Opinion on the draft Guidelines 2/2019 of the European Data Protection Board[1]

dr. Zsolt Bártfai
Global Privacy Consultant, IBM Security

This article only reflects the views of its author, none of its findings can be regarded as the position of IBM on this topic.

The European Data Protection Board published its draft Guidelines 2/2019 “on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects”[2] on 12 April 2019 (hereinafter referred to as Draft Guidelines). The provisions of the Draft Guidelines have been presented on several professional sites. This paper wishes to criticise the Draft Guidelines.

That is to say, the Draft Guidelines reveal several critical aspects of the GDPR and of the (official) interpretations of the GDPR by the data protection authorities; aspects that, if consistently implemented by the data protection authorities, would do serious damage to, and disarrange, the legal system. These aspects are the following:

a) the nearly fifty-year-old concept underlying the GDPR (a concept that covers only one, well-defined type of data processing) may be dysfunctional—as it is in the present case, for example—when mechanically applied to other types of data processing,

b) considering data protection law as a “super law”, which does not align with the legal relationships underlying data processing but expects those underlying legal relationships to align with it, without understanding their point,

c) in this connection, it is not clear what the GDPR protects. Does it protect the privacy of data subjects or is it only a set of administrative rules that is enforced even if it is contrary to what data subjects want?

d) the restrictive interpretation of the concept of “contract” runs counter to the age-old logic and rules of civil law, and the creation of data protection rules based on this interpretation, in addition to unnecessarily complicating the judgment of a case, might have unpredictable consequences for civil law relationships and for the flow of trade.


Ad (a): The Concept of the GDPR

Apart from a few rules, the concept of the GDPR follows (similarly to Directive 95/46/EC) the concept of the 1970s and 1980s, i.e. it is applicable, without reservations, to the processing of data organised into computer databases (large filing systems). In other cases, at most its principles would be applicable (there are, however, cases where even they could not be fully applied!), with special rules adjusted to the data processing at hand.[3] Another characteristic of this concept is that it was (typically) intended for regulating state databases, i.e. it regulated superior-subordinate relationships (governed by public law) and provided legal protection for the data subjects in such relationships governed by public law.

By contrast, the legal relationships analysed in the Draft Guidelines (information society services—online services) belong to the domain of civil law, where the parties are interdependent and are not in a superior-subordinate relationship. They are free—within the limits set by the law—to shape their legal relationship. The Draft Guidelines therefore apply a wrong approach by speaking of “objectively necessary” data processing; in civil law relationships, it is the agreement, the will (the “subjective” attitude) of the parties that is relevant.

Ad (b): Data protection law as “super law”

While, in their Subchapter 1.2, the Draft Guidelines admit that the regulation of online services belongs to multiple branches of law (e.g. consumer protection law, competition law) which are outside the competence of the Draft Guidelines [and of the European Data Protection Board (EDPB)], and that assessing the validity of contracts is also outside the scope of competence of the EDPB, in terms of their content the Draft Guidelines nevertheless discuss issues that belong to these very domains.

The role of data processing should in turn be clarified. Is it an independent or a consequential activity? Can the conditions of data processing be assessed on their own, or necessarily in conjunction with another activity because they contribute to that activity? The text of the GDPR and the Draft Guidelines (just like other documents of data protection authorities) can give the impression that data processing is, independently of everything else, an activity which should be assessed on its own. In this regard, we refer back to the previous point; this approach does more or less apply to large (state) filing systems, since such databases were set up in order to have a database that can be used for various purposes (whether data in the database are actually used at any time, or how often and for what purpose they are used, is another issue).

Conversely, in contractual relationships for instance, data processing is incidental; it is not done for the purpose of data processing in itself but because it is necessary in relation to a contract. The question what is necessary is up to the parties because, as I have mentioned above, the parties are—within the limits set by the law—free to shape their legal relationships in contractual relationships, which also means that they may stipulate a condition in the case of non-application of which they do not wish to conclude the contract (“take it or leave it”).[4] They may also stipulate that they conclude the contract in writing only and, consequently, only after identifying the other party. The lawfulness of this should be assessed based on civil law and not data protection law.

