Darren Abernethy, Senior Counsel TrustArc
Ravi Pather, VP Sales CryptoNumerics
The GDPR is not intended to be a compliance overhead for controllers and processors. It is intended to bring higher and consistent standards and processes for the secure treatment of personal data. It is fundamentally intended to protect the privacy rights of individuals. This is nowhere more true than in emerging data science, analytics, AI and ML environments, where the sheer number and variety of data sources create a higher risk of identifying an individual’s personal and sensitive information.
The GDPR requires that personal data be collected for “specified, explicit and legitimate purposes,” and also that a data controller must define a separate legal basis for each and every purpose for which, e.g., customer data is used. If a bank customer took out a bank loan, then the bank can only use the collected account data and transactional data for managing and processing that customer’s loan, in order to fulfil its obligations in offering the loan. This is colloquially referred to as the “primary purpose” for which the data is collected. If the bank now wanted to re-use this data for any other purpose incompatible with or beyond the scope of the primary purpose, this is referred to as a “secondary purpose” and requires a separate legal basis for each and every such secondary purpose.
For the avoidance of any doubt, if the bank wanted to use that customer’s data for profiling in a data science environment, then under GDPR the bank is required to document a legal basis for each and every separate purpose for which it stores and processes this customer’s data. So, for example, ‘cross sell and up sell’ is one purpose, while ‘customer segmentation’ is another and separate purpose. If relied upon as the lawful basis, consent must be freely given, specific, informed, and unambiguous, and an additional condition, such as explicit consent, is required when processing special categories of personal data, as described in GDPR Article 9. Additionally, in this example, the loan division of the bank cannot share data with its credit card or mortgage divisions without the informed consent of the customer. This should not be confused with a further and separate legal basis the bank has: processing necessary for compliance with a legal obligation to which the controller is subject (AML, fraud, risk, KYC, etc.).
The challenge arises when selecting a legal basis for secondary purpose processing in a data science environment as this needs to be a separate and specific legal basis for each and every purpose.
It quickly becomes an impractical exercise for the bank, let alone an annoyance to its customers, to attempt to obtain consent for each and every single purpose in a data science use case. In any case, evidence shows a very low level of positive consent using this approach. Consent management under GDPR is also tightening up: blackmail clauses and general, ambiguous consent clauses will no longer be deemed acceptable.
GDPR offers controllers a more practical and flexible legal basis for exactly these scenarios and encourages controllers to raise their standards towards protecting the privacy of their customers especially in data science environments. Legitimate interests processing (LIP) is an often misunderstood legal basis under GDPR. This is in part because reliance on LIP may entail the use of additional technical and organizational controls to mitigate the possible impact or the risk of a given data processing on an individual. Depending on the processing involved, the sensitivity of the data, and the intended purpose, traditional tactical data security solutions such as encryption and hashing methods may not go far enough to mitigate the risk to individuals for the LIP balancing test to come out in favour of the controller’s identified legitimate interest.
If approached correctly, GDPR LIP can provide a framework with defined technical and organisational controls to support controllers’ use of customer data in data science, analytics, AI and ML applications legally. Without it, controllers may be more exposed to possible non-compliance with GDPR and the risks of legal actions as we are seeing in many high profile privacy-related lawsuits.
Legitimate Interests Processing is the most flexible lawful basis for secondary purpose processing of customer data, especially in data science use cases. But you cannot assume it will always be the most appropriate. It is likely to be most appropriate where you use an individual’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
If you choose to rely on GDPR LIP, you are taking on extra responsibility not only for implementing, where needed, technical and organisational controls to support and defend LIP compliance, but also for demonstrating the ethical and proper use of your customers’ data while fully respecting and protecting their privacy rights and interests. This extra responsibility may include implementing enterprise-class, fit-for-purpose systems and processes (not just paper-based processes). Automation-based privacy solutions such as CryptoNumerics CN-Protect, which offer a systems-based (Privacy by Design) risk assessment and scoring capability that detects the risk of re-identification, together with integrated privacy protection that retains the analytical value of the data for data science while protecting the identity and privacy of the data subject, are available today as examples of technical and organisational controls that support LIP.
Data controllers must first perform the GDPR three-part test to validate LIP as a valid legal basis. You need to:
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.
