Looking for a good reason to process your data? Consent is so 2017. Legitimate interest is so 2018. And contractual basis? Soooo 2019. Don’t forget about all those laws telling you to keep data. Our prediction is that compliance with a legal obligation will be the new thing in 2020 and beyond. In fact, this is a warning not to delete data just like that: you may end up violating not only a specific legal record keeping law, but also the GDPR. Here is a little history as to why.
The birth of the GDPR
Before the industry-creating, almighty and household-brand “GDPR” entered into effect, life was so simple. Most data controllers had never heard of EU privacy law, and the ones that had just applied an “ask consent and we are safe” approach. And why wouldn’t they? There were only a handful of investigations in some of the EU countries, a risk that just did not materialize.
The GDPR, with its hefty fines, its rules riddled with political compromise, and most of all its high costs of compliance, changed the way companies looked at privacy (I like “data protection”, it sounds tougher than “privacy”). Its importance can hardly be overestimated: the GDPR is still to date the most lobbied piece of legislation, together with the ever-imminent e-Privacy Regulation. At the time of the making of the GDPR, the EU economies were becoming more data driven and there was a need for a strong regulatory framework. IP laws provided no regulatory mechanism for the use of data. More to the point, if I were to have a copyright on my name, I would gladly give you a license against a small fee! No, not copyright or database rules but data protection rules are often thought to be the major determining legal framework for the use of data. Hence, when the GDPR was discussed, every lobby organization jumped on it. The EU politicians had to physically kick all the lobbyists out of their Brussels buildings to find some peace and quiet to build a compromise. After working through thousands of amendments, the GDPR was final.
As a result, the stakes were raised, the risks of non-compliant data use were higher, and the chances of those risks materializing were bigger. Suddenly investors, business partners, boards and other stakeholders were looking at the in-house privacy expert. Every pre-GDPR privacy officer / legal counsel earned a few extra stripes during this period. It was chaos, it was mayhem. The result of an impossible task: to transform multinationals and businesses in the course of a few months. Everything needed to be data compliant before 25 May 2018. In the weeks leading up to that date, boards were asking their GDPR project managers to demonstrate their compliance with the GDPR, and business partners were asking each other if they could warrant their compliance with the GDPR. And rightfully so. Companies were warned. I remember the debate following the decisive vote within the EU parliament which turned the GDPR into law. It did not matter which political party or EU member state the speakers were from. They all repeated the same two things: data protection is a human right and we want real, demonstrable compliance. They were not joking. Neither are the Japanese, UK and Brazilian governments, who created their own versions of the GDPR, with many more countries following in the EU’s footsteps (like Pakistan).
Legal basis: going from a to f (consent to legitimate interest)
Just like that, the “ask consent and we are safe” strategy did not look that appealing to most companies anymore. After months of long meetings, most boards realized that the rules around consent were the way they were: impossible. Revocable, explicit, informed, freely given, administered, re-obtained, single, double, not bundled with contractual requirements… it is just too much. Of course, there were a few organizations that were just too stuck in their ways. Those were the ones sending you opt-in requests for “processing of personal data” on GDPR launch day. We smiled and ignored them. And in turn they probably ignored our refusal to consent.
The fallback for consent was an old favorite: legitimate interest. We humans tend to believe that everything we do is legitimate. Good for us, good for everyone, the greater good. It is a value shared by every profession and industry, public or private. Especially when it concerns what we do for our customers and employees. I bet you, put a marketeer and an official from an EU data protection authority in the same room and they will both state that they put the best interest of the individual first. But for some reason they will not agree with each other… strange.
The Article 29 Working Party (boy do I miss that name) had given out guidance some years prior to the GDPR with regard to legitimate interest and purpose limitation that made some believe that data processing for any purpose was possible. Were you processing for marketing? Not a problem, legitimate interest. Were you doing big data analysis on inner city crimes? Not a problem, it serves the community, so legitimate interest.
Basing processing on legitimate interest requires balancing the interests of the data controller against those of the individual. After that, the data controller should ask whether what they are trying to accomplish with the data processing is actually necessary. If there is some perceived risk, then you have to mitigate it. This assessment has led to a lawyer’s paradise. Everywhere around the world, lawyers (myself included) claim to know exactly what is allowed when you put in place the right combination of mitigation measures. Like it is a magic potion to which only privacy experts know the recipe. It goes a bit like this: make an entry in the records of processing, do a DPIA (Data Protection Impact Assessment) or LIA (Legitimate Interest Assessment) which for some reason always concludes that the data processing is allowed, apply a bit of data minimization (but not too much of that sort of dangerous poison!), create access restrictions for show and, if you feel like it, purpose limitation, discuss who decides what, and tie a nice ribbon around it in your privacy statement. Very often we believe that everything is allowed, as long as you are transparent about it. I am exaggerating of course.
