In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the EU General Data Protection Regulation. Now, with the May 25, 2018, GDPR-implementation deadline looming, the IAPP is releasing a companion series to present common practical organizational responses that our members report undertaking in anticipation of GDPR implementation.

This second installment in the 10-part series addresses organizational efforts to implement the GDPR’s requirement that companies rely on a “lawful basis” to justify the processing of personal data. Find the first installment on data mapping and inventory here.

Lawful basis for processing 

Similar to the situation under the 1995 Data Protection Directive, under the GDPR a company may process a data subject’s personal data only if there is a “lawful basis” for such processing. Article 5 decrees that personal data shall be “processed lawfully,” and Article 6 lays out six different legal bases that satisfy the lawfulness requirement:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.

Although Article 6 limits the legality of processing to situations where “at least one” of the bases applies, organizations should be cautious about relying on multiple lawful bases for any single processing purpose. The Article 29 Working Party’s guidance on consent suggests that “[a]s a general rule, a processing activity for one specific purpose cannot be based on multiple lawful bases.”

Companies are required to identify a basis for processing at the time of collection, before processing occurs, and per Article 13(1)(3), must furnish the data subject with both the purpose of the processing and its legal basis at the time data is collected.

What this means in practice

Our interviews with leading privacy professionals suggest that the simplest cases to support will be those where processing is necessary for the performance of a contract, or for the controller’s compliance with a legal obligation. In these cases where, for example, an online retailer processes a consumer’s address in order to deliver an ordered item (performance of a contract) or a financial institution processes an accountholder’s data to comply with anti-money laundering laws (compliance with legal obligation), the existence of a lawful basis is clear cut.

More common — but also more difficult — are situations where processing is undertaken with the consent of the data subject; or processing is necessary for the purposes of the legitimate interests of the controller or of a third party except where such interests are overridden by the privacy interests of the data subject. Guidance documents from the Article 29 Working Party provide examples of both. Examples for legitimate use of consent include a hotel chain’s online offer of an opt-in tick-box to a loyalty program, presented to customers who have already made a reservation; or a cable TV network’s asking subscribers to consent to the use of their viewing habits in order to present them with personalized content suggestions. An example of reliance on legitimate interests includes a computer store, using only the contact information provided by a customer in the context of a sale, serving that customer with direct regular mail marketing of similar product offerings — accompanied by an easy-to-select choice of online opt-out.      

Least common are cases where processing is necessary to protect the vital interests of the data subject or another natural person, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. One example of processing to protect the vital interests of the data subject might be the processing a person’s information in order to locate them after a humanitarian disaster. A classic example of processing necessary for the performance of a task carried out in the public interest is a tax authority’s collection and processing of an individual’s tax return in order to establish and verify the amount of tax to be paid. Recital 46 notes that some processing “may serve” the grounds of both public interest and the vital interest of the data subject, such as processing in order to monitor an epidemic.

Article 9 of the GDPR identifies “special categories of personal data” and sets forth a more limited subset of lawful bases for processing such data. Any data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership,” along with “processing genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation” is prohibited unless it meets one of the 10 exceptions specified in Article 9(2). Importantly, companies that process “special categories of data” cannot rely on a legimitate interest as a lawful basis for processing such data. However, a restrictive form of consent can be used. Article 9(2)(1) permits processing based on “explicit consent,” which requires “an express statement” of approval, a heightened requirement beyond the “clear affirmative act” necessary to establish consent when processing “regular” personal data. The Working Party suggests that a written statement, signed by the data subject where appropriate, is one means of demonstrating this requirement.

Unpacking consent and legitimate interests 

Consent

Many organizations start the process of identifying the legal basis for processing by determining which (if any) of their activities require consent. While the tighter requirements of GDPR-compliant consent could be a disincentive for relying on this basis, for some types of processing there’s simply no other way. Article 4(11) of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Conducting properly-resourced data mapping and inventory is a critical first step to identify any instances where consent has not been properly acquired or recorded. Next, companies should determine areas of processing where consent should be sought and identify any processing that currently relies on consent but should cease doing so. Existing databases must be brought into compliance by the May 25 deadline or risk losing their usefulness to organizations until proper consents can be procured.

Clearly, consent is the most talked-about of the six legal bases available under the regulation. According to a 2017 study conducted by the IAPP with TrustArc, obtaining consent ranked third overall among 11 compliance risks, and ranked second among just U.S. respondents. Many businesses rely on consent, often obtained via the ubiquitous “I Agree” button, for the collection, transfer, and processing of personal data. Recitals 32, 42, and 43 of the GDPR give some examples of what constitutes a “freely given, specific, informed and unambiguous” consent, and explicitly warn that “silence, pre-ticked boxes or inactivity” will not qualify.

