The European Data Protection Board (EDPB) recently published draft guidelines (Guidelines) which may impact online service providers' ability to process personal data. The Guidelines are open for consultation until 24 May 2019.

The Guidelines are significant because the legal basis a service provider relies on determines, and impacts upon, the type and scope of its processing activities. We consider the Guidelines and some of the key examples.

In order to process personal data lawfully, an organisation must identify one or more of the six legal bases specified in the GPDR. Traditionally, consent was a popular legal bases but changes under the GDPR have meant a greater focus on the legal bases of contractual necessity (CN) and legitimate interests.

CN, in essence, permits an organisation to process personal data that is necessary to perform a contract with the individual. The Guidelines seek to clarify the regulators' position on what is necessary to perform a contract in various circumstances.

Online services only

The Guidelines are concerned only with the application of CN to processing of personal data in the context of online services. Online services, or 'information society services', cover any service "normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services." This also includes services that are not paid for directly by the recipient, such as services funded through advertising.

The Guidelines do not answer questions that businesses in offline industries may have. 

Avoid unfair terms in contracts

EU law is prescriptive on the types of terms that cannot be included in contracts with consumers. The Unfair Contract Terms Directive, which is implemented in each Member State's national laws, aims to ensure balanced and transparent terms in consumer contracts. Contracts with EU consumers, such as users of online services, should not contain terms that fall foul of these rules.

While the Guidelines are limited to the consideration of data protection rules, the EDPB notes that processing based on an unfair term will not be consistent with the GDPR principle that processing is relevant and fair. Unfair terms cause a significant imbalance in the parties' rights and obligations under a contract. For example, a supplier should not unilaterally change a service without a valid reason, and limitation of liability and indemnity clauses must be fair. Therefore, providers of consumer services from outside of the EU, which are subject to GDPR (because of extraterritoriality provisions), should ensure that their terms are not considered unfair.

Narrow reading of "necessary"

The EDPB takes the position that CN is only available where the controller is "able to demonstrate how the main object of the specific contract with the data subject cannot, as a matter of fact, be performed if the specific processing of personal data in question does not occur". Despite offering differing perspectives and factors to consider when evaluating 'necessity' for performance of a contract, the EDPB interprets necessity narrowly. If the Guidelines are adopted in their current guise, many service providers relying upon CN may find it difficult to meet this higher standard for various processing activities.

In the Guidelines, the EDPB has considered a number of common processing activities which may be based on CN. In doing so, the EDPB has arguably created a presumption that at least some of these activities will not meet the standard of necessity:

  1. Processing for service improvement

The EDPB considers that CN is generally not an appropriate legal basis for processing for the purposes of improving a service or developing new functions within an existing service.

The examples offered in the Guidelines suggest that an email service provider, for instance, might not be able to rely upon CN to ensure its service remains up to date and competitive over time.

  1. Processing for fraud prevention

According to the EDPB, fraud prevention, particularly where it may involve monitoring and profiling customers, likely goes beyond what is objectively necessary for the performance of a contract.

In an online ecosystem built on trust and security, the EDPB's position suggests that ensuring the safety of online services (which would include fraud prevention) is not a core part of the contract with users.

  1. Processing for personalisation of content

The EPDB accepts that personalisation of content may constitute an essential element of online services in some cases. However, personalisation must be "integral" to the service and cannot be only intended to increase user engagement.

  1. Processing for online behavioural advertising

Significantly, the EDPB suggests that, as a general rule, online behavioural advertising does not constitute a "necessary" element of online services. Although such advertising may support the delivery of the service, the EDPB considers it to be separate from the objective purpose of the contract.

Many internet services are supported by online advertising, including the news media and free press. It is far from clear if this sweeping position being proposed by the EDPB is sustainable. Many online service providers will likely argue that certain types of behavioural advertising are an integral part of their services and the agreements which they have with users.

Key takeaways

Other legal bases, such as legitimate interests or consent, are available to controllers to lawfully process personal data. However, reliance on these alternatives may give rise to other issues. For example, processing based on legitimate interests must allow individuals to object to the processing, which would be problematic in the context of activities like fraud prevention or advertising required to support a service. Equally, obtaining valid consent can be challenging and is accompanied by a right of revocation. Ultimately, the lawful basis a service provider relies upon to process personal data has an impact on the type and scope of services.

The Guidelines are open for consultation until 24 May 2019, after which public submissions will be considered and the Guidelines finalised. Depending upon the outcome of the final version, particularly whether the EDPB moderates its position regarding certain processing activities, the Guidelines could have a notable impact on the online ecosystem. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.