If contract terms and conditions have been developed as a result of the negotiation process of the parties, processing of data implied by the agreed-upon terms and conditions will be “necessary”. Data processing is, therefore, incidental and determined by the terms and conditions of the underlying contractual relationship. The finding in Point 25 of the Draft Guidelines reading “If there are realistic, less intrusive alternatives, the processing is not ‘necessary’” is, therefore, wrong and inconsistent with civil law. It is not for the data protection authority to decide but for the parties. Raising data protection rules to the level of full-fledged contractual terms and conditions (see, for example, Point 26 of the Draft Guidelines) might violate the freedom of contract.

Ad (c): What does the GDPR protect?

Although the Draft Guidelines admit, in their Point 9, that expressing a view on the validity of contracts is outside the competence of the EDPB, the repeated stressing of “objective necessity” and the fact that they take as given, without evidence, a lack of balance between the provider and the recipient of an online service[5] (Point 12) still suggest that contracting parties would not have any room for manoeuvre in the specification of data processing issues. This is not true in this form; as I have already mentioned in the foregoing, freedom of contract allows the parties to agree on terms and conditions that they accept, and the scope of data to be processed, the duration of data processing, etc. align with this due to the incidental nature of data processing.

Data protection law may not limit the lawful will of the parties and the data processing it entails, because this is inconsistent with the autonomy of the parties. Therefore, when it comes to contracts, “necessary” is not what data protection authorities “objectively” regard as such, but what is implied by the mutual consent of the parties. Since all contracts are unique (even if they are concluded based on general contract terms and conditions), it may not be said ex cathedra that they are forced (“unilaterally imposed”) upon the data subject in each and every case [WP217 III.2.2(i), referred to in Point 28 of the Draft Guidelines]. In the absence thereof, interventions by a data protection authority might actually violate the interests of the very party whose interest the data protection authority referred to when intervening in the legal relationship.[6] The interests of the party who is in a weaker position in a contractual relationship can be protected not by restricting the scope and processing of data necessary for the fulfilment of the terms and conditions of that contract, but by regulating those contract terms and conditions; in other words, through consumer protection legislation or by prohibiting unfair or immoral contracts. Expressing a view on these is outside the competence of the data protection authority. It is not the consequence but the cause that needs to be regulated.

Ad (d): The concept of “contract”

Clarifying the concept of “contract” is an unavoidable prior question in the case of data processing related to contracts—partly due to the potential differences between the laws of the Member States. Still, neither the WP217 nor the Draft Guidelines deal with this issue. The fact that expressing a view on the validity of contracts is outside the competence of the EDPB, to which Point 9 of the Draft Guidelines correctly refers (as it is typically the competence of civil courts), does not mean an exemption from this. The competence of the EDPB does, however, also not include the definition of “contract” or “performance of a contract”. These issues belong to the domain of civil law (contract law or the law of obligations, to be more specific) and the related jurisprudence; these definitions are “given” for the data protection authorities.[7]

The position of the WP29 [WP217 III.2.2(i)] saying that the expression “performance of a contract” needs to be interpreted restrictively and the position of the Draft Guidelines agreeing with this and sustaining the previous position (Point 28 of the Draft Guidelines) are both fundamentally wrong.

As I pointed out in my article “Thoughts on the legal grounds of processing in the GDPR”[8], the enforceability of the obligations undertaken in the contract is a material and inseparable component of the contract. This has been a material component of obligations since Roman law.[9] I also pointed out that it would be more correct to interpret the word “contract” (contractus) in Article 6(1)(b) of the GDPR as “obligation” (obligatio).

The following can be added to my previous position. While public law regulates the superior-subordinate relationship between the state and its citizens (and it is a fundamental requirement that state interventions are allowed in precisely defined cases only), civil law is based on the interdependence of autonomous and legally equal parties. Civil law, in the broader sense, is the field of law regulating the relationships of such (autonomous and equal) private parties, a fundamental branch of law that defines, or at least fundamentally affects, all the relationships between private parties. Accordingly, civil law does not only deal with contractual relationships, but with other obligations as well; this does not only mean the classical, typical contracts (such as sale-and-purchase, rental, etc.), but also the atypical contracts, as well as legal relationships such as the internal affairs of an association (political party, trade unions, etc.) or a residents’ association, etc., etc. As implied by the dispositive character of its provisions, civil law ensures the fundamental option for the parties to settle their relationships and defines prohibitions (imperative provisions) in certain cases only.

