The EDPB’s new Guidelines on Article 6(1)(b) may severely limit e-commerce business’ ability to enhance data processing by unilaterally defining contractual services.
On October 8, 2019, the European Data Protection Board (“EDPB”) released the “Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects” (the “Guidelines”) after public consultation. The text of the Guidelines is available here. Largely in line with previous guidance, the EDPB takes the view that companies cannot expand legal justifications for data processing operations based on broader definitions of their services. The legal justification of a processing for performing a contract does not cover processing operations, which, reasonably, the individuals would not expect when entering into the contract. Businesses should thus carefully review the legal justifications for the processing operations and be prepared to consider limitations on certain data processing should individuals object.
I. Background and Scope of Guidelines
The EDPB has issued new Guidelines on the question of which processing operations may be justified by the performance of contract justification as per Article 6(1)(b) GDPR. The EDPB states that it sees many companies trying to gain legal justification for processing operations by simply amending their contractual services descriptions. In order to counter this perceived market movement, the EDPB now issued very strict and narrow guidance by interpreting the “necessity” of data processing for the performance of a contract based on a so-called “objective” perspective, which, rather, looks at the main purposes of a contract and what data processing reasonably can be expected than what the contract states. However, the scope of these Guidelines is limited to the performance of contract justification. The EDPB thus often stresses that if the performance of contract justification fails based on their rather strict Guidelines, there may be other legal justifications available, for example, consent, balancing of interests or compliance with legal obligations.
II. Main Analysis
1. Available Justifications under the GDPR
The EDPB begins its Guidelines by outlining that Article 6(1)(a) to (f) of the General Data Protection Regulation (“GDPR”) provides six legal bases for processing personal data, wherein at least one legal basis must be applicable in order to process personal data under the law. Article 6(1)(b) of the GDPR gives a legal basis for the processing of personal data to the extent that “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” This legal basis reflects that contracts with data subjects often cannot be performed without processing personal data. Thus, it is in both parties’ interests to process the data because the contract could not otherwise be performed. According to the EDPB, this legal basis, however, should only be relied upon where appropriate, i.e., where the processing is fair and transparent and where it recognizes the “reasonable expectations” of the individual whose data is processed.
2. The Performance of Contract Justification
Provided below is a summary of the key highlights from the Guidelines and the important takeaways as to when controllers can rely on Article 6(1)(b) to process personal data under the GDPR.
‘Necessity’ Assessment and Purpose Limitations of Article 6(1)(b)
A prerequisite for utilizing Article 6(1)(b) is the necessity of the processing of the personal data. In order to determine whether the processing of personal data is necessary for the performance of the contract, the purpose or purposes for the processing must first be identified. After determining the purpose for the processing, the next step is to assess whether the processing of personal data is “necessary” to achieve that purpose. This assessment is heavily fact-based and involves delving into whether there are other, less intrusive options than processing personal data in order to achieve the same purpose. The EDPB takes that view that if the processing of personal data is “useful” but not “objectively necessary” for performing the contract as there may be less intrusive alternatives, then Article 6(1)(b) cannot be used.
This would be true even if the processing is objectively necessary for the controller’s other business purposes. The processing would need to be objectively necessary for the particular contract in question. Additionally, “merely referencing or mentioning data processing” in the contract does not rise to the level of “objectively necessary.” In the converse, processing may be objectively necessary without mentioning the processing in the contract. In addition, the EDPB stresses that additional contractual purposes outlined in the terms of contract need to be explicit and clearly communicated should a controller want to rely on these purposes in order to justify additional data processing operations. For example, purpose descriptions such as “improving users’ ‘experience’, ‘marketing purposes’, ‘IT-security purposes’ or ‘future research’” would—without more detail—“usually not meet the criteria of being ‘specific’”.
In conducting the “necessity” assessment, the EDPB defers to prior WP29 guidance on the subject matter (LINK: Article 29 Working Party Opinion 03/2013 on purpose limitation (WP203), page 15-16). The WP29 guidance stated that processing must be “genuinely necessary for the performance of the contract” and not “unilaterally imposed on the data subject by the controller.” The WP29 guidance also acknowledged the nexus between the “necessity” assessment and compliance with the purpose-limitation principle. The purpose-limitation principle of the GDPR is that the processing of personal data for a new purpose must be compatible with the original purpose for processing, otherwise a different legal basis will be needed upon which to rely.
Based on the Guidelines, the ultimate question in the “necessity” assessment is: Can the main subject matter of the specific contract with the data subject be performed if the specific processing of the personal data in question does not occur? If so, then the processing is not “necessary.” The Guidelines offer the following additional questions to consider in the assessment:
- What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
- What is the exact rationale of the contract (i.e., its substance and fundamental object)?
- What are the essential elements of the contract?
- What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?
After completing the “necessity” assessment and determining that Article 6(1)(b) is the appropriate legal basis to use to process the personal data, controllers should be mindful of the need to reevaluate the appropriateness of the legal basis, particularly in the event of changes in processing. New technology, for example, may fall outside the scope of Article 6(1)(b) and require another assessment on the appropriate legal basis.
Transparency and the Utilization of More Than a Single Legal Basis
The controller must make sure that the data subject is aware of the legal basis on which the controller is relying to process the personal data. In contracts entered into by data subjects regarding online services, the EDPB is adamant that, for controllers to meet their transparency obligations, it must be clear and specific to the data subjects as to what the applicable legal basis is. The perspective of the average data subject is the standard that controllers must use when examining whether the data subject and controller have a mutual understanding of the contractual purpose.