Whoops almost everything is profiling – going from f to b (legitimate interest to performance of a contract)
But mitigation also has its limits. Some risks are by nature residual. They remain even if a data controller implements sufficient security measures and internal access controls and properly informs its data subjects. Think of the person being refused an insurance policy because a neighbor defaulted on a contract. Result: the entire street poses a risk, because of its perceived characteristics (average income, average age, average education level). Or the mother being thrown off social media because she shared a photo of herself breastfeeding her child (yes, I know it is allowed now). Some risks just cannot be mitigated, because the processing itself violates the very thing privacy rules try to protect: the fair treatment of people (no, not the hiding of secrets, that is so 2008).
And what constitutes fair treatment? Well, it means something different from one person to the next. Ask different people how they view corruption and criminality in one country and you will get similar views per country. Ask people about privacy and you will get a different answer from each single person. That is why data controllers desperately ask for regulator guidance and then completely disagree once the guidance gets published. It is just that the EU legislature and the data protection authorities have a completely different view on what constitutes legitimate processing and what requires full control by the individual.
And the line in the sand is drawn with “profiling” and “analytics”. Many scholars have made convincing analyses of both concepts and I will not try to replicate them here. The real issue was that the GDPR included several profiling provisions, making it difficult to stay away from the claws of GDPR explicit consent. And that was the intent of the EU legislature: to safeguard that its citizens will not be ruled by almighty algorithms (especially if they are US or China made). As an unfortunate result, we are dealing with a very wide concept, and quite a lot of data analytics could fall to some degree within the profiling definition. We are also dealing with EU data protection authorities that will just not accept defeat: even if certain analytics does not constitute restricted profiling producing automated decisions, they still often argue that the data controller has run out of legitimate interest and that consent is required.
In a data-driven economy data itself has no real value; it just sits in a database. It is the use people make of personal data that determines its value. And how do we create value? By involving business intelligence professionals who crunch and mine data and come up with surprising insights. The result: there are not that many processes which haven’t been analyzed (and those processes are definitely on the data analyst’s to-do list).
So what to do when you are analyzing data but want to stay away from consent? Well, you make sure that analytics become part of the contract with your customer, business partner or employee! The legal basis of article 6(1)(b) GDPR (performance of a contract) proved to be a nice escape from dreadful, conversion-killing consent. It was cooked up by a few shrewd top tier lawyers, who creatively created the vision that the service the individual subscribes to is analytics. If analytics constitutes one of the main pillars of a contract, who could then say that this processing is not necessary for the performance of that contract, right? Well, the EDPB does, in its widely praised and criticized Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects. In the guidelines the EDPB said that performance of a contract should be interpreted strictly (and then again in Guidelines 5/2020 on consent). It managed to whitelist a few analytics objectives within the context of a contract (e.g. a personalized news service), but it also blacklisted the most economically lucrative modes of data analytics. Analytics for fraud screening? Forget about it. Online behavioral advertising on the basis of a contract? Nope. Suggestions on the basis of past use? Wrong again. Performance of a contract has some serious limitations. We will need to explore additional options.
Don’t forget about the law – going from b to c (performance of a contract to compliance with legal obligations)
The problem with consent is that you are never sure it is valid. The issue with legitimate interest is that you are never sure whether what you are doing will ultimately receive the blessing of the regulator. And putting everything in a contract, well, that is a bit like cheating according to the EU data protection authorities. It was a loophole in the law. The data protection authorities want you to strip the contract to its bare basics and then ask yourself the question: what data do I really need to keep under a web shop account? Well, login details and a delivery address (but only when you decide to order something!).
Don’t get me wrong, consent, legitimate interest and performance of a contract are all sweet and useful legal bases. But just don’t forget about the law. The almighty article 6(1)(c) GDPR (compliance with a legal obligation), which has as many colors as there are laws in the world. Compliance with a legal obligation is a complex but incredibly rich option for all organizations, big and small. You can base your processing on one of the many laws that are applicable to your business, or start by applying consent, contractual basis or legitimate interest and then end with storage on the basis of compliance with accounting, social or tax laws, or, if this data would be of interest in the event of litigation, on the basis of the applicable limitation / prescription rules. Do you want an example? How about French labor law telling you to keep your payroll data for 5 years after the end of the employment contract? Or the Dutch Civil Code telling you to keep your bookkeeping for 7 years after the end of the fiscal year? Laws tell you not only to keep data, but also which data, for how long and for which purpose.
