The European Data Protection Board (EDPB) has published draft guidelines on the “processing of personal data under the contractual legal basis in the context of the provision of online services to data subjects”. These guidelines are currently open to consultation.
- Scope of the Guidelines: Agreements for Online Services
The guidelines relate to a specific category of agreements, meaning those under which data subjects are provided “online services”, or access to platforms that do not require a direct payment from the users but are financed by targeted advertising instead.
- Choosing the Relevant Legal Basis
In relation to such services, the most obvious legal basis would be consent, legitimate interest or contract, the latter being the subject matter of the guidelines.
Article 6(1) (b) GDPR provides a lawful basis for the processing of personal data to the extent that “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract” as a legal basis for processing.
This legal basis has the advantage of not giving rise to a data subject’s right to withdraw consent or to object to the processing. It does, however, trigger the right to portability.
The purpose of the guidelines is to set out the boundaries of the legal basis with a view to fighting against any temptation to make the contract a “catch-all” legal basis for a very extensive set of processing activities.
- The Necessity Test
For EDPB, the essential question that a controller has to address is: “Is the processing of data genuinely and objectively necessary for the performance of the contract/or in order to take pre-contractual steps at the request of a data subject?”
According to EDBP:
- “What is ‘necessary for the performance of a contract’ is not simply an assessment of what is permitted by or written into the terms of a contract. The concept of necessity has an independent meaning in European Union law, which must reflect the objectives of data protection law.”
- “If there are realistic, less intrusive alternatives, the processing is not ‘necessary’. Article 6(1)(b) will not cover processing which is useful but not objectively necessary for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the controller’s other business purposes.”
- Necessity goes beyond a mere contractual condition. There is a “distinction between processing activities necessary for the performance of a contract, and terms making the service conditional on certain processing activities that are not in fact necessary for the performance of the contract. ‘Necessary for performance’ clearly requires something more than a contractual condition.”
- “Unsolicited marketing or other processing carried out solely on the initiative of the data controller or at the request of a third party” do not amount to “pre-contractual steps at the request of the data subject.”
- “A controller may wish to bundle several separate services or elements of a service with different fundamental purposes, features or rationale into one contract. This may create a ‘take it or leave it’ situation for data subjects who may only be interested in one of the services”. “Where the contract consists of several separate services or elements of a service that can in fact reasonably be performed independently of one another, the question arises to which extent Article 6(1)(b) can serve as a legal basis”.
- After the end of the contract, the processing will “no longer be necessary for the performance of that contract and thus the controller will need to stop processing”. In principle data should not be used even with another legal basis as “it is generally unfair to swap to a new legal basis when the original basis ceases to exist.” There are, however, permitted exceptions, such as compliance with law, or exercise or defence of legal claims.
- EDBP’s Guidance Questions and Examples
An assessment should be made before the start of the processing activity, based on the following questions:
- “What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
- What is the exact rationale of the contract (i.e. its substance and fundamental object)?
- What are the essential elements of the contract?
- What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?”
Article 6(1)(b) is unlikely to be a justifiable legal basis for the following processing activities: service improvement, fraud prevention, and online behavioural advertising.
“The EDPB acknowledges that personalisation of content may (but does not always) constitute an essential or expected element of certain online services, and therefore may be regarded as necessary for the performance of the contract with the service user in some cases.” This will depend on the nature of the service provided, the expectations of the average data subject and whether the service can be provided without personalisation.
What Next?
It is important that stakeholders review these guidelines carefully and submit their views or arguments in the consultation process, where necessary, by 24 May 2019. These guidelines notably seem to object to a digital agreement where services are exchanged for personal data. Moreover, these guidelines, even though restricted to an online agreement, can also be applied more generally to many other situations where Article 6(1)(b) is used as a legal basis in the offline world. We can assist you in making any such submission.