Practical considerations from EU enforcement: Legal bases and transparency

Resource Center / Resource Articles / Practical considerations from EU enforcement

Practical considerations from EU enforcement: Legal bases and transparency

This article provides key takeaways and things to look out for on the GDPR's legal bases and transparency requirements. This is the first in a two-part series. The second part, "One-stop shop," can be found here.


Published: February 2023


Contributor:


Navigate by Topic

January arrived with a trilogy of EU enforcement that, having now waded through the 800 pages of regulator decision-making, has some very important information and considerations for privacy professionals. The consequences could be every bit as profound and challenging for privacy pros as the challenges posed by proliferating global restrictions and mechanisms on international data transfers.

Here, I break down and comment on the key practical takeaways and things to look out for on the EU General Data Protection Regulation’s legal bases and transparency requirements. There will be a follow-up piece on this trilogy’s key takeaways from the “One Stop Shop.”

Helpful links and extra reading are at the end of this article. On the facts of — and reaction to — the case, there’s no better place to look than IAPP Staff Writer Jenn Bryant’s reporting on the initial fines and industry reaction.

The trilogy of decisions will be of particular relevance to and impact organizations that:

  • Rely on the GDPR’s ‘contract’ legal basis.
  • Have personalized advertising at the center of their business models.
  • Are required to maintain GDPR-compliant privacy notices.

Top tips for privacy pros:

  1. Review your legal bases and terms of use.
  2. Review your notices.
  3. Innovate when it comes to your notices.

Legal basis

There is no legal hierarchy or regulatory preference on the GDPR’s “exhaustive and restrictive” list of legal bases for processing personal data. However, this equality among the legal bases does not mean data controllers have “absolute discretion to choose the legal basis that suits better its commercial interests.” Each basis has its own definition and scope of application.

The trilogy of enforcement decisions delves mostly into the “performance of a contract” legal basis.

Key takeaways include:

  • Determine the fundamental substance, rationale and purpose of the contract
    It is against this it will be tested whether the data processing was necessary for its performance. Data processing that is useful or referenced in the terms of use does not make it “objectively necessary” for the performance of the contractual service. Another relevant consideration for necessity is whether there are realistic, less intrusive alternatives for the processing. In determining the core of the contractual service, it may be important to consider disclosures beyond the terms of use, e.g., how the service is promoted or advertised to the data subject.
    • Personalized advertising (Instagram and Facebook decisions)
      While the European Data Protection Board acknowledged personalized ads and content “may (but [do] not always) constitute an essential or expected element of certain online services,” it did not regard them as contractually necessary for Meta’s provision of its Instagram and Facebook services. Not only was personalized advertising not the core of the contract, the EDPB also decided contextual advertising based on geography, language and content could be a realistic alternative that does not involve measures such as profiling and tracking users.
    • Service improvements and security (WhatsApp decision)
      Terms of use that include data controllers providing service improvements and security features, e.g., to detect user misuse of services and harmful conduct taking place on the platform, were also found not to be necessary for the performance of a contract. In the past, the EDPB opined, as a general rule, improvements to services are usually not necessary to the contract. The EDPB decided the core element of the WhatsApp service was the provision of a messaging service for users. Accordingly, it was not necessary for the performance of the contract for data to be processed for the purposes of service improvements and security.
  • Assess whether contractual obligations have been created (if not, consider whether it’s appropriate to create them)
    The EDPB decided it was not enough for terms of use to merely mention processing of personal data in the context of the provision of services. Contractual commitments via specific contractual clauses would better demonstrate the contractual necessity of processing personal data to perform the contract.
  • Weigh up the bargaining power of the parties
    The EDPB placed emphasis on the relative bargaining power of the contracting parties. Crudely, the bigger the data controller is compared to the user, the more emphasis the regulators will place on examining contractual necessity. Redrafting terms of use to put the processing of personal data at the heart of a contract may not be enough if there is a significant imbalance between the parties.
  • Be transparent (see section on transparency)
    With regulators appearing to focus on what could have been in users’ expectations at the point of agreeing to terms of use, it’s increasingly important for data controllers to set out — in terms users can understand— what it is users are (and are not) agreeing to.

