«Performance of a contract» limits: Facebook, Instagram, WhatsApp… and Twitter
The "contract" lawful basis will be trending very soon, as we hear that the sky is falling on the heads of Facebook, Instagram and WhatsApp in January.
This is an old post I wrote when I first heard of NOYB's complaints, back in January 2020 (funnier, longer Spanish version here). I have only translated it, updated the Facebook bit and added a few memes.
- Contract, pre-contractual measures
- First rule: «A contract is a contract and it's not consent.»
- Second rule: To be able to apply the «contract performance» basis, data controllers must have in place, pun intended, a contract precisely with the data subject, the owner of the data whose processing it intends to legitimize.
- Third rule: contract performance can only legitimize objectively necessary data processings… to execute that contract. Nothing else.
- I want some examples to better picture this
- Example 1: access to the building where your office is
- Example 2: The Zuck of our lives
- Example 3: Apple and its related processing
- Last (and new) example: Elon's Twitter joins the band!!
- Wait! What? Where do all your bs rules come from?
- «It’s you.»
Contract, pre-contractual measures
The second of the art. 6 GDPR lawful grounds is the famous, ubiquitous and "easy-peasy" one: processing «necessary for the performance of a contract» or «for the implementation, at the data subject's request, of pre-contractual measures».
Applying it looks like child's play, doesn't it?
That is why this ground has traditionally been abused. But… not so fast, my friend.
This ground, along with «legal obligation», is one of data controllers' favourites, and with good reason: both are quite literal and apparently require no balancing tests or other weird and tricky things to use.
«Every rose has its thorn, my little padawan». Problems lie in a certain tendency of many organizations to go for the easy way:
- On the one hand, trying to apply the simplest solution in the most complicated cases.
- On the other hand, stretching it like chewing gum to cover excessive processing.
In this regard, we could sum up the Meta situation with this meme:
Fortunately, we have rules to head off these sleights of hand. In the specific case of contract performance, we have three:
First rule: «A contract is a contract and it's not consent.»
A contract (at least in our Latin tradition) implies reciprocal commitments between the parties.
A contract should not be confused with consent just because «terms and conditions» are accepted.
This comes to mind after that awful lot of «self-serving confusion» about what a contract is and means. Hello, Facebook!
The EDPB already warned about this one in its 2019 guidelines on art. 6.1.b) GDPR:
Second rule: To be able to apply the «contract performance» basis, data controllers must have in place, pun intended, a contract precisely with the data subject, the owner of the data whose processing it intends to legitimize.
No, Alice Inc cannot invoke its contract with Bob Ltd to legitimize its processing of Jorge’s data.
I know, I know: your local data protection authority may have said otherwise for particular cases. Please, let me know: I'm interested.
BUT: that only means that your DPA has interpreted that "data processing A" is inherent to "performance of contract B". Congratulations! You can save yourself the "mini-LIA" effort (more about this later) and use the silver bullet.
Also, mind you: I am not saying that you cannot legitimize such processing under a different lawful basis (I mean my favourite one, legitimate interest), just not on art. 6.1.b) GDPR.
Third rule: contract performance can only legitimize objectively necessary data processings… to execute that contract. Nothing else.
Nothing else, I insist.
Yes, my friends: the truth is that, in order to rigorously apply the «contract» basis, you will have to run a mini «balancing test» to determine which processing is, and which is not, directly linked to the performance of the contract.
Give it special thought when the contract you are talking about is… an employment contract.
I want some examples to better picture this
Example 1: access to the building where your office is
If your company moves to a building with entrance security measures such as fingerprint access control, a video surveillance system, or whatever, neither your employer nor the building owner can justify the processing of your data on the basis of the lease between them.
You are not a party to that contract: the building owner's contract is with your company (which employs you), not with you. Again: I'm not saying you can't legitimize it, just not through the art. 6.1.b) GDPR basis.
Example 2: The Zuck of our lives
Now for the additional processing perpetrated by Facebook, Instagram and WhatsApp. When you accept their terms and conditions, what you are doing is entering into a contract whose purpose is that:
1.- you feed Mark Zuckerberg's social media platforms with your content (Facebook for oldies, Instagram for millennials), thus sharing it with «your contacts»;
2.- you allow Mark to spy on you, study you and show you ads galore between posts and photos.
