The European Data Protection Board has released for consultation a new set of guidelines on the topic of the processing of personal data in the context of online services (“Guidelines”). In particular, the Guidelines focus on the circumstances in which it is appropriate to use performance of a contract (Art. 6(1)(b)) as the lawful basis for processing personal data, and those in which other bases, such as consent (Art. 6(1)(a)) or legitimate interests (Art. 6(1)(f)), are preferable. The Guidelines attempt to correct perceived ‘bad practice’ resulting from an overly broad application of the performance of a contract basis. They can also be seen as building on previous advice which the EDPB and its forerunner, the Article 29 Working Party, have given on the issue of lawful bases for processing, in particular Opinion 06/2014. Lawful basis has also come up recently, in relation to consent, in the Planet49 case, and these new Guidelines also address consent (at least tangentially) in an online context.

Key Takeaways

Some of the key points from the guidelines are:

· Necessity. The concept of what is necessary for the performance of a contract is not simply equivalent to what is written into a contract. This is a well-established point, but one which is worth emphasising. A website operator cannot artificially expand the scope of Art. 6(1)(b) through the way in which it drafts the online Terms and Conditions, for example by listing processing activities which are not strictly necessary in order to deliver the services requested by the customer.

· Contracted services versus wider business model. To help understand the distinction between what is, and what is not, necessary to perform a contract for the purposes of Art. 6(1)(b), the guidelines draw a helpful distinction between what is necessary to deliver the contracted services to the individual, on the one hand, and what is necessary for the controller’s wider business model, on the other hand. Two examples of activities which are likely to fall into the latter category are (i) service improvement / development of the website; and (ii) advertising of related services (including online behavioural advertising facilitated by cookie technologies) on the website.

· Purpose limitation. The principle of purpose limitation (i.e. only collecting personal data for certain specified purposes) dictates that, where a controller wishes to rely on Art. 6(1)(b), the contract must clearly and specifically state the relevant purposes for processing. Vague expressions (‘delivering the services’ or ‘administering the contract’) are to be avoided. This notably aligns very closely with the EDPB’s previous guidance in relation to transparency, which cautioned against vague expressions and similarly imprecise language in the context of privacy notices generally.

· Entering into a contract ≠ consent. The EDPB is concerned about a risk of misunderstanding, by either the data subject or the controller, that a data subject’s acceptance of, or agreement to, a set of T&Cs will constitute consent for the purposes of data protection (i.e. Art. 6(1)(a)). Website sign-up forms which are woolly or misleading on this point are common. If express agreement to T&Cs is desirable for legal evidential reasons, then this should be dealt with separately from an acknowledgement of the privacy notice / privacy policy (the contents of which should be clear about the actual lawful basis for processing).

Context Specific Examples

The guidelines conclude by focusing on some common processing scenarios in an online context, and analysing whether (or not) Art. 6(1)(b) would be applicable.

As indicated above, the guidelines are clear that ‘service improvement’ type activities (e.g. collecting metrics on how data subjects use and engage with the website in order to improve the website) are not necessary for the performance of a contract – this is fairly uncontroversial, and most controllers would properly opt for legitimate interests or potentially consent. Also uncontroversial (as it was dealt with in Opinion 06/2014), although perhaps more surprising to some controllers, is the guidance that fraud prevention processes will not normally benefit from Art. 6(1)(b). In an online context, these might range from customer address verification checks, to sophisticated behavioural analysis tools combating e-commerce payment fraud. The EDPB’s view is that, whilst they may be essential for the safe operation of the wider business model, they go beyond what is objectively necessary for the performance of a contract with a data subject.

Personalised Services

The most interesting example chosen is in relation to the personalisation of content. A huge array of websites offer services which are at least partly personalised to an identified user, with the personalisation based on their past activities on the website, their purchase history (so-called ‘recommendation engines’) or their expressly stated preferences. In the EDPB’s view, where the personalisation is an “intrinsic aspect of an online service”, the Art. 6(1)(b) basis will be available to support the underlying data processing. However, the EDPB carefully distinguishes between services where the personalisation is the core component of the service (for example, a news aggregation service which pulls in content from different places based on your stated preferences, think Apple News or Feedly) and those where the personalisation is ancillary. For example, the core service offered by your typical e-commerce site is the sale of products; showing a user a personalised virtual storefront, with a personalised list of products, is not normally intrinsic to that service, and therefore not necessary for the performance of the contract for Art. 6(1)(b) purposes.