Comment

The EDPB has undoubtedly raised the bar as to when the “contract” legal basis can be relied upon. Assessments as to what data processing will, or will not, be necessary to the performance of a contract and what alternatives might be available will require a deeper understanding and scrutiny of contractual commitments, in so far as those commitments are relevant to the data controller fulfilling its GDPR tasks. In many cases, this will be new or extra work for privacy professionals, who may have to work more closely with other parts of the business to better understand the expectations of the user.

Practically, if the bar for reliance on the “contract” legal basis can’t be met, either an alternative legal basis will need to be found or the data processing activity will cease — which for many would present significant business model changes (including for advertisers that use real-time bidding to buy ad space on platforms like Instagram and Facebook).

It is important to note two points about two other legal bases. The first is the decisions did not rule out reliance on “legitimate interests” as a legal basis for such processing, though there is long-standing regulator skepticism about relying on such a basis. Legitimate interests may be easier to justify for data controllers when it concerns maintaining the integrity of the service, e.g., security features and compliance with community guidelines, than for personalized advertising.

The second is, notwithstanding potential future investigations as to whether Meta processes special category/sensitive personal data, the national DPAs agreed Meta was not “obliged” to rely on consent. This could change if there is a fresh investigation and if Meta is found to be processing special category/sensitive personal data (then it would need to rely on an Article 9 legal basis and would likely result in a decision that consent is the most appropriate Article 9 legal basis).

Look out for:

  • Meta’s appeal to Irish High Court, which will likely end up going on a referral to the Court of Justice of the EU.
  • Ireland’s Data Protection Commission attempting to annul the EDPB’s binding direction that it conduct a “fresh” investigation as to whether special category/sensitive personal data was processed by the Meta services.
  • The CJEU ruling on contractual necessity (Case C-446/21). In December 2020, the Austrian Court of Appeal issued a judgment on a dispute between Max Schrems and Facebook Ireland. This judgment is subject to appeal to the Austrian Supreme Court who, in turn, referred the matter to the CJEU. The Austrian Court of Appeal endorsed reliance on the “contract” legal basis in providing users with personalized content, noting the personalized advertising business model is neither “immoral nor unusual,” the personalized advertising business model and provision of personalized content are clearly explained in Facebook’s terms of use, lawfully agreed to by users, and such a business model, and providing such a service, requires the processing of personal data.
  • The CJEU ruling on legitimate interest (Case C-621/22). The Amsterdam District Court referred a dispute between the Nertherlands' data protection authority, Autoriteit Persoonsgegevens, and the Royal Dutch Lawn Tennis Federation relating to the sharing of member personal data with sponsors for marketing purposes, based on legitimate interest. Industry reactions and trends specifically included amending terms of use to make the contractual necessity of data processing more prominent and transparent, shifting legal bases from performance of a contract to another legal basis, most likely legitimate interest and consent, and shifting business practice away from personalized advertising via tracking technologies to contextual advertising. In contextual advertising, ad space is sold based on generic data which does not identify a viewer, such as time of day and content of the page.

Transparency

"Transparency . . . empowers data subjects to hold data controllers and processors accountable and to exercise control over their personal data by . . . The concept of transparency in the GDPR is user-centric rather than legalistic . . ."
– Paragraph 4 of Article 29 Working Group Guidelines on transparency under Regulation 2016/679

As is common practice today, Meta’s Terms of Use guides users through the process of accepting terms of use, with options for users to read more, proceed or go back, via a series of click-through information notices. Contained in that layered sequence of information notices was Meta’s articulation of how it processes the personal data of its users, in purported compliance with the GDPR.

