necessary” to achieve that purpose. This assessment is heavily fact-based and involves delving into whether there are other, less intrusive options than processing personal data in order to achieve the same purpose. The EDPB takes that view that if the processing of personal data is “useful” but not “objectively necessary” for performing the contract as there may be less intrusive alternatives, then Article 6(1)(b) cannot be used.
This would be true even if the processing is objectively necessary for the controller’s other business purposes. The processing would need to be objectively necessary for the particular contract in question. Additionally, “merely referencing or mentioning data processing” in the contract does not rise to the level of “objectively necessary.” In the converse, processing may be objectively necessary without mentioning the processing in the contract. In addition, the EDPB stresses that additional contractual purposes outlined in the terms of contract need to be explicit and clearly communicated should a controller want to rely on these purposes in order to justify additional data processing operations. For example, purpose descriptions such as “improving users’ ‘experience’, ‘marketing purposes’, ‘IT-security purposes’ or ‘future research’” would—without more detail—“usually not meet the criteria of being ‘specific’”.
In conducting the “necessity” assessment, the EDPB defers to prior WP29 guidance on the subject matter (LINK: Article 29 Working Party Opinion 03/2013 on purpose limitation (WP203), page 15-16). The WP29 guidance stated that processing must be “genuinely necessary for the performance of the contract” and not “unilaterally imposed on the data subject by the controller.” The WP29 guidance also acknowledged the nexus between the “necessity” assessment and compliance with the purpose-limitation principle. The purpose-limitation principle of the GDPR is that the processing of personal data for a new purpose must be compatible with the original purpose for processing, otherwise a different legal basis will be needed upon which to rely.
Based on the Guidelines, the ultimate question in the “necessity” assessment is: Can the main subject matter of the specific contract with the data subject be performed if the specific processing of the personal data in question does not occur? If so, then the processing is not “necessary.” The Guidelines offer the following additional questions to consider in the assessment:
After completing the “necessity” assessment and determining that Article 6(1)(b) is the appropriate legal basis to use to process the personal data, controllers should be mindful of the need to reevaluate the appropriateness of the legal basis, particularly in the event of changes in processing. New technology, for example, may fall outside the scope of Article 6(1)(b) and require another assessment on the appropriate legal basis.
Transparency and the Utilization of More Than a Single Legal Basis
The controller must make sure that the data subject is aware of the legal basis on which the controller is relying to process the personal data. In contracts entered into by data subjects regarding online services, the EDPB is adamant that, for controllers to meet their transparency obligations, it must be clear and specific to the data subjects as to what the applicable legal basis is. The perspective of the average data subject is the standard that controllers must use when examining whether the data subject and controller have a mutual understanding of the contractual purpose.
If the online services contract is made up of a variety of separate services or elements of a service that can be performed independently of each other, then the “necessity” assessment must be conducted for each of the services separately. Different legal bases may be used for the processing of personal data for each of the services.
Article 6(1)(b) Scope in the Context of Pre-Contractual Use and Termination of a Contract
Prior to entering into a contract, the processing of personal data may be necessary in order to aid the actual entering into of that contract. For example, a “data subject provides their postal code to see if a particular service provider operates in their area.” Controllers may rely on Article 6(1)(b) in these situations. The EDPB, however, provides several situations in which Article 6(1)(b) may not be relied on in the pre-contractual context. These include: a financial institution requesting identity documents pursuant to national laws, unsolicited marketing or processing that is not done at the request of the data subject. Other legal bases, however, may be used in these contexts.
After the termination of a contract, continuing to rely on Article 6(1)(b) for the processing of personal data is not appropriate. If the controller was processing under Article 6(1)(b), then processing must cease. Switching the legal basis from Article 6(1)(b) to a different legal basis simply in order to continue processing should not be done.
3. Examples of Article 6(1)(b) Applicability
The EDPB provides several examples in the Guidelines that demonstrate certain situations in which reliance on Article 6(1)(b) for processing personal data is appropriate as well as certain situations where it is not appropriate. These examples are as follows:
III. Analysis and Takeaways
Even though, as pointed out above, these rather strict Guidelines issued by the EDPB may be challengeable at least partially, the Guidelines do reflect the current understanding of the European data protection supervisory authorities. Companies are thus well advised to evaluate their business models to reflect the following considerations drawn from the EDPB Guidelines: