This is the first in a two-part series. The second part, "One-stop shop," can be found here.
Published: February 2023
January arrived with a trilogy of EU enforcement decisions. Having now waded through the 800 pages of regulator decision-making, I can say they contain some very important information and considerations for privacy professionals. The consequences could be every bit as profound and challenging for privacy pros as those of the proliferating global restrictions and mechanisms on international data transfers.
Here, I break down and comment on the key practical takeaways and things to look out for on the EU General Data Protection Regulation’s legal bases and transparency requirements. There will be a follow-up piece on this trilogy’s key takeaways from the “One Stop Shop.”
Helpful links and extra reading are at the end of this article. On the facts of — and reaction to — the case, there’s no better place to look than IAPP Staff Writer Jenn Bryant’s reporting on the initial fines and industry reaction.
The trilogy of decisions will be of particular relevance to, and have a particular impact on, organizations that:
- Rely on the GDPR’s ‘contract’ legal basis.
- Have personalized advertising at the center of their business models.
- Are required to maintain GDPR-compliant privacy notices.
Top tips for privacy pros:
- Review your notices.
- Innovate when it comes to your notices.
The GDPR's Six Legal Bases for Data Processing
This chart provides a refresher on the six bases for lawful processing under Article 6 of the EU General Data Protection Regulation: consent (Article 6(1)(a)); performance of a contract (Article 6(1)(b)); compliance with a legal obligation (Article 6(1)(c)); protection of vital interests (Article 6(1)(d)); performance of a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e)); and legitimate interests (Article 6(1)(f)).
There is no legal hierarchy or regulatory preference on the GDPR’s “exhaustive and restrictive” list of legal bases for processing personal data. However, this equality among the legal bases does not mean data controllers have “absolute discretion to choose the legal basis that suits better its commercial interests.” Each basis has its own definition and scope of application.
The trilogy of enforcement decisions delves mostly into the “performance of a contract” legal basis.
Key takeaways include:
- Determine the fundamental substance, rationale and purpose of the contract
  - Personalized advertising (Instagram and Facebook decisions): While the European Data Protection Board acknowledged personalized ads and content “may (but [do] not always) constitute an essential or expected element of certain online services,” it did not regard them as contractually necessary for Meta’s provision of its Instagram and Facebook services. Not only was personalized advertising not the core of the contract, the EDPB also decided contextual advertising based on geography, language and content could be a realistic alternative that does not involve measures such as profiling and tracking users.
  - Service improvements and security (WhatsApp decision)
- Assess whether contractual obligations have been created (if not, consider whether it’s appropriate to create them)
- Weigh up the bargaining power of the parties
- Be transparent (see section on transparency)
The EDPB has undoubtedly raised the bar as to when the “contract” legal basis can be relied upon. Assessing what data processing will, or will not, be necessary to the performance of a contract, and what alternatives might be available, will require a deeper understanding and scrutiny of contractual commitments, insofar as those commitments are relevant to the data controller fulfilling its GDPR tasks. In many cases, this will be new or extra work for privacy professionals, who may have to work more closely with other parts of the business to better understand the expectations of the user.
Practically, if the bar for reliance on the “contract” legal basis can’t be met, either an alternative legal basis will need to be found or the data processing activity will have to cease, which for many would mean significant business model changes (including for advertisers that use real-time bidding to buy ad space on platforms like Instagram and Facebook).
It is important to note two points about two other legal bases. The first is that the decisions did not rule out reliance on “legitimate interests” as a legal basis for such processing, though there is long-standing regulator skepticism about relying on that basis. Legitimate interests may be easier for data controllers to justify when the processing concerns maintaining the integrity of the service, e.g., security features and compliance with community guidelines, than for personalized advertising.
The second is that, notwithstanding potential future investigations as to whether Meta processes special category/sensitive personal data, the national DPAs agreed Meta was not “obliged” to rely on consent. This could change if there is a fresh investigation and Meta is found to be processing special category/sensitive personal data: it would then need an Article 9 legal basis, and the likely outcome would be a decision that consent is the most appropriate Article 9 basis.
Look out for:
- Meta’s appeal to the Irish High Court, which will likely end up being referred to the Court of Justice of the EU.
- Ireland’s Data Protection Commission attempting to annul the EDPB’s binding direction that it conduct a “fresh” investigation as to whether special category/sensitive personal data was processed by the Meta services.
