As anticipated under Article 70(4) of the GDPR, the European Data Protection Board (EDPB) began, on the 12th April 2019, a public consultation on the Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (the Guidelines), with the public consultation slated to end on the 24th May 2019.
For ease of reference, Article 6(1)(b) of the GDPR, on which the Guidelines are based, is restated as follows:
“Processing shall be lawful only if and to the extent that…processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract…”
In accordance with the tasks of the EDPB to issue guidelines on various provisions of the GDPR, the EDPB published the Guidelines in a bid to regulate the application of Article 6(1)(b) of the GDPR as it concerns the provision of online services to data subjects. Some key features of the Guidelines are highlighted below:
- In justifying the focus of the Guidelines on online services (also referred to as information society services) being provided to data subjects, the EDPB relied on Articles 56 and 57 of the Treaty on the Functioning of the European Union (TFEU), which define and regulate the freedom to provide services within the European Union. In light of the proliferation of online service providers, coupled with the tracking and similar activities that flow therefrom, the EDPB considered it appropriate to provide guidance on the contractual necessity basis (as reflected in Article 6(1)(b) GDPR) for processing personal data in the context of online services, in order to ensure that it is only relied upon where appropriate.
- The Guidelines also provide that the principles of data minimization and purpose limitation are very important to reliance on Article 6(1)(b) of the GDPR as a legal basis for processing personal data in the provision of online services, particularly because technological advancements mean that more personal data than is necessary for any processing activity could very easily be collected.
- According to the Guidelines, processing that relies on Article 6(1)(b) GDPR should, in accordance with the wording of the relevant provision, be ‘necessary for the performance of a contract’. This means that it must be impossible to provide the relevant service(s) without the specific processing activity taking place. In circumstances where this requirement is not met, the EDPB recommends that another applicable legal basis should be relied on.
- In determining what amounts to necessity under the provision under consideration, the presence of other, less intrusive alternatives to the processing activity will automatically make the said legal basis inapplicable, as the processing cannot then be said to be necessary for the performance of the contract. For the legal basis to apply, controllers must ensure that (a) a contract exists, (b) the contract is valid pursuant to applicable national contract laws, and (c) the processing is objectively necessary for the performance of the contract. Failure to meet these criteria means that the controller should consider another appropriate legal basis for processing.
- In order to carry out the assessment of whether Article 6(1)(b) is applicable, the following further questions can be of guidance:
  - What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
  - What is the exact rationale of the contract (i.e. its substance and fundamental object)?
  - What are the essential elements of the contract?
  - What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?
For a detailed reading of the Guidelines, the full text is available here: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_draft_guidelines-art_6-1-b-final_public_consultation_version_en.pdf
Finally, it will be interesting to see if this public consultation will play any role in influencing the Guidelines. Just as with the GDPR journey so far, it will also be interesting to see how the Guidelines will play out and how much impact they will have, particularly among online service providers.
Interested in making your voice heard? Please forward your views, opinions and comments on the Guidelines to the EDPB at: EDPB@edpb.europa.eu