How to Make Digital Analytics Processing Lawful Under GDPR and ePrivacy?


Written by Aurélie Pols

Published June 02, 2017

If you’re a regular reader of Piwik PRO’s blog series on GDPR, you have possibly noticed that our posts are leading you through the questions your company should answer to assure readiness and minimize compliance risks with a view to the May 2018 deadline.

We initially talked about whether GDPR applied to your company. We addressed the thorny issue of whether “we don’t collect PII” would still be enough to assure compliance. Then, we skipped a couple of articles and discussed consent.

This article focuses on the heart of the GDPR and privacy legislation as it reviews the principles related to the processing of personal data, as well as how to assure such data endeavors are lawful. Consent will then be revisited, considering the upcoming ePrivacy Regulation that is currently being drafted and expected to come into force at the same time as GDPR.

Processing of personal data – main principles

Europe and the GDPR didn’t exactly re-invent the wheel when it comes to principles relating to the processing of personal data. As highlighted back in 2014 in the Privacy Engineers Manifesto, privacy legislation around the world shares common principles, which we can see below.

[Figure: How key privacy frameworks align]

As such, Article 5 of the GDPR is no different, yet attention should be drawn beyond the first paragraph to focus on the enhanced notion of accountability.

Indeed, paragraph 2 highlights that “the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).”

The chances are therefore that data controllers, those dealing directly with customers, will turn to their data processing partners for support in their compliance claims. How compliance can be demonstrated becomes part of the data equation: for example, how do you demonstrate that data is only kept for as long as necessary?

Or how do you prove data is “not further processed in a manner that is incompatible with those purposes” (the ones for which data was collected in the first place)?
Evidence related to data deletion, or at least anonymization, should become part of sound data practices under the GDPR.

Data minimization

Also note that one principle sits rather uncomfortably with “big data” practices: the “data minimization” principle in paragraph 1 (c) of Article 5 highlights that “personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.

This principle can be upheld only if the data industry keeps track of the initial purpose for which the data was intended and assures alignment through traceability mechanisms. While certain traceability mechanisms seem to be in development, structuring of purpose unfortunately seems overlooked, which doesn’t bode well for forthcoming Internet of Things initiatives!

Lawfulness of processing

Once the principles related to processing of personal data are understood – including defining purpose, the reason for which data is being used in the first place – your company can move on to defining which mechanisms will make the processing of data lawful.
GDPR allows for a range of possibilities, of which legitimate interest is typically the most widely used.

Imagine for example someone contracting a subscription with a Telco operator to be able to receive and make calls under a personal phone number. The data processed to create this account, make the service work, and send invoices would typically fall under the concept of “legitimate interest”: the parties involved have a legitimate interest to make these data processing operations lawful, both the citizen/consumer whose data is being treated under this contract as the data controller and the Telco company delivering the service.

There is a lot of discussion about how far this concept of legitimate interest stretches, certainly when talking about digital data. Recital 47 specifies further that “the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned”. Fraud detection gets a free pass for lawfully processing data, one that is also used in digital endeavors.

Direct marketing, however, while also listed in recital 47, is not endorsed. Indeed, the last line of this recital states “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. In other words, it doesn’t constitute a legitimate interest by default, as opposed to fraud.

And this is where, when it comes to digital analytics, it is essential to note that legitimate interest for now is not among the options available under the ePrivacy Regulation to assure lawfulness of processing. Indeed, article 8.1 of ePrivacy, while talking of consent, as does Article 6 of the GDPR, does not include this part of the GDPR. At the same time, the GDPR does include cookies and unique identifiers in the list of personal data, so privacy legislation applies to digital analytics.

ePrivacy and lawfulness of processing

While we can’t talk of direct transposition of the GDPR logic into the ePrivacy Regulation, which is considered lex specialis, Article 8 addresses the protection of information stored in and related to end-users’ terminal equipment. Indeed, this is about accessing cookies and other information available on devices.

The article states that processing data from a device by another party than the user is prohibited unless either consent is given by the end-user (option b) or it falls under the exception of web audience measurement (option d).

Obviously we’ve come a long way in digital analytics since the ePrivacy Directive was passed back in 2009. This time around it seems that while the law will be applicable for all countries – it will be a Regulation, not a Directive – we will have to do better in respect of how end-users understand the manner in which their data is accessed and used.

On top of that, they’ll probably have a lot to say about it, as “consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (GDPR, article 4 (11)).
Considering the previously discussed accountability obligations, the ICO provides guidance related to consent in their GDPR Consent Guidance (p34) to give an idea of what would be required for proof of compliance.

Conditions for consent

It’s probably rather soon to state with absolute certainty that Article 8 will remain as it is. What’s sure is that time is short for the legislator and companies active within the digital data ecosystem to come to an understanding.

Consent obligations, also in line with the GDPR’s Conditions for Consent (Article 7) under which it can be withdrawn at any time by data subjects, should be at the heart of finding solutions to build accountable systems for the rapidly-emerging IoT.

Summing up

The GDPR and its partner ePrivacy Regulation apply to digital analytics. Similar privacy principles apply in both laws, such as transparency, choice, information review and correction, information protection and accountability. However, in order to make processing lawful, while the GDPR allows for the use of “legitimate interest”, ePrivacy takes only consent into consideration.

The final text of ePrivacy is still under discussion. Companies should think about how they will best deal with consent obligations (remember cookie walls?) to enhance consumer trust.
The law can only go so far: it’s a minimum standard for compliance and aims to remain technologically neutral in order to assure durability. Solutions might be found in the form of old friends like DNT, where both the law and industry bodies could play a role in rebalancing the (digital) data equation.