Transparency
"Transparency . . . empowers data subjects to hold data controllers and processors accountable and to exercise control over their personal data by . . . The concept of transparency in the GDPR is user-centric rather than legalistic . . ."
– Paragraph 4 of the Article 29 Working Party Guidelines on transparency under Regulation 2016/679
Ireland’s DPC, with no EU regulators objecting, decided Meta did not comply with GDPR obligations on transparency and notice. The key takeaways for privacy pros can be divided into what must be provided to data subjects and how it must be provided.
A note on fairness: the EDPB’s view was that a failure to comply with GDPR transparency requirements equates to misleading data subjects. That can in turn amount to a further infringement of the GDPR, namely of the core principle of ‘fairness’, which can attract further administrative fines (as it did in each of the three decisions).
What must be provided to data subjects?
Article 13(1) and (2) of the GDPR set out the list of information that must be included in a privacy notice, including the identity and contact details of the data controller, the recipients of the data and the data subject’s right to complain to the relevant DPA. Within the list is a requirement to provide information on “the purposes of the processing for which the personal data are intended as well as the legal basis for the processing.”
It was not enough for Meta to list “in the abstract” the various purposes and legal bases. Compliance with the transparency obligations required making a “link” in the notice between:
- The categories of personal data collected.
- The specific processing operations or set of processing operations.
- The purpose(s) of those processing operations.
- The legal basis relied upon.
Assessing whether the information provided in the notice meets the transparency obligations should be done “cumulatively” and “holistically,” rather than by taking each layer and comparing it, in isolation, to the GDPR requirements.
How must it be provided?
- Use clear and plain language. Know your audience and use terminology they can understand.
- Avoid the oversupply of high-level, generalized or illustrative information. For example, the inclusion of various qualifiers, such as “such as” and “things like,” was called out for making it hard, if not impossible, for data subjects to identify with any degree of specificity what processing is carried out on what data.
- Be concise. The importance of concision “cannot nonetheless be overstated.”
- Keep delivery coherent. Layering a notice can be desirable, especially in the interest of concision, e.g., by providing links users can navigate to receive more information. Layering was not criticized as a general approach by the DPC; indeed, the layered approach has been endorsed by the Article 29 Working Party. However, if a notice is layered, it is important to ensure the assessment of whether the transparency obligations are fulfilled is cumulative (see above) and that the navigation between, away from and back to the layers is coherent.
- Diversify delivery. While transparency obligations can be met via purely text-based privacy notices, other formats and media may help provide the information in a clearer and more concise manner. Article 12(1) and Recital 58 of the GDPR note the possibility of providing privacy notices orally or by other means such as visualization.
The above may make good sense from a regulatory perspective and from a data rights perspective. It may also make sense from a time management perspective, with the Washington Post estimating it takes 6.7 hours for the average reader to get through the privacy notices of the apps on a typical mobile phone.
On the other hand, “easier said than done” may be the call back from privacy pros. Knowing both its data processing operations and its audience does not necessarily make it easier for a data controller to convey its data processing operations to said audience. Some may argue even the most sophisticated data processing activities can be boiled down into more accessible components. For example, this blockchain expert explains the concept at five levels of complexity.
The Goldilocks challenge will be to boil matters down enough that data subjects are meaningfully empowered to hold data controllers accountable for their privacy rights, but not so little that the technical and operational details of the data processing activity remain impenetrable to them. This gets particularly complex for data controllers whose services span a diverse spectrum of users, with varying means, time and capacity to comprehend the information provided in a privacy notice. The tension between completeness and ease of understanding is well understood, even if the solution is not easily executed.
Many privacy pros will want to consider how to move away from, or complement, blocks of Shakespearean prose in their privacy notices with more innovative media and technologies. Audio, video, gamification, augmented/virtual reality or interactions in the metaverse may become more commonplace. We may even see privacy technology vendors extend their stack of solutions to assist with transparency obligations.
Look out for:
- Meta’s appeal to the Irish High Court, which will likely end up being referred to the CJEU.
- Industry reactions and trends, specifically updated privacy notices and emergence and growth of different forms of media to provide notice, e.g., see King’s gamified version of its privacy notice, via the “Privacy Saga”.
Helpful links and extra reading
- EDPB Guidelines on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects
- Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests
- Article 29 Working Party Guidelines on consent
- Article 29 Working Party Guidelines on transparency under Regulation 2016/679
- Ireland’s Data Protection Commission Guidance on legal bases
- Data Protection Network guidance on legitimate interests
- IAPP on Transparency
- Irish DPC decisions