The legitimate interests can be your own interests (controllers) or the interests of third parties (processors). They can include commercial interests (marketing), individual interests (risk assessments) or broader societal benefits. The processing must be necessary: if you can reasonably achieve the same result in another, less intrusive way, legitimate interests will not apply. You must balance your interests against the individual’s: if they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests. Conducting such assessments for accountability purposes is now easier than ever, for example with TrustArc’s Legitimate Interests Assessment (LIA) and Balancing Test, which identifies the benefits and risks of data processing, assigns numerical values to both sides of the scale, and uses conditional logic and back-end calculations to generate a full report on the use of legitimate interests at the business process level.
What are the benefits of choosing legitimate interest processing?
Because this basis is particularly flexible, it may be applicable in a wide range of different situations, such as data science applications. It can also give you more ongoing control over your long-term processing than consent, which an individual could withdraw at any time. Remember, though, that you still have to manage marketing opt-outs independently of whatever legal basis you are using to store and process customer data.
It also promotes a risk-based approach to data compliance, as you need to think about the impact of your processing on individuals, which can help you identify risks and take appropriate safeguards. This can also support your obligation to ensure “data protection by design” by performing risk assessments for re-identification and demonstrating the privacy controls applied to balance privacy against the demand for retaining the analytical value of the data in data science environments. This in turn contributes towards demonstrating your PIAs (Privacy Impact Assessments), which form part of your DPIA (Data Protection Impact Assessment) requirements and obligations.
LIP as a legal basis, if implemented correctly and supported by the correct organisational and technical controls, also provides the platform to support data collaboration and data sharing. However, you may need to demonstrate that the data has been sufficiently de-identified, including by showing that the risk assessments for re-identification are performed not just on direct identifiers but also on all indirect identifiers as well.
Using LIP as a legal basis for processing may help you avoid bombarding people with unnecessary and unwelcome consent requests and can help avoid “consent fatigue.” It can also, if done properly, be an effective way of protecting the individual’s interests, especially when combined with clear privacy information and an upfront and continuing right to object to such processing. Lastly, using LIP not only gives you a legal framework for performing data science, it also provides a platform that demonstrates the proper and ethical use of customer data, a topic and business objective for most boards of directors.
About the Authors
Darren Abernethy is Senior Counsel at TrustArc in San Francisco. Darren provides product and legal advice for the company’s portfolio of consent, advertising, marketing and consumer-facing technology solutions, and concentrates on CCPA, GDPR, cross-border data transfers, digital ad tech and EMEA data protection matters.
Ravi Pather of CryptoNumerics has been working for the last 15 years helping large enterprises address various data compliance regimes such as GDPR, PIPEDA, HIPAA, PCI DSS, data residency, data privacy and, more recently, CCPA compliance. He has a good working knowledge of assisting large and global companies in implementing privacy compliance controls, particularly as they relate to more complex secondary purpose processing of customer data in data lake and warehouse environments.
On October 1st, in the much anticipated Planet49 case, the Court of Justice of the European Union (ECJ) affirmed an earlier opinion set forth by the Advocate-General that utilizing pre-ticked boxes to obtain consent for website cookies does not represent valid consent because it does not show affirmative, unambiguous action on the part of the data subject. The Court decided this with reference to the GDPR, the ePrivacy Directive and the GDPR’s predecessor, the Data Protection Directive, which was in force at the time of the matter at issue.
The case, referred to the ECJ by the highest court in Germany, involved an online gaming company that offered website visitors the opportunity, after providing basic contact information, to enter an online lottery. To do so, visitors were shown two checkboxes: (1) an unticked box requesting the individual to agree to receive third party marketing messages, and (2) a pre-ticked box requesting the user to consent to the placement on their browser of advertising cookies. To enter the lottery, the third party marketing checkbox had to be affirmatively ticked, whereas the advertising cookie checkbox did not have to be ticked, but had to be manually un-selected by the visitor in order to refuse her consent to such cookies.
The Court analyzed Article 5(3) of the EU’s ePrivacy Directive, which requires that users have given a GDPR-level of data subject consent prior to the storage and accessing of cookies on web browsers and other devices. This is separate from the requirement to then have a lawful basis for processing any personal data derived from those cookies, as is required by Article 6 of the GDPR. The ECJ found that because ePrivacy requires that a user must have “given his or her consent” for the storage or collection of cookies, this weighs in favor of a literal interpretation such that “action is required on the part of the user in order to give his or her consent.”