As explained above, provisions regulating data processing should also consider this specificity. The opposite case would, as I mentioned in my article previously referred to, lead to the extinguishment of the principle of freedom of contract or, in a broader sense, to the deterioration of the trust and expectation concerning the fulfilment of contracts (pacta sunt servanda).

What is then a contract? A contract is the sum of the rights and obligations the parties assume within the limits set by the law, including the imperative provisions of civil law and, in the case of dispositive provisions, the provisions of the parties that diverge from the law (and, in the absence of divergence, the provisions of civil law to fill in the gaps of contract). This also includes the option that the parties may agree on terms and conditions in the case of non-application of which they do not wish to conclude the contract (“take it or leave it”). If the other party accepts this condition, then it is according to his will as well. The term reading that there are contract terms and conditions which the “data controller unilaterally imposes on the data subject” in the previous WP29 position [WP217 III.2.2(i), referred to in Point 28 of the Draft Guidelines] is therefore wrong: as a general rule, the consumer/customer is not forced to enter the contract either, and the stipulation (“imposing”) of certain contract terms and conditions is the legal right of the service provider/seller. Unless a defect in consent is established, the fact that either party considers any of the contractual stipulations burdensome or does not like it is irrelevant. Assessing the lawfulness of individual contractual stipulations is not a matter of data protection but a matter of the defeasibility of the general contract terms and conditions or certain contractual stipulations.

This is the point where we should mention an uncertainty which is (also) present in the Draft Guidelines, namely where the limits of one “data processing” should lie in the context of a contract (or even generally). By this, I do not mean the definition of data processing [Point 2 of Article 4 of the GDPR] (as that only lists data processing operations) but the criteria by which one data processing can be separated (logically or in terms of appearance) from another, also considering the purpose and legal basis of the data processing, the scope of data processed, the retention time, etc. In this respect, in my opinion, everything that is necessary for the fulfilment of the contract terms and conditions mutually agreed upon by the parties is data processing (and a single data processing in itself) falling within the scope of the contractual legal basis [Article 6(1)(b) of the GDPR], while the fulfilment of other obligations related to the contract, such as tax obligations, constitutes another, separate data processing.[10] Article 7(4) of the GDPR (“the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”) cannot be interpreted in terms of civil law: according to the explanation above, the parties can make anything a contract term or condition, and that thing will thus not become something separate from the contract regarding which the matter of separate consent would make sense, but a part of that contract; acceptance of contract terms and conditions is not consent under Article 6(1)(a) of the GDPR.[11][12]

As I explained in the article I referred to previously, enforceability is linked to the very point of contracts. Consequently, rights and obligations arising from a contract do not apply only as long as the parties perform (or refuse to perform), but until claims related to the contract can be put forward or are finally extinguished; this applies until claims arising from contractual (or, in the broader sense, obligatory) relationships lapse (even if the contract has been fulfilled). Data processing obviously aligns with that. Therefore, in terms of civil law, the position of the Draft Guidelines, which ignores the statute of limitations without giving any reason, is wrong (compare with Point 40 of the Draft Guidelines and Examples 1[13] and 3), as a result of which they require a different legal basis for the period between the termination of the contract and the fulfilment of the claims arising from it. Since, during the period in question, the legal relationship remains the same as it was at the beginning of the contract (more specifically, the parties are the same and the subject-matter of the relationship of the parties is the same), no conceptual reason can be found for the position appearing in both the WP217 and the Draft Guidelines. Article 17(3)(e) of the GDPR (“the establishment, exercise or defence of legal claims”) is to be understood, for contractual relationships, not in terms of data processing within the term of limitation but in terms of potential data processing after the term of limitation (e.g. in procedures launched while still within the term of limitation) (compare with Point 41 of the Draft Guidelines).[14]

In summary, the contractual legal basis [Article 6(1)(b) of the GDPR] is one of the most widely applicable (and actually applicable) legal bases, because it covers the relationships of autonomous and equal private parties. This is why the interpretation of the word “contract” should be expanded and used in the sense of “obligation”. A “contract” is in turn the sum of the rights and the obligations the parties have within the scope of a given legal relationship until the end of the term of limitation; it is a uniform, indivisible whole. By building on a fundamentally wrong concept, the Draft Guidelines take a position that could cause considerable harm to the functioning of the legal system.