Even the EU data protection authorities are on board. See the EDPB for example in its Guidelines 2/2019 (p. 13):
“Furthermore, the controller informs data subjects that it has a legal obligation in national law to retain certain personal data for accounting purposes for a specified number of years. The appropriate legal basis is Article 6(1)(c), and retention will take place even if the contract is terminated.”
Wait? What? Did the EDPB just say you can keep data after a contract has ended? Yes, it did! The consensus is that the GDPR does not prevail over other, more specific laws. You should read those laws into the GDPR, or vice versa. Compare the CNIL, in its recent deliberation on the processing of employee data:
“For example, many data necessary for the management of the contractual relationship (employment contract) must be kept for the duration of the employment relationship, unless otherwise provided by law or regulation.”
The legal ground “compliance with a legal obligation” is far more complex but much richer in options than the other article 6 legal grounds. Countries have made thousands of laws that all include obligations to keep certain information, administrative records, books, registers etc. The reason? Accountability and auditability. All governments like to be able to check the books and data of organizations and therefore require certain information to be kept and processed. I repeat: all governments do this. It does not matter if we are talking about Germany or Haiti, all countries create laws of all sorts that require data processing. From civil laws to environmental laws and from labor law to industry specific regulations.
The GDPR technically prohibits deletion of data in violation of another law
So before you go and delete that data, please stop and reflect: are you really sure you are allowed to delete? Now comes the second part of the argument: the GDPR prohibits deleting data in violation of other laws. Why? Consider article 4(2) GDPR, which defines processing of personal data to include erasure and destruction. As a result, you will need a legal basis for the intended deletion. On the basis of articles 5 and 6 GDPR you will need to ask yourself if data deletion is actually allowed and necessary (proportional and in compliance with the subsidiarity principle). If there is a law mandating that you keep the data, deletion is a definite no go. It would be in violation of that law and of the GDPR.
This may feel weird, right? Shouldn’t the intent of the GDPR be “less is more”, data minimization and storage limitation? Yes, it is, but to repeat the actual intent of the GDPR: the purpose of the GDPR is the fair treatment of individuals. And sometimes having data on a person actually enables organizations to treat them fairly. Think about the situation where a citizen walks up to the counter of his local municipality inquiring about the specifics of his permit and the municipal official responds in Kafkaesque fashion: which permit? We don’t have anything about a permit…
But is article 5(1)(e) GDPR (storage limitation) not relevant then? Yes, it is, and don’t you forget it. The GDPR regulates proportionality and tells organizations never to store personal data longer than necessary for the purpose for which the data were collected or used. As a result, virtually every legal minimum retention period relating to a piece of information containing personal data also becomes the maximum retention period. So when the legal basis lapses, it is really time to delete the data.
Another reason why I love article 6(1)(c) GDPR
Sometimes I feel that EU data protection authorities have gotten too much power. They can dictate what constitutes a contract, what proper consent looks like, and which interests are deemed legitimate and which are outweighed by the interests of the individual. It is like they have become the guardians of ethics and good taste of our economies.
Article 6(1)(c) GDPR is more objective. It refers to laws outside the scope of the GDPR, tested by courts, managed by different ministries and guarded by different regulators. When you base processing on compliance with a legal obligation, you suddenly find yourself in the presence of some strong allies: government stakeholders who have supported the non-GDPR law, and an industry regulator that does not appreciate the data protection authority creeping into its space and providing competing interpretations of the law. Raise your hand if you have enjoyed battles between your tax authority and your data protection authority (I am sure there have been a few). Nothing more fun than to put a data protection authority in contact with your industry regulator or a ministry. Really, I have been there!
Compliance with a legal obligation provides the ultimate appeal to authority: the law says so. It is also the number one way to beat a data protection authority in a discussion, because you take them out of their comfort zone. EU data protection authorities don’t like to debate laws other than their own GDPR. And to be honest, if the above did not convince you… compliance with the law is part of an organization’s social responsibility.
Thank you for making it down here. I am writing this on the edge of a hospital bed, hoping that our baby girl will be born on 25 May (that would be perfect for her two data protection lawyer parents). UPDATE: Yes!!! She was born on 25 May 2020!! We are filerskeepers, and we read all the laws in the world. Together with you we want to solve records retention once and for all and promote compliance with the GDPR/CCPA and all other privacy laws in the world.