EDPB issues draft guidelines on using ‘contract’ as lawful basis for online services
Is your collection of personal data and the purposes you use if for really necessary in order to provide people with your online service or are you in danger of bundling a number of activities in your terms? Is there a risk this lawful basis is being too broadly interpreted?
The European Data Protection Board (EDPB) has published draft guidelines on using ‘performance of a contract’, or entering into a contract (Article 6.1(b)), for the processing of personal data in the context of providing online services.
In the main, the guidelines clarify previous guidance issued by the Article 29 Working Party (which the EDPB replaced in May last year) . The focus is on online services as a distinct type of product, when it’s appropriate to use this as a lawful basis and the concept of “necessity”.
What does GDPR say?
Article 6.1 says, “Processing shall be lawful only if and to the extent that at least one of the following applies … “
6.1.(b) states, “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
What is an online service?
The EDPB says the term ‘online services’ used in its guidelines refers to ‘information society services’. These services are defined as:
“Any service normally provided for remuneration, at a distance, by electronic means and at the individual request of the recipient of the service”.
The EDPB says this definition extends to services that are not paid for directly persons who receive them, such as online services funded through advertising.
They further comment;
“The proliferation of always-on mobile internet and the widespread availability of connected devices have enabled the development of online services in fields such as social media, e-commerce, internet search, communication, and travel. While some of these services are funded by user payments, others are provided without monetary payment by the consumer, instead financed by the sale of online advertising services allowing for targeting of data subjects.”
The EDPB reiterate its guidelines are concerned with the applicability of Article 6.1(b) to the processing of personal data in the context of contracts for online services, irrespective of how services are financed. It confirms that the validity of contracts themselves is outside of the EDPB’s scope but stress that terms must comply with the requirements of contract law, and if relevant, consumer protections laws in order for processing based on those terms to be considered fair and lawful.
Purpose limitation & data minimisation
The requirement for organisations to ensure that any processing under Article 6.1(b) also complies with general data protection principles is highlighted, with the following viewed as specifically relevant in contracts for online services;
– purpose limitation – i.e. personal data must only be processed for specified purposes. Personal data collected for one purpose should not be used for a new, incompatible purpose
and
– data minimisation – i.e. process as little personal data as possible in order to achieve the purpose
The EDPB identifiies what it describes as an ‘acute risk’ that organisations may seek to include general processing terms in contracts in order to maximise collection and use of data, without adequately specifying the purposes or considering the data minimisation obligation.
Contract v Consent
It’s recognised that where processing is not considered necessary for performance of a contract another lawful basis may be applicable, subject to relevant conditions being met. The EDPB references the WP29 guidelines on consent which state;
“where a controller seeks to process personal data that are in fact necessary for the performance of a contract, then consent is not the appropriate lawful basis”.
The EDPB further considers that;
“where processing is not in fact necessary for the performance of a contract, such processing can take place only if it relies on another appropriate legal basis.”
The overarching principle of transparency is, in the EDPB’s view, the key to avoid any confusion when individuals are entering into a contract regarding online services. The risk is highlighted that individuals may erroneously get the impression they are giving their consent when signing a contract or accepting terms of a service.
The guidelines say organisations need to be mindful of distinguishing between entering into a contract and giving consent; these are different concepts and have different implications for individuals’ rights and expectations.
This is an area some organisations may need to revisit, as in particular, website sign-up forms can be misleading.
Necessity
The EDPB say the concept of what is ‘necessary’ for the performance of a contract is not just an assessment of what is permitted by or written into the terms. The guidelines say;
“It also involves consideration of the fundamental right to privacy and protection of personal data, as well as the requirements of data protection principles including, notably, the fairness principle.”
1) Assessing Necessity
In assessing the necessity of processing, the guidlines urge organisations to balance ‘a fact-based assessment of the processing objective’ with ‘whether it’s less intrusive compared to other options for achieving the same goal.’
The EDPB says Article 6.1(b) will not cover processing which is ‘useful’ but not objectively necessary for performing the service or for taking relevant pre-contractual steps – even if it is necessary for the controller’s other business purposes.
This is an important clarification; if a purpose is necessary to the business but not objectively necessary for the contract with individuals, then the business should look to another lawful basis for this purpose, such as perhaps legitimate interests. A view supported by the ICO’s guidance on contract which says;
“The processing must be necessary to perform the contract with this particular person. If the processing is instead necessary to maintain your business model more generally, or is included in your terms for other business purposes beyond delivering the contractual service, this lawful basis will not apply and you should consider another lawful basis, such as legitimate interests.”
