When legitimate interest and performance of a contract can be relied on, and what level of granularity privacy consent requires, to justify data processing under the GDPR.
As part of the privacy audits that we are running for several clients to get them compliant with the European General Data Protection Regulation, a frequent scenario is that companies collect a single consent for the processing of personal data for the delivery of marketing communications about their own products/services as well as those of third parties, and for the profiling of their customers. There is also considerable confusion about when and how legitimate interest can be relied on under privacy laws, and about how broadly performance of a contract can be used to justify data processing activities.
The purpose of this blog post is to give some clarity on the "dos and don'ts" of picking the correct legal basis for data processing among consent, legitimate interest and performance of a contract under the GDPR, and on how to use each of them properly.
What consent is required under the GDPR?
Under Article 4(11) of the GDPR, privacy consent must be a
freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
The GDPR further clarifies (Recital 32) that consent
could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
What is the level of granularity required?
The wording of the EU privacy regulation seems straightforward, but, despite such language, it leaves the door open to different interpretations on issues such as:
- Is it possible to obtain a single consent for different channels of communication?
- Is it necessary to obtain a consent for marketing communications about third parties' products/services that is separate from the consent for marketing communications about the data controller's own products/services, even if the marketing is performed by the data controller itself, without disclosing/communicating personal data to the third party?
- How shall third parties whose products/services are advertised be identified? Is it necessary to refer to their industry?
These questions were clarified in the past by data protection authorities such as the Italian privacy authority in its guidelines on direct marketing. But will these guidelines still be valid after the 25th of May 2018? The matter was not fully clarified in the guidelines of the Article 29 Working Party on privacy consent.
An important change, in any case, for countries like Italy, where privacy consent to the processing of health-related data had to be given "in writing" under the pre-GDPR regime, is that this is no longer a requirement. Privacy consent to the processing of health-related data must be explicit and specific, but it can also be given, for instance, in electronic form.
I discussed privacy consent in more detail in the blog post "How privacy consent changes with the GDPR?", which specifically focuses on the issues raised by the Article 29 Working Party on privacy consent.
When can performance of a contract be relied on?
With reference to online services, the European Data Protection Board clarified in its draft guidelines on when it is possible to rely on performance of a contract as the legal basis for data processing under Article 6(1)(b) of the GDPR that this legal basis cannot be used to justify data processing
when a requested service can be provided without the specific processing taking place.
Therefore, this legal basis must be applied narrowly, while, in my experience, companies try to stretch it to fit their needs. Indeed, according to the EDPB, "if there are realistic, less intrusive alternatives, the processing is not necessary".
To rely on this legal basis, data controllers must establish both
- that the processing takes place in the context of a valid contract with the data subject and
- that processing is necessary in order that the particular contract with the data subject can be performed.
Also, according to the EDPB, once a contract is terminated, performance of the contract can no longer be relied on as the legal basis, and a different legal basis must be used, such as compliance with a legal obligation (cf. Article 17(3)(b) of the GDPR) or the establishment, exercise or defence of legal claims (cf. Article 17(3)(e)). But such alternative legal basis must be identified at the outset and described in the relevant privacy information notice.
Finally, the EDPB clarified that performance of a contract
- cannot be used as legal basis for “service improvement“, but in such case legitimate interest might be relied on;
- cannot be used as legal basis for “fraud prevention” purposes that may involve monitoring and profiling customers, but in such case legal obligation or legitimate interests might be relied on;
- cannot be used as legal basis for "online behavioural advertising, and associated tracking and profiling of data subjects", considering that data protection is a fundamental right and personal data cannot be treated as a tradeable commodity; but
- may be used as legal basis for “personalisation of content” when it is an essential or expected element of certain online services.
When is it possible to rely on legitimate interest under the EU Privacy Regulation?
I summarised the topic in a video on my videoblog Diritto al Digitale; below is a more detailed review in English.
Under the previous privacy laws, legitimate interest could be relied on in countries like Italy only with the express approval of the data protection authority. This restriction led to limited use of this legal basis, even though there are some interesting decisions on the use of legitimate interest as the legal basis for customer profiling by telecom operators.
A higher level of flexibility is granted by the GDPR, which provides (Recital 47) that
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
The so-called "balancing test" must be run between the interests of the data controller and those of the affected individuals. The area in which legitimate interest raises the vast majority of questions is whether it can serve as the legal basis for the processing of personal data for direct marketing or even profiling purposes.
This was the topic on which the Article 29 Working Party issued its guidelines, holding that whether profiling can be based on legitimate interest depends, among other things, on
- the level of detail of the profile (e.g. a profiling activity excluding bad payers could, in my view, be grounded on legitimate interest);
- the comprehensiveness of the profile, i.e. whether the profile only describes a small aspect of the data subject or paints a more comprehensive picture;
- the impact of the profiling, i.e. its effects on the data subject, for instance whether the data subject will suffer a major loss because of the profiling or will merely receive less advantageous marketing offers; and
- the safeguards aimed at ensuring fairness, non-discrimination and accuracy in the profiling process.
What is my view?
With reference to the scenarios in which legitimate interest can be relied on under the EU Privacy Regulation, we are using it for
- cases where no other legal basis can be used (e.g. on some matters concerning employees, or with reference to the disclosure of personal data as part of M&A transactions);
- marketing profiling that is not invasive, e.g. the clustering of customers on the basis of their age range;
- the use of technologies that, because of their nature, require some level of profiling in order to work properly, in scenarios where there are other ways of, for instance, contacting a specific customer; and
- testing activities on real personal data that cannot be performed using "synthetic data", as this would impact the reliability of the test.
You can also read on this topic "Top 5 answers on how direct marketing changes with the GDPR". What is your view on the above? Happy to discuss!