A “written statement, including one given by electronic means, or an oral statement” may suffice. The GDPR also suggests that “ticking a box when visitng an internet website” or “choosing technical settings for information society services” will qualify as conduct that clearly indicates the data subject’s acceptance of processing. In its guidance on consent, the Working Party suggests that physical motions such as waving in front of a smart camera, swiping, or turning a phone or tablet in a specific direction could satisfy the requirement for “unambiguous consent,” so long as “clear information” is provided to the data subject. Recital 50 warns processors against processing data for purposes other than those disclosed when the data was originally collected. If a company wishes to conduct such additional-purpose processing, it must first obtain a new consent.

Article 7 sets forth additional conditions for valid consent. To rely on consent, companies must be able to demonstrate that data subjects have in fact given it, necessitating an organizational system that will maintain a record of the required clear affirmative act or express statement (oral or written), depending on the type of data being processed.

Written declarations of consent, if packaged with other matters, must be presented “in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.” This means that a valid consent statement cannot be buried in fine print, written in impenetrable legalese or conflated with other important contract terms. Data subjects also retain a right to withdraw consent at any time, and must be informed of this right before providing consent. Withdrawal of consent must be as easy as giving consent. Finally, the requirement that valid consent must be “freely given” is emphasized; particular scrutiny is warranted for whether “the performance of a contract, including the provision of a service, is conditional on the consent to the processing of personal data that is not necessary for the performance of that contract.”

Additionally, to satisfy the requirement that consent be freely given, companies relying on consent must consider the imbalance of power between themselves and data subjects. The Working Party warns that “any element of inappropriate pressure or influence on the data subject … which prevents a data subject from excerising their free will, shall render … consent invalid.” For example, a bank that asks for its customers’ consent to use their payment details for marketing purposes, but denies banking services or increases fees if consent is not granted, would be exerting inappropriate pressure. The GDPR does not absolutely prohibit offering services conditioned on consent to data processing, but per Recital 43, any consent so provided is presumed invalid, and the Working Party notes that “[valid] cases will be highly exceptional.”

In addition to avoiding behaviors prohibited by the GDPR, organizations must meet a number of affirmative obligations to vindicate data subjects’ rights when relying on consent. Article 20(1)(1) guarantees data subjects the right to access any data they have provided to a data controller based on consent. Recital 63 adds that access should be provided “easily and at regular intervals” to enable a data subject to verify the lawfulness of processing. Article 20 also guarantees that this data be provided in a “structured, commonly used and machine-readable format,” which controllers should consider when designing data storage and categorization tools for the processing of data that will be collected based on consent. Recital 68 clarifies that the requirement of data portability applies to controllers engaging in processing based on consent or pursuant to a contract, but not on other legal grounds, though it does not require all controllers to design mutually interoperable formats.

Article 17 guarantees every data subject the right to “obtain the erasure of personal data concerning him or her without undue delay.” This right is specifically implicated when consent is withdrawn by data subjects. Data controllers planning to rely on consent should thus have a workable erasure mechanism in place for cases of withdrawal of consent as part of their plan to cease processing upon a data subject’s objection. 

Specific operational problem areas include: employment agreements that rely on consent as the basis for the processing, since the requirement that consent be freely given is inherently undermined by the imbalance of power between an employer and an employee; any processing of consumer data based on pre-GDPR data subject consent; any services that obtained consent via pre-ticked boxes or browsewrap; and any processing occurring for multiple purposes. Valid pre-GDPR consent does not guarantee continued validity after May 25, 2018; Recital 171 makes it clear that consent obtained before the GDPR will remain valid only if it satisfies the stricter standards of the Regulation.

Legitimate interests

Like the 1995 Data Protection Directive, the GDPR permits data processing in furtherance of a company’s “legitimate interests pursued by itself or a third party” — with the critical caveat that the “interests or fundamental rights and freedoms of the data subject” cannot be outweighed by the company’s interest. Recital 47 gives several examples of such consent-less processing based on legitimate interests, including relationships where the data subject is a client or in the service of the controller. In every case, however, “careful assessment,” often referred to as a “balancing test,” is required. This process comprises a two-step analysis: First, a company must present an interest that is legitimate; second, processing in furtherance of that interest must satisfy a balancing test between the controller’s legitimate interest and data subjects’ privacy rights.

In its guidance on legitimate interests, the Working Party states that “any interest can be considered legitimate as long as the controller can pursue this interest in a way that is in accordance with data protection and other laws.” Next, a company must determine if its “interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.” This test is not an easy “either-or” proposition; it is a complex assessment that must take in to account four broad factors: the controller’s legitimate interest; the impact on the data subject; the provisional balance between the two; and additional safeguards applied by the controller to prevent any undue impact on the data subjects.

As a lawful basis for processing, legitimate interest, like consent, triggers complex compliance considerations. Article 13(1)(4) and Article 14(2)(2) of the GDPR require an organization to specifically identify its legitimate interests to a data subject. Importantly, under GDPR Article 18(1)(4), companies that choose to rely on legitimate interest grounds must create a mechanism to restrict processing for a data subject who chooses to challenge a controller’s application of the balancing test. Both Article 21(1) and Recital 69 guarantee data subjects a mechanism to object to processing based on legitimate interests.