The EDPB endorses previously adopted WP29 guidelines that ‘necessary’ for the performance of a contract must be, “interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller.”
The guidelines suggest the following questions should be asked when assessing necessity:
- What is the nature of the service being provided to the data subject?
- What are its distinguishing characteristics?
- What is the exact rationale of the contract (i.e. its substance and fundamental object)?
- What are the essential elements of the contract?
- What are the mutual perspectives and expectations of the parties to the contract?
- How is the service promoted or advertised to the data subject?
- Would an ordinary user of the service, reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are party?
If an assessment reveals that the intended processing goes beyond what is objectively necessary, it doesn’t mean this processing cannot take place, another lawful bases could potentially be relied upon.
2) Separate services/elements of service
The EDPB questions the extent to which Article 6.1(b) can serve as the lawful basis when a contract consists of several separate services (or elements of a service) that could reasonably be performed independently of one another. It’s advised, that in line with the fairness principle, the context of each of those services should be assessed separately, looking at what is objectively necessary to perform each. It’s stated;
“This assessment may reveal that certain processing activities are not necessary for the individual services requested by the data subject, but rather necessary for the controller’s wider business model. In that case, Article 6(1)(b) will not be a legal basis for those activities. However, other legal bases may be available for that processing, such as Article 6(1)(a) or (f), provided that the relevant criteria are met. Therefore, the assessment of the applicability of Article 6(1)(b) does not affect the legality of the contract or the bundling of services as such.”
3) Just because it’s in the contract, doesn’t mean it’s necessary
The EDPB clearly takes the stance that just because some processing is covered by a contract doesn’t mean it is necessary for its performance; just because activites are mentioned in the small print does not automatically make them ‘necessary’.
With particular reference to digital services the guidelines say;
“Contracts for digital services may incorporate express terms that impose additional conditions about advertising, payments or cookies, amongst other things. A contract cannot artificially expand the categories of personal data or types of processing operation that the controller needs to carry out for the performance of the contract within the meaning of Article 6(1)(b).”
4) Termination of Contract
In general, the EDPB view is that if a contract is terminated the processing should cease but it’s recognised there may be justifiable reasons why this information cannot be erased.
5) Necessary for taking steps to enter into a contract
The guidelines recognise some processing will be necessary in order to take steps, at the request of an individual, prior to entering into a contract. It’s stated;
“this provision would not cover unsolicited marketing or other processing which is carried out solely on the initiative of the data controller, or at the request of a third party.”
The following example is provided of where processing would be considered necessary in order to take steps prior to entering into a contract:
Example: A data subject provides their postal code to see if a particular service provider operates in their area. This can be regarded as processing necessary to take steps at the request of the data subject prior to entering into a contract pursuant to Article 6(1)(b).
However, the following example indicates where this wouldn’t be the case:
In some cases, financial institutions have a duty to identify their customers pursuant to national laws. In line with this, before entering into a contract with data subjects, a bank requests to see their identity documents. In this case, the identification is necessary for a legal obligation on behalf of the bank rather than to take steps at the data subject’s request. Therefore, the appropriate legal basis is not Article 6(1)(b), but Article 6(1)(c)*.
*Article 6.1(c) – processing is necessary for compliance with legal obligation.
6) Where processing under contract would not be appropriate
The EDPB cites the following as being examples of processing which would NOT be appropriate under performance of a contact;
– Processing for service improvement
– Processing for fraud prevention
– Processing for online behavioural advertising
7) Personalisation of content – contract or not?
It’s accepted that personalised content may be considered an essential or expected element of certain online services, but it’s also stressed this will not always be the case. The guidelines say whether such processing can be regarded as an intrinsic aspect of the service, will depend on;
– The nature of the service
– The expectations of the average data subject (not only in terms of the services, but in the manner in which is it promoted)
– Whether the service can be provided without personalisation
Where personalisation is not objectively necessary, e.g. it is intended to increase user engagement, organisations are advised to consider an alternative lawful basis. The following example is provided:
Example: An online marketplace allows potential buyers to browse for and purchase products. The market place wishes to display personalised product suggestions based on which listings the potential buyers have previously viewed on the platform in order to increase interactivity. This personalisation is not objectively necessary to provide the marketplace service. Thus, such processing of personal data cannot rely on Article 6(1)(b) as a basis.
Many organisations prior to GDPR being enforced last year, will have carefully identified and assessed their lawful bases for processing, and in particular considered ‘necessity’ when relying on performance of a contract. Others, however, could be including a number of activities in their terms that could be judged to have been unnecessarily bundled in.
The EDPB draft guidelines can be found here.
Philippa Donn, May 2019
Copyright DPN
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.