CNIL Opines on Processors’ Ability to Reuse Personal Data

Background

For processors, there is significant value in the personal data they are processing from their own use perspective, whether to improve products and services, gain competitive advantage, identify fraudulent activity or to train algorithms. As a result, it is becoming increasingly common in IT contracts in particular (although also in other types of contracts) for processors to obtain a general right from controllers to use personal data processed by the processor under the contract on an anonymised and/or aggregated basis for its own purposes. This right (particularly with large IT vendors) has been difficult to negotiate out with processors offering controllers a take it or leave it approach.

Aside from the fact that, just from a general standpoint, many controllers do not want a processor to use their data for any other purposes other than to provide the services contracted for, a lot of controllers have been rightly concerned about letting processors use their data for their own purposes, even if on an anonymised basis.

The problem arises as under Article 28(3) of the GDPR processors can only use personal data on behalf of the relevant controller and in line with the documented instructions from the controller, unless a national or European text requires the processor to do otherwise. Should a processor act outside this remit then they are likely to be controllers themselves and would have to comply with all the core obligations of the GDPR, as well as being liable for sanctions for not having acted in accordance with the instructions of the original controller (Article 28(10) GDPR). Processors therefore have historically tried to circumvent this issue by saying the controller has instructed them to anonymise the data to enable the processor to use it for its own purposes. However, this approach has never been properly tested until now.

CNIL’S response

Clearly the CNIL is aware of the common market practice for processors (either with the permission of controllers, or occasionally without) to use personal data of controllers for their own purposes (usually just in a limited fashion, e.g. service improvement or statistical analysis), and therefore has decided to publish these guidelines in order to clarify when such reuse is permissible and compliant with the GDPR. The guidelines set out strict conditions that need to be met.

Compatibility test

In addition to confirming that controller consent is required, the CNIL has made it clear that a compatibility test to satisfy must be carried out by the controller before the controller can even decide whether to grant permission or not. The evaluation process to satisfy the compatibility test must be carried out for each processing for which the processor wishes to reuse the data, and the CNIL states “prior and general consent to the reuse of data is not legal”, which effectively means the controller must evaluate each new proposed processing on a case by case basis.

The evaluation criteria are:

• the link between the original purpose for processing and the new purpose;

• the context in which the personal data were collected;

• the possible consequences for data subjects;

• the nature of the personal data;

• the existence of appropriate safeguards; and

• Article 6(4) GDPR factors, e.g. encryption, pseudonymisation.

If the test is not met then the controller must refuse permission for the reuse of personal data. If the test is met then the controller can decide whether to give their consent or not.

Processor becoming a controller

If requisite written permission is secured the processor will become a controller for the purposes for which it is re-using the data. It is essential the processor then complies with all the GDPR obligations for this processing, e.g. legal basis, purpose, data minimisation, data retention, security measures, data subject rights etc. However, in relation to transparency, the CNIL says “it is, in principle, the responsibility of the original controller to inform the data subjects” about the new processing and the new controller, and whether data subjects can oppose it. Also, if the new controller has the contact data for the data subjects the original controller “may delegate this action to the processor for the processing it wishes to carry out.” The CNIL acknowledge there may be situations where the new controller may not be able to communicate with the data subjects directly so co-operation between the original controller and the new controller is needed in order for the data subjects to remain in control of their data.

This new transparency requirement on the original controller goes beyond the current practice. Typically providers who process personal data for their own service improvement and analytics purposes simply make clear in their own privacy notices that whilst in the main they are a processor, on occasion and in very limited circumstances, they are a controller of data for service improvement purposes etc. It is rare for the customer controller to take any responsibility for telling its data subjects about this element, and rather its information obligations end in the telling of data subjects about third parties with whom they share data for x, y and z purposes.

So what does this mean in practice?

It seems as though we may finally have an answer, and certainly the CNIL’s answer, for the perennial question – when can a processor use personal data it obtains from a controller for purposes broader than just strictly providing services to the controller? However, the strict conditions laid down in the CNIL guidelines go beyond what most controllers would expect and now place quite a lot of additional (and unwanted) burden on the controller.

Although this is guidance issued by the CNIL, we expect that regulators across Europe and the UK will likely adopt similar approaches, so we recommend that controllers start to revisit their contracts in light of these guidelines. Given it is the CNIL’s clear view that the compatibility test must be carried out on a case by case basis, a general contractual right will not be sufficient and greater input from both controllers and processors will be required on a case by case basis to comply with these guidelines.

Further, as the guidance requires controllers to notify the data subjects of this new processing purpose, controllers need to revisit their privacy notices to ensure such processing is adequately covered.

While this guidance places more of an administrative burden on controllers, it also gives controllers more bargaining power when it comes to negotiating out these types of clauses. We imagine that a lot of controllers are unlikely to want to put in the extra effort to enable processors to reuse the data unless the data reuse is obviously compatible with the provision of the services (and importantly benefits the controller) so it will be interesting to see how processors reliant on this data analysis will tackle reluctant controllers going forward.

[1] Subcontractors: the reuse of data entrusted by a data controller