Ireland’s DPC, with no EU regulators objecting, decided Meta did not comply with GDPR obligations on transparency and notice. The key takeaways for privacy pros can be divided into what must be provided to data subjects and how must it be provided.

A note on Fairness: The EDPB view was that a failure to comply with GDPR transparency requirements equates to misleading data subjects. That can be consequential for a further infringement of the GDPR — the core GDPR principle of ‘fairness’ — which can attract further administrative fines (as it did in each of the three decisions.)

What must be provided to data subjects?

Article 13(1) and (2) of the GDPR set out the list of information that must be included in a privacy note, including the identity and contact details of the data controller, the recipients of the data and the data subject’s right to complain to the relevant DPA. Within the list is a requirement to provide information on the “the purposes of the processing for which the personal data are intended as well as the legal basis for the processing.”

It was not enough for Meta to list “in the abstract” the various purposes and legal bases. Compliance with the transparency obligations required making a “link” in the notice between:

  • The categories of personal data collected.
  • The specific processing operations or set of processing operations.
  • The purpose(s) of those processing operations.
  • The legal basis relied upon.

Assessing whether the information provided in the notice meets the transparency obligations should be done “cumulatively” and “holistically,” rather than by taking each layer and comparing it, in isolation, to the GDPR requirements.

How must it be shown?

  • Use clear and plain language. Know your audience and use terminology they can understand.
  • Avoid the oversupply of high level, generalized or illustrative information. For example, the inclusion of various qualifiers — “such as” and “things like” — were called out for making it hard, if not impossible, for data subjects to identify with any degree of specificity what processing is carried out on what data.
  • Be concise. The importance of concision “cannot nonetheless be overstated.”
  • Cohere delivery. The layering of notice can be desirable, especially in the interest of finding concision, e.g., by providing links users can navigate to receive more information. The layering of notice was not criticized as a general approach by the DPC, indeed, the layered approach has been endorsed by the Article 29 Working Party. However, if notice is layered, it is important to ensure the assessment of whether the transparency obligations were fulfilled is cumulative (see above) and the navigation between, away from and back to the layers is coherent.
  • Diversify delivery. While transparency obligations can be met via purely text-based privacy notices, other formats and media may help provide the information in a clearer and more concise manner. Article 12(1) and Recital 58 of the GDPR note the possibility of providing privacy notices orally or by other means such as visualization.

Comment

The above may make good sense from a regulatory perspective and from a data rights perspective. It may also make sense from a time management perspective, with the Washington Post estimating it takes 6.7 hours for the average reader to get through the privacy notices of the apps on a typical mobile phone.

On the other hand, “easier said than done” may be the call back from privacy pros. Knowing both its data processing operations and its audience does not necessarily make it easier for a data controller to convey its data processing operations to said audience. Some may argue even the most sophisticated data processing activities can be boiled down into more accessible components. For example, this blockchain expert explains the concept at five levels of complexity.

The Goldilocks challenge will be to boil matters down so data subjects are meaningfully empowered to hold data controllers accountable for their privacy rights, but not underdo the boiling so technical and operational details on data processing activity is impenetrable to data subjects. This gets particularly complex for data controllers whose services may span a diverse spectrum of users; users of varying means, time and capabilities of comprehending the information provided in a privacy notice. The tension between completeness and ease of understanding is well-understood, even if the solution is not easily executed.

Many privacy pros will want to consider how to move away from or complement blocs of Shakespearean prose in their privacy notices with more innovative media and technologies. Audio, video, gamification, augmented/virtual reality or interactions in the metaverse may become more commonplace. We may even see privacy technology vendors complement their stack of solutions to assist with transparency obligations.

Look out for:

  • Meta’s appeal to Irish High Court, which will likely end up going on a referral to the CJEU.
  • Industry reactions and trends, specifically updated privacy notices and emergence and growth of different forms of media to provide notice, e.g., see King’s gamified version of its privacy notice, via the “Privacy Saga”.

Additional resources



Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 2

Submit for CPEs