In the case of WhatsApp, the purpose of the contract for the user is to be able to use an effective instant messaging platform.
What has never been clear is why Mark, in order to perform his side of these contracts, that is, to make your content accessible (your beach-feet photos, your rants and diatribes…), would need to profile you in detail, breaking down your personality into hundreds of attributes in order to sell his personalized advertising service to third parties.
Maybe that personalization of advertising is the key data processing for Mark, but the truth is that it has little to do with the service expected by users. Remember that these are not the same thing:
(1) the contract between Facebook and the user (object: allowing the use of a social network to share content) and
(2) the contract between Facebook and the advertising companies (object: to place their ads only under the noses of their ideally targeted audience; at least theoretically, because guess what? this is not necessarily true either).
Let's leave Meta's bloodied body to rest in peace (it seems that the three Christmas penalties may exceed 2 billion euros). Just remember that its disregard for data protection compliance was Olympic from day one: in the early hours of May 25, 2018, it changed its terms and conditions, abandoning consent as its key lawful basis and replacing it with contract.
In Spain we call it “nocturnality”.
Example 3: Apple and its related processing
See the crystal-clear screen recording courtesy of Pat Walshe (@PrivacyMatters on Twitter). He wiped his Mac and, when reinstalling the OS and entering the App Store, was kind enough to highlight three interesting fragments of Apple's information about the data processing that was about to take place there.
Click ‘see how your data is managed’ and you’re taken to a scroll window proving information on ‘App Store and Privacy’ advising of opt-outs …. pic.twitter.com/sUq0baBQQI
— Privacy Matters 🇬🇧🇮🇪🇪🇺🌻 (@PrivacyMatters) September 17, 2019
Yes, you are agreeing to a platform use agreement, software license, etc… with Apple.
Yes, that agreement involves some necessary data processing but… what's that? And what's that? Where are the unticked checkboxes that must be actively and unambiguously accepted, giving the granular, additional consent needed to legitimize the non-essential processing before it is carried out?
You can only object “ex post facto”. But at that point, the bird – your data – has already flown out of the nest.
As you can see from the date of Pat's thread, this is not a recent example: it is from the end of 2019. What is recent is this news: the CNIL's rapporteur has proposed a 6 million euro penalty against Apple for this infringement.
Apple wants to pay less but, above all, it wants the penalty not to be made public: incoherence in the «kingdom of transparency».
Last (and new) example: Elon's Twitter joins the band!!
— Casey Newton (@CaseyNewton) December 14, 2022
Wait! What? Where do all your bs rules come from?
I know, I know: the GDPR does not expressly require a direct link between the data controller and the data subject (it only says, literally, that the data subject must be a «party»).
One could say that half the world has a contract with the other half.
If the mere fact that a given company has a contract with a second one allows it to process my data because «it needs it» to fulfil its contract, then… well, you may leave this post and read something more interesting.
Luckily, I have better arguments…
The ICO's men in black made it clear in their guidance on lawful bases. On their website, you can read this:
In the same line the Irish DPC guidelines on lawful bases.
In the same sense, the EDPB indeed (guidelines on 6.1.b) GDPR):
In fact, they also impose on the controller the obligation to make a «mini LIA» (MUAHAHAHA) based on four questions:
- What is the nature and main characteristics of the service for the data subject?
- What is the subject matter and substantive elements of the contract?
- What are the respective expectations of the two parties?
- Would it be within the reasonable expectations of the average customer that, in view of the service, the data controller would carry out the data processing it intends to legitimize on this basis?
Example: the EDPB, very neatly and without mentioning Facebook at all, pointed out that an online store would certainly need to process the customer's payment details to execute (collect on) the sale. BUT it will need another lawful basis to profile its users' behaviour, tastes, preferences, etc.
And the same was advised with respect to the processing of customer data for behavioural advertising.
Have a very good week.
HO HO HO
Jorge García Herrero
Lawyer and DPO