[1] This article was first published in Hungarian at https://gdpr.hvgorac.hu/velemeny-az-europai-adatvedelmi-testulet-2-2019-iranymutatasanak-tervezeterol/. English translation by Idea Fortis (ideafortis.hu)

[2] Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects – https://edpb.europa.eu/sites/edpb/files/consultation/edpb_draft_guidelines-art_6-1-b-final_public_consultation_version_en.pdf (accessed on 12 May 2019)

[3] In this regard, see Article 85 of the GDPR, which allows for deviation from practically all rules of the GDPR in the issues it regulates. It is, therefore, justified to ask whether the rules of the GDPR are—in all respects and in all detail—applicable to the types of data processing falling within its scope.

[4] Stipulating such contract terms and conditions (and specifying the scope of personal data related to their fulfilment) is not the “interest” of either (or perhaps both) of the parties, but their “right” (subjective right). In contractual relationships, it is not the “interests” of the parties but their subjective rights that are legally relevant (their interests appear behind the exercising of the subjective right, i.e. in the reason and manner of their actions within the scope of their contractual relationship)—compare with Points 2 and 18 of the Draft Guidelines.

[5] I am not disputing that it is (could be) true for certain business sectors that some players are in a dominant market position. Taking such a stance in a general position seems, however, wrong.

[6] The provision that “data subjects … cannot trade away their fundamental rights” (Point 51 of the Draft Guidelines) is another ex cathedra statement. As the Hungarian Constitutional Court has put it in a case of a different type: “Any person can cause damage to himself/herself and take risks if he/she is capable of making free, informed and responsible decisions.” (Decision No. 21/1996. (V. 17.) of the Constitutional Court) The GDPR mentions explicitly that EU or Member State law may override the will of the data subject only in its Article 9(2)(a).

[7] Contents of contracts, obligations can be different in various legal systems. This paper applies the approach based on Roman law, having regard to the fact that the Roman law is influential in European legal systems.

[8] Original title in Hungarian: A GDPR jogalapjairól. https://jogaszvilag.hu/szakma/a-gdpr-jogalapjairol-1-resz/ and https://jogaszvilag.hu/szakma/a-gdpr-jogalapjairol-2-resz/, available in English at https://www.linkedin.com/pulse/thoughts-legal-grounds-processing-gdpr-zsolt-bártfai-ll-d-ll-m/

[9] See Justinian’s Institutes I.3,13. pr.: “Obligatio est iuris vinculum, quo necessitate adstringimur alicuius solvenda rei secundum nostrae civitatis iura” — An obligation is a legal bond that ties us to the necessity of making some performance in accordance with the laws of our state.

[10] Therefore, in a contractual relationship, in the light of the relevant legal regulations, data processing does not have multiple purposes, legal bases, etc. but one can speak of a collection of multiple, different types of data processing. The case detailed in Point 3.1 of the Draft Guidelines is, therefore, not another aspect of the same type of data processing but a separate type of data processing.

[11] The decision CNIL adopted against Google is, therefore, wrong in this respect (see https://www.legifrance.gouv.fr/affichCnil.do?id=CNILTEXT000038032552): a large part of the conditions offered by the service provider should be considered as potential contract terms and conditions which the data subject can either accept or not. This kind of acceptance of contract terms and conditions is not a consent according to Article 6(1)(a) of the GDPR, but it should still be assessed within the scope of Article 6(1)(b).

[12] At the same time, this position is not inconsistent with the prohibition of tying for instance (compare with Point 31 of the Draft Guidelines); if tying is prohibited, then the related data processing will also be unlawful. If a particular commercial activity is not prohibited, then related data processing can also not be ab ovo such.

[13] In this example, the assessment of the processing of the home address is not correct; since it—i.e. potential non-fulfilment (e.g. the non-receipt of goods or the refusal to pay)—generates a legal claim which can be asserted only against the customer, and this “necessitates” the home address—or any other unequivocal contact—(because that is where the customer can be contacted), the processing of the home address can be justified until the lapse of the claim (since civil law provides the parties with the opportunity to assert claims within the term of limitation), i.e. it is necessary.

[14] In accordance with what I explained in the article I referred to previously, the assertion of legal claims should not be regarded as a separate legal basis but as a necessary part of the legal relationship underlying the data processing under any legal basis; enforcement of rights cannot exist on its own without an underlying legal relationship.