On 9 April 2019, the European Data Protection Board (“EDPB”) adopted new guidelines “on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects.”

In general, the GDPR requires that processing of personal data be justified under a legal basis in Article 6 GDPR.  One such legal basis is Article 6(1)(b), which covers data processing that is “necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”  The new EDPB guidelines consider the meaning of this basis, and in particular whether it can be used as the basis for data processing by online services for purposes such as service improvement, fraud prevention, targeted advertising, and service personalization.

In particular, the guidelines clarify the EDPB’s view that:

  • Targeted advertising, even when it “supports” an online service by funding that service, is “separate from the objective purpose of the contract between the user and the service provider,” and therefore is “not necessary for the performance of the contract at issue.”
  • Service improvement through the collection of usage information, telemetry, and user engagement data, “in most cases…cannot” be regarded as within the scope of Article 6(1)(b).
  • Service personalization can potentially fall within the scope of Article 6(1)(b), where that personalization is an “essential or expected” part of the service.
  • Fraud prevention generally cannot fall within Article 6(1)(b).

In addition, the EDPB touches on a range of other points in relation to interpretation of Article 6(1)(b) under the GDPR.  Perhaps most notably:

  • The EDPB argues the term “necessary,” as used in Article 6(1)(b), must be interpreted in line with data protection law objectives.  Accordingly, the EDPB takes the view that processing which is “useful but not objectively necessary for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the controller’s other business purposes,” is not “necessary.”
  • The EDPB repeatedly emphasizes that Article 6(1)(b) can only cover processing purposes that are “clearly and specifically identified.”  The EDPB goes on to explain that purposes such as “improving users’ experience,” “marketing purposes,” “IT-security,” and “future research,” are all insufficiently specific.
  • The EDPB does allow, however, that Article 6(1)(b) can apply to incidental data processing related to the performance of a contract where processing can be “reasonably foreseen and necessary within a normal contractual relationship.”  This includes, for instance, processing necessary to send reminders to data subjects about outstanding payments, processing related to warranties, or processing needed to bring “a contract back in conformity after smaller incidents and issues.”
  • The EDPB clarifies that, for the purpose of Article 6(1)(b), contracts do not need to be expressed to be governed by the laws of EEA Member States.
  • The EDPB is clear that, in general, when contracts terminate, controllers should stop processing data previously processed based on Article 6(1)(b) relating to that contract.  The EDPB also states that further processing of such data after contract termination could be “unfair” except where based on consent of the data subject (or where required under applicable EU or Member State law).

The guidelines are now open for consultation until May 25, 2019.