(GDPR Article 6)
From scientific research to buying and selling online, every sector requires the processing of data. Companies need such processing because it allows them to extract the most relevant content for later use, whether this be to add items to your basket whilst you are still browsing or to target specific advertisements to you on social media. As much as this processing benefits us in terms of convenience, it leaves us open to data misuse. So, what does the GDPR do to protect us? Article 6 outlines the lawful bases for data processing, which protect consumers from the reckless use of their data for purposes not made clear to them.
Processing shall be lawful where:
You have given consent
For the performance of a contract
For compliance with a legal obligation
Protecting your or someone else’s vital interests
Performing a task in the public interest
For a legitimate interest
For decades, tech companies played fast and loose with data collection and consent. Nowadays, sanctions are imposed for this kind of flagrant breach of privacy rights, but the fact that they are still needed shows the problem remains: tech companies have kept the same flippant attitude towards data collection and user consent. In 2019, for example, Facebook was required by the US government to pay $5 bn in fines over privacy issues. This will be neither the first nor the last time such a fine is ordered.
In response to this problem, the GDPR established a new threshold for consent. The hope was that, with an arguably higher threshold coupled with higher fines, companies would have to ensure this baseline standard was met before processing data. Currently, consent of the individual means a ‘freely given, specific, informed, and unambiguous’ indication of the individual’s wishes by which they, by a statement or by a ‘clear affirmative action’, signify agreement to the processing of their personal data.
Oftentimes consumers just want to access information on a website without having to jump through hoops such as unticking pre-ticked boxes, or having to find a completely different website because a pop-up obscures the necessary service or information. As consumers, we recklessly tick ‘I have read and agree to the terms & conditions and privacy & cookies notice’ because we are not aware of the consequences that ensue.
The spirit of the GDPR is to protect consumers by ensuring we do not have to fatigue ourselves by taking our consent into our own hands. ‘Freely given’ implies that there is a choice involved: consent cannot be forced or assumed. An example of this in action is that a site is not allowed to kick you off in retaliation for your not signing up for marketing. Additionally, consent must be ‘informed and specific’. In other words, consent mechanisms cannot be buried in legalese or behind a bunch of checkboxes. This makes it easier for the consumer to understand the consequences of consenting.
Recently, the court established that pre-ticked checkboxes are not a valid form of consent. The Planet49 case was crucial in this ruling. A German lottery website argued that the user being on the website was a signal that it could also place cookies on their computer. On a reference from the German court, the CJEU clarified three important points. Firstly, all sites need consent before setting any non-essential cookies. If you access the BBC website today, for example, a cookie ‘giving you a better, more personalised experience’ is optional and does not affect your ability to access the top headlines. It is therefore a non-essential cookie.
Secondly, the ruling decided that a pre-ticked checkbox is not a valid form of consent, because without the user ticking the box themselves no intentional consent is found. Lastly, the website must explicitly ask the user whether they want cookies to be used. When you access any website, the ‘accept’ or ‘reject’ cookie box should appear as soon as you open the link, to meet the standard set out under the GDPR.
This is all well and good, but what does this mean for you? Quite simply, it means two things. First and foremost, it means less hassle for you. The GDPR has ensured that it should only take one click to agree or to withdraw consent. This relieves the consumer of consent fatigue because they do not have to bother themselves with pages of checkboxes to gain access to a website’s services or information. Under the GDPR, simplicity is therefore key.
Secondly, it lessens the risk of data misuse. If a website is acting legally under the requirements of the GDPR, then consumers have access to legal protective measures to ensure that their data is not being misused. This is because the GDPR requires a website to presume that a user has not consented to non-essential cookies and data processing. It is therefore up to the user to show explicit consent.
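The three Planet49 points above modelled as a small consent gate, as an added example that is not code from the original article: no consent is presumed, non-essential cookies are held back until the user themselves ticks an unticked box, and one call withdraws consent and clears them. The cookie names and the injected Map standing in for document.cookie are constructed for the example.

```javascript
// Added example (not the article's code): consent gate for non-essential cookies
// per the three Planet49 points. Injected Map stands in for document.cookie.
const ESSENTIAL = new Set(['session_id', 'csrf_token']); // constructed names

class ConsentGate {
  constructor(jar) {
    this.jar = jar;            // Map of cookie name -> value
    this.consented = false;    // GDPR default: no consent is presumed
    this.pending = [];         // non-essential cookies held until consent
  }
  // Point 1: non-essential cookies are not set until the user has consented.
  setCookie(name, value) {
    if (ESSENTIAL.has(name) || this.consented) {
      this.jar.set(name, value);
      return true;
    }
    this.pending.push([name, value]);
    return false;
  }
  // Points 2 and 3: ask explicitly; only a box the user ticked counts, never a pre-ticked one.
  recordConsent({ prechecked, userTicked }) {
    if (prechecked || !userTicked) return false;
    this.consented = true;
    for (const [name, value] of this.pending) this.jar.set(name, value);
    this.pending = [];
    return true;
  }
  // One click to withdraw: revoke consent and drop everything non-essential.
  withdraw() {
    this.consented = false;
    for (const name of [...this.jar.keys()]) {
      if (!ESSENTIAL.has(name)) this.jar.delete(name);
    }
    this.pending = [];
    return this.jar.size;
  }
}

// Walk through the scenario and return the observable states for checking.
function runScenario() {
  const gate = new ConsentGate(new Map());
  const out = {};
  out.essentialSet = gate.setCookie('session_id', 'abc123');
  out.trackerSetNow = gate.setCookie('analytics_id', 'visitor-42');
  out.precheckedAccepted = gate.recordConsent({ prechecked: true, userTicked: true });
  out.tickedAccepted = gate.recordConsent({ prechecked: false, userTicked: true });
  out.jarAfterConsent = gate.jar.size;
  out.jarAfterWithdraw = gate.withdraw();
  return out;
}
```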
When ordering something online, have you ever wondered why access to your data is so easy? You might think this is obvious. You want to buy a product or a service, and necessarily a business would need information such as your card details for payment. Well, this is true: it is obvious, and this obviousness is protected under the GDPR.
Under Article 6(1)(f), where ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’ then processing is lawful. Legally, the test applied encompasses a purpose test, a necessity test and a balancing test. Let’s take the example of a pizza shop.
To decide whether an interest is ‘legitimate’, the GDPR does not provide any specific guidance. For the pizza shop, it is in their legitimate interest to have your home address so that the order can be delivered. When ordering a pizza, you must give your home address to allow the shop to deliver your order. Perhaps you may also consider the shop to have a legitimate interest in keeping your details for a little while afterwards to promote information about its services. Under the GDPR, wide scope is given to what may be considered a ‘legitimate interest’, and so an interest does not have to be very compelling. Intuitively, however, you may consider there is no legitimate interest for the pizzeria to give your email address to the café next door to promote its business interests. In this way, the interest must clarify the purpose or the intended outcome of the data processing.
When can processing be deemed necessary? By necessary, the processing does not have to be absolutely essential; however, it must be a proportionate way of achieving the purpose. If there is another, less intrusive way of achieving the purpose that does not process data in this way, then that should be used. Let’s say the pizzeria has CCTV cameras for security reasons. A public figure posts a video from inside the pizza shop, stating to the media that it has not made adequate provision for Covid restrictions. The owner has a legitimate interest in releasing the CCTV footage from the shop’s security system to counter the report, as it is damaging to its reputation and commercial interests. When considering necessity, the owner concludes it cannot pursue its interest without publishing this footage. However, it is not necessary for the owner to publish pictures of other people enjoying food in the pizzeria. The owner must take steps to ensure the other customers are protected.
The last consideration is the balancing test, which accounts for the interests, fundamental rights, or freedoms of the individual. Outside of Article 6, the GDPR provides more specific guidance on these terms in Recital 75, which states that such an impact may include an inability to exercise rights, loss of control over the use of personal data, or any social or economic disadvantage. In the example above, a customer would not reasonably expect the pizzeria to share their address with the café next door for the promotion of its products or services. In some circumstances, the interests of the pizzeria can outweigh the customer’s, if there has been a failure to pay for example, and the pizzeria would be reasonable in taking steps to seek payment of outstanding debts.
The legitimate interest head is a flexible and broad lawful basis under Article 6, and it can be hard to say with certainty what falls under this interest. Yet the courts have shown promise in protecting the interests of users and consumers where cases concern processing by Big Tech companies. Recently, the Danish Protection Agency succeeded in overturning Google Analytics’ argument that it had a ‘legitimate interest’ in gaining a better understanding of visitors’ behaviour on a website. This is because visitors could not reasonably expect their information to have been passed on to Google’s wider servers in America. Thus, the lawful basis is strongly scrutinised and often weighs in favour of a user’s fundamental rights.
Performance of the Contract
A third aspect of lawfully processing data is to do with contracts between a company and a client. A lawful basis for processing can be found if you have a contract with an individual and their data needs to be processed to fulfil a contractual obligation; this is found under Article 6(1)(b). In our pizzeria example, a customer would need to provide their credit card details online for the pizza to be paid for. If there is a potential contract with an individual, then this can also be a lawful basis. If you wanted the pizzeria to cater your birthday party, for example, and you asked for a quotation for the size of your party, then the pizzeria could process some of your data even if you decide you want Chinese food instead.
Where personal data needs to be processed, the bar of necessity is the same as under legitimate interest. The processing must be a proportionate step in delivering the contractual service, and where there is a less intrusive way to deliver the contractual service then this should be used. It is fine for the pizzeria to process your credit card number or your address, as this is necessary to perform the contract. However, the pizzeria using the fact that you have ordered a Margherita to identify, in psychographic terms, that you are vegetarian is not necessary for the performance of the contract. Even if this type of targeted advertising forms part of the customer relationship, it is not a necessary part of the business and is not necessary for the performance of the contract itself.
Where it is not necessary for the performance of the contract, another lawful basis must be considered.
Miscellaneous Lawful Bases
Other miscellaneous provisions exist under Article 6(1) and will be dealt with here. Under Article 6(1)(c), similarly to the contractual basis, processing is lawful where it is necessary for compliance with a legal obligation. If you applied for a job at the pizzeria, you would need to provide a national insurance number so that tax can be processed.
Article 6(1)(d) provides that where someone’s vital interests are at stake, processing may be carried out to protect that person. A ‘vital interest’ is further defined as an interest which is essential to someone’s life. An example of this is when an individual is admitted to the emergency department of a hospital with life-threatening injuries: the medical history of the individual will need to be disclosed to the hospital for their vital interests. The caveat is that where the individual is physically or legally able to give consent, this basis cannot apply.
Article 6(1)(e) covers the public interest: processing is lawful where it is necessary to carry out a specific task in the public interest laid down by law, or in the exercise of official authority laid down by law. A government agency might have statutory powers to conduct research about the online shopping habits of consumers, where retailers must share the personal data of their customers to carry this out.
What happens if Article 6 is infringed?
An infringement of any of these articles is an offence. The GDPR does not allow any leeway for companies who process data without a lawful basis. Depending on the size of the company and the size of the breach, a smaller or larger fine might be enforced. For instance, the Cabinet Office was recently fined £585,000. It is, however, unlikely that our pizzeria would suffer the same fate.