Editor's Note:
Thomas Shaw is the author of the IAPP book: DPO Handbook — Data Protection Officers Under the GDPR.
One of the questions that does not get much attention in data protection is the concept of excessiveness. Data Protection Directive Article 6(1)(c) states personal data must be “(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.” General Data Protection Regulation Article 5(1)(c) states that personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” So, personal data that is excessive or unnecessary cannot be collected and processed.
While these provisions seem clear enough, they beg the question of what is excessive/unnecessary collection and processing of personal data and, perhaps even more important, who gets to decide what is excessive/unnecessary and what is not.
If a data subject refuses to provide data it deems as being excessive/unnecessary to a data controller, and the controller subsequently declines to offer the requested product or service, does the data subject have legal recourse against a controller for tying their provision of a product or service to collection of excessive/unnecessary personal data?
Examples of data controllers requesting excessive/unnecessary personal data abound in the EU. When looking for a new place to live, estate agents ask for a detailed transaction history of the applicant’s bank account. When trying to secure a loan in one country, banks ask whether the applicant has paid taxes in another country. When starting a new home electric power service, the utility companies ask for the applicant’s date of birth. When children enter competitions, their parents are asked to consent to the ongoing use of images of the children. Controllers seem insistent that they can demand any personal data they see fit, but do they have the legal right to collect any and all personal data they wish?
The Law
The term “necessary” is used more than 60 times in the GDPR’s articles. In relation to data subject rights, it is primarily used to limit the scope of the legal bases to process ordinary or sensitive personal data, or to transfer data outside the European Economic Area. But this concept is also used beyond just defining legal bases, as the Article 29 Working Party states that “even if the processing of personal data is based on the legitimate interests ground, or on the performance of a contract, this would not allow for the collection of data which is excessive in relation to the purpose specified.”
This concept is also used in GDPR Article 25 to describe the requirement that privacy by default is to be implemented so that “only personal data which are necessary for each specific purpose of the processing are processed.” Under the Article 5 principles, personal data should be retained in an identifiable format no longer than necessary. However, there is no definition of “necessary” in the GDPR, and the recitals do not further illuminate what the boundaries of excessive/unnecessary are.
The European Court of Human Rights has often utilized the concept of “necessary” when analyzing whether a law is considered to be “necessary in a democratic society.” The Convention on Human Rights Article 8 allows for the right to privacy which can only be interfered with by governments if any restrictions are in accordance with the law and necessary for legitimate interests such as national security, crime prevention, national economy, or the rights and freedoms of others. The GDPR has utilized this concept of necessary in a democratic society as a threshold along with proportionality for national restrictions on data protection rights, such as those in the public interest or for national security.
The ECHR has defined “necessary” as occurring somewhere on a scale between “indispensable” and “reasonable… or desirable.” ECHR jurisprudence has created the following three prongs for determining whether a restriction is “necessary in a democratic society,” in relation to processing of criminal justice data. To be considered necessary, the restriction must meet a pressing social need, be proportionate to a legitimate interest, and there must be relevant and sufficient reasons for the restriction.
WP29 has interpreted the first prong to require some harm that the restriction would mitigate; the second prong to involve evaluating the severity of the harm, the scope of the restriction, and safeguards for fundamental rights; and the third prong to be based on analysis, research and surveys.
The Court of Justice of the European Union jurisprudence has also looked at the restrictions of DP rights and the balancing of DP rights with other rights such as freedom of expression. In Stadt Bochum, the Court said that in evaluating necessity, it is essential to “examine whether it is possible to envisage measures which will interfere less with the rights recognised by Articles 7 and 8 of the Charter but” are still effective. In Tietosuojavaltuutettu, the Court said that “the protection of the fundamental right to privacy requires that the derogations and limitations in relation to the protection of data… must apply only in so far as is strictly necessary.”
A test
How would these requirements of necessity for legal restrictions on data protection rights apply to evaluating necessity in relation to the purposes of processing? Just as member state laws allow for interference with individuals’ privacy and data protection rights granted under the Charter, so processing by controllers interferes with the privacy and data protection rights of data subjects. Analyzing necessity of processing under GDPR Article 5(1)(c) should then be possible under a test similar to those used by the CJEU and ECHR for necessity of laws implementing DP restrictions.
The necessity of processing could be analyzed through a two-part test. The first part of the test is adapted from the ECHR, meaning that the processing must resolve a legal obligation or important need of the controller related to the processing (essentially verifying a valid legal basis for processing), must be proportionate, and must be supported by relevant and sufficient reasons that the controller has documented.
The second part of the test adapts the CJEU’s definition of being strictly necessary, meaning that processing is not necessary if there is another effective mechanism available that is less invasive of the data protection rights and interests of the data subject. As restated by WP29, if “any less intrusive but equally effective measure (taking into account reasonable costs) are available then only these measures will be deemed necessary.”
Application
This test can be illustrated using one of the examples mentioned above, the estate agent’s demand for an applicant’s banking history. The first part would determine that this demand for personal data is not based upon any legal obligation but arises from a business need of the controller to get a tenant who pays on time (a legitimate interest). It may not, however, be proportionate, as the controller could instead just ask for a letter from a prior landlord without any financial details or could review evidence of only the most recent three months’ rent payments. The controller would need to document how their processing of this personal data relates directly to the increased likelihood of rent payments by applicants, based upon their own experiences or surveys and research, and that they could not receive a similar level of rent without collecting and processing all the demanded information.
The second part of the test then asks: Are there other similarly effective measures that implicate lesser interference with the data subjects’ data protection rights? As identified in the proportionality test, the controller could instead use a letter from a prior landlord. They could view evidence only of the most recent rent payments by the applicant. Or better still, they could determine the creditworthiness of the applicant through interviewing them and/or running a credit check. All of these should be similarly effective and require less interference with the privacy and data protection rights of data subjects.
By using this test, the necessity of processing personal data moves from one of significant adhesion, where the controller has almost all the power in the transaction, to a more neutral analysis where a controller must have performed and documented its analysis of why each type of personal data demanded must be collected and processed. The amount and types of personal data collected and processed are no longer based on unsubstantiated desires of controllers for as much personal data as they can collect, but upon what is strictly necessary to effectively achieve the purposes of the processing, providing the least interference with data subjects’ privacy and data protection rights.