Ultimately, to chart the waters of the fact-specific balancing test, companies will have to look to a history of enforcement actions by supervisory authorities. In the meantime, they can rely on the example legitimate interests given by the Commission and the Article 29 Working Party in their advice. The Working Party’s 2014 guidance on legitimate interests, while issued under the 1995 Directive, can nevertheless provide useful examples of how this test might be applied in different situations: 

In the workplace:

Establishing a company-wide internal employee contact database with the name, business address, telephone number, and email address of all employees, to enable employees to reach their colleagues, could be justified under a legitimate interests test, so long as “appropriate measures,” such as the adequate consultation of employee’s representatives and institution of effective security policies, are taken.

Compliance with a foreign legal obligation, such as a whistle-blowing scheme required by the United States’ 2002 Sarbanes-Oxley Act, qualify as legimate interests. Non-EU legal obligations do not authorize processing based on a “legal obligation” under Article 6(c). If such programs include appropriate safeguards, the legitimate interest of the company in complying with its foreign legal obligations will justify data processing. 

In contrast, electronic monitoring of employee internet, email or telephone use, particularly if accompanied by video surveillance, will likely fail the balancing test without the institution of substantial additional safeguards to protect employee privacy interests. The nature of employement in any given context would also be critical to this type of processing.

Despite furthering an employer’s legitimate interest of ensuring compliance with non-smoking rules, a company’s use of hidden cameras to identify employees and visitors who smoke in unauthorized places would likely fail the balancing test as a disproportionate invasion of individuals’ privacy rights, when other less intrusive solutions are available.

Processing consumer personal data:

Companies clearly have a legitimate interest in collecting information about their customers’ preferences in order to “better personalize their offers and ultimately offer products and services that better meet the needs and desires of customers.” Some types of marketing can be conducted pursuant to this interest, such as direct physical or electronic mailing with an effective opt-out. However, according to the Working Party, the combination of “vast amounts of data about [customers] from different sources” used to build “complex profiles of customers’ personalities and preferences” is likely “a significant intrusion into the privacy of the customer” that will be overridden by the interests and rights of the data subject.

The Working Party engaged with one scenario in particular detail: a fictitious interaction between a pizza chain and a customer. It explained that the restaurant, pursuant to its legitimate interest of increasing sales, could directly mail coupons to the address provided by a past delivery customer, so long as it provided an easy-to-use opt-out. However, if that company’s processing of customer information for marketing purposes were expanded to include years of the customer’s purchases, as well as her purchases at a grocery store owned by the chain’s parent company, her browsing history captured via cookies placed by the store’s website, and location data from her mobile device, the outcome of the balancing test would swing away from the company to the individual.

Similarly, an internet company that provides a variety of online services including a search engine, video sharing, and social networking, which adopts a privacy policy enabling it to combine all personal information collected through different channels from each user for the identified interest of “providing the best possible quality of service” would likely fail the balancing test. This is due to the fact that the users cannot control or object to specific combinations of data and that the level of information potentially collected creates an imbalance of power between the company and its users. 

Given that a controller’s legitimate interests must be specified at the time of collection, repurposing data is hard to justify under this basis. Per Recital 69, controllers always bear the burden of satisfying the balancing test. Under GDPR Article 40, controllers should consult their trade associations or similar industry groups, since they are authorized to prepare codes of conduct to define controllers’ legitimate interests in specific situations.

Usefully, the Working Party identified certain measures that may help “tip the balance to ensure that … processing can be based on the [legitimate interest of the controller],” including:

  • A workable and accessible mechanism to ensure data subjects an unconditional opt-out from processing.
  • Strict limits on how much data is collected.
  • Immediate deletion of data after use (for example, an app scanning users’ contacts solely to determine which ones had already consented to the app’s processing of their information).
  • Use of anonymization techniques.
  • Aggregation of data.
  • Privacy-enhancing technologies, privacy by design, and data protection impact assessments.
  • Technical and organizational safeguards to ensure that data cannot be used to take decisions or actions with respect to individuals.
  • Data portability and related measures.
  • Pseudonymization and encryption of data. 

Conclusion

As with any organizational response to the GDPR, the first step is the adoption an effective data mapping and inventory strategy. Once a company maps its personal data processing, it should carefully document a lawful basis for each processing purpose. Of the six lawful bases permitted under the GDPR, consent and legitimate interest are not the most commonly used, but are the source of the greatest amount of uncertainty. Nevertheless, there are pre-enforcement steps companies can take to minimize processing risks.

Pre-GDPR consent-based processing should be reviewed to ensure that the underlying consent remains effective. If necessary, new consent should be sought. If any “special category” processing was identified, the company must solicit “explicit” consent. Under the GDPR, in all instances of consent-based processing, companies should ensure the availaibility of withdrawal mechanisms.

For processing based on a company’s legitimate interest, the required balancing test should be reviewed and documented. The fact-specific nature of this legal basis highlights the importance of good recordkeeping. In line with the Working Party’s guidance, data use and privacy policies should be evaluated for potential opportunities to add “balance tipping” mechanisms.

photo credit: Nicholas Erwin Thumbs Up via photopin (license)