If the online services contract is made up of a variety of separate services or elements of a service that can be performed independently of each other, then the “necessity” assessment must be conducted for each of the services separately. Different legal bases may be used for the processing of personal data for each of the services.
Article 6(1)(b) Scope in the Context of Pre-Contractual Use and Termination of a Contract
Prior to entering into a contract, the processing of personal data may be necessary in order to aid the actual entering into of that contract. For example, a “data subject provides their postal code to see if a particular service provider operates in their area.” Controllers may rely on Article 6(1)(b) in these situations. The EDPB, however, provides several situations in which Article 6(1)(b) may not be relied on in the pre-contractual context. These include: a financial institution requesting identity documents pursuant to national laws, unsolicited marketing or processing that is not done at the request of the data subject. Other legal bases, however, may be used in these contexts.
After the termination of a contract, continuing to rely on Article 6(1)(b) for the processing of personal data is not appropriate. If the controller was processing under Article 6(1)(b), then processing must cease. Switching the legal basis from Article 6(1)(b) to a different legal basis simply in order to continue processing should not be done.
3. Examples of Article 6(1)(b) Applicability
The EDPB provides several examples in the Guidelines that demonstrate certain situations in which reliance on Article 6(1)(b) for processing personal data is appropriate as well as certain situations where it is not appropriate. These examples are as follows:
- Payment Data Collected by an Online Retailer: When a data subject buys items from an online retailer and wants to pay by credit card and have the purchase be delivered to their home address, the retailer must process credit card information and address for payment and delivery purposes. Article 6(1)(b) is applicable in this context. If the data subject, however, wishes to have the purchase shipped to a pick up point, the data subject’s home address is not necessary for performance of the contract and, in this context, Article 6(1)(b) is not appropriate.
- Creation of Online Profiles: In the view of the EDPB, processing of personal data for behavioral advertising is not necessary for the performance of a contract for online services. Therefore, if an online retailer wants to create profiles of customers to develop a knowledge base of customers’ tastes and lifestyle choices as determined by their visits to the website, then the online retailer will need to find an alternative legal basis to carry out such profiling, as Article 6(1)(b) would not be appropriate in this context. This should be true even if such advertising helps fund the provision of the service, or if the data subject agrees to the processing of personal data in the agreement. [Note that this example shows that the EDPB takes a very static look at what a “typical” contract should perform and process and thus ignores that businesses and individuals have the freedom to enter into all sorts of contracts that should not be restrained by the “objective analysis” the EDPB shows. Because of ignoring this freedom and the dynamics of contracts and services, the analysis of the EDPB seems challengeable in particular if the customer receives direct its own benefit from certain processing operations that are part of the contractual services descriptions. However, until courts bring more clarity on the scope of the performance of contract justification, companies are well advised to carefully assess whether other legal justifications, for example, the balancing of interest test, can apply and be prepared to correspond to objections from customers.]
- Termination of an Online Service: When a contract for a service is concluded, the controller provides information to the data subject on the processing of personal data. The controller explains, inter alia, that as long as the contract is in place, it will process data about the use of the service to issue invoices. The applicable legal basis is Article 6(1)(b) as the processing for invoicing purposes can be considered to be objectively necessary for the performance of the contract. However, when the contract is terminated, and assuming there are no pending, relevant legal claims or legal requirements to retain the data, the usage history will be deleted. Furthermore, the controller informs data subjects that it has a legal obligation in national law to retain certain personal data for accounting purposes for a specified number of years. The appropriate legal basis is Article 6(1)(c), and retention will take place even if the contract is terminated.
- Improvement of Services: If the purposes of the processing are to improve a service or develop new functions within an existing service, Article 6(1)(b) is not the appropriate legal basis.
- Fraud Prevention: Article 6(1)(b) is not the appropriate legal basis for processing for the purpose of fraud prevention, such as monitoring or profiling customers.
- Personalization of Content: If personalization of content is an intrinsic and expected aspect of the online service, and not just intended to increase user engagement with the service, then it may be objectively necessary for the purpose of the contract. For example, an online retailer recommending products to past customers in order to increase interactivity is not objectively necessary to provide the service.
III. Analysis and Takeaways
Even though, as pointed out above, these rather strict Guidelines issued by the EDPB may be challengeable at least partially, the Guidelines do reflect the current understanding of the European data protection supervisory authorities. Companies are thus well advised to evaluate their business models to reflect the following considerations drawn from the EDPB Guidelines:
- Companies can only rely on the performance of contract justification where the purposes are clearly communicated, the processing operations do meet the reasonable expectation of the individuals and the processing functions are limited to what is necessary for the identified and communicated purposes.
- Companies should, in particular, assess whether their data processing operations are strictly necessary for their identified legitimate purposes or whether there are less intrusive means.
- Where the performance of contract justification fails, companies should assess whether any other legal justification, for example, an obligation to meet legal requirements, the balancing of interest-based justification or consent, applies and prepare accordingly. The privacy notices should clearly describe the processing and the legal justification and companies should be able to halt data processing where it relies on the balancing of interest justification and where an individual has rightfully objected to such processing.