Other takeaways from the case include the ECJ confirming that the ePrivacy Directive’s consent requirements with respect to the storing or accessing of “information” apply irrespective of whether the information involved amounts to “personal data” as defined by the GDPR, and the finding that for consent to be valid, website operators must transparently indicate the life span of each cookie and whether any third parties will have access to them.
Questions left unanswered by the decision include a formal opinion on the legality of so-called “cookie walls” that require consent to third party cookies as a pre-condition to general access to a website, and an opinion as to whether a data subject can be required to consent to the processing of personal data for advertising purposes in order to participate in the promotional lottery. The latter question, which the ECJ was not asked to rule on, could by extension have implications for online ad-funded content.
This case serves as a reminder that for consent to cookies to be valid in the EU, the data subject’s consent at issue must be active, rather than passive; unambiguous and not implied, as would be the case by requiring individuals to be aware enough to un-tick a pre-ticked box; and specific, rather than bundled with other terms. For a summary of the case, see here.
TrustArc’s best-in-class Cookie Consent Manager helps organizations of all industries and sizes satisfy their cookie compliance goals via its support for “zero-cookie” load experiences. Through the integration of your organization’s tag management system, or the use of our Consent Manager API, the placement of cookies or the firing of tags or trackers can be withheld until after a user affirmatively opts-in using the Consent Manager. For more information, reach out to your Technical Account Manager or contact TrustArc today.
The GDPR, Brazil LGPD, Thailand PDPA, and many other privacy regulations around the globe require that organizations determine the legal basis for processing individuals’ data (customers, employees, etc.) as part of their business operations. For example, Article 6 of the GDPR states that processing shall be lawful only if at least one of the following applies: data subject consent has been obtained; processing is necessary for performance of a contract; processing is necessary for compliance with a legal obligation, to protect someone’s life or to perform a task in the public interest; or the processing is necessary for your legitimate interests.
Legitimate interests is a preferred approach for many organizations because of its flexibility and its applicability to any reasonable processing purpose. In contrast, other legal bases of processing, such as demonstrable consent, center around a specific purpose the individual agreed to. Under what circumstances can you use legitimate interests as your basis of processing? Here are the four boxes you must have checked in order to leverage legitimate interests.
Box 1. The processing is not required by law but is of a clear benefit to you or others. For example, an online retailer can promote a pair of sunglasses to someone browsing from an area where it’s the high summer season. Alternatively, an online store might use a visitor’s location data to offer a limited time free shipping offer to the visitor’s area.
Box 2. There’s a limited privacy impact on the individual. For example, most websites collect their visitors’ browsing data to optimize performance for the user. Most often, this aligns well with the Legitimate Interests provision. Collecting this data doesn’t pose a threat as long as it is anonymized.
Box 3. The individual should reasonably expect you to use their data in that way. For example, some businesses will want to send communications via email or SMS to remind clients of upcoming appointments. While it always needs explicit consent, most individuals expect their data to be used in this way.
Box 4. You cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing. For example, the use of second-party and third-party data can provide insights about the demographics of customers. This data can be used to identify target segments with personalized content. When processing this data, you may not want to have to give full control over to the individual when it will result in messages that they will ultimately want to receive, as it is likely relevant to who they are as a person or professional.
Checking off each of these boxes is the single most complex aspect of leveraging legitimate interests as your basis for processing data. Conducting a legitimate interests assessment is challenging because the logic for determining whether the significance of the benefits outweighs the risk to individuals is complex.
If the benefits outweigh the risks, then the organization may use legitimate interests as its basis for processing data. The challenging part is that companies must quantify each side of the scale within subcategories of benefits and risks. Privacy leaders could spend hours creating a spreadsheet to perform a balancing test for each business process for which the company wants to establish legitimate interests as its basis for processing. Multiplied by the total number of business processes a company has, the number of balancing tests to create could quickly reach dozens or hundreds across the organization.
The balancing test can be completely automated. Learn more about how you can save time, respond to business needs faster, and generate an audit trail for legitimate interests with the TrustArc Platform. Learn about TrustArc’s Legitimate Interests Assessment and Balancing Test.
TrustArc is proud to present the next Privacy Insight Series webinar “GDPR Compliance: Convince Customers, Partners, and The Board You Are Compliant!” with TrustArc General Counsel & Chief Data Governance Officer Hilary Wandall and Centre for Information Policy Leadership at Hunton & Williams LLP President Bojana Bellamy.
This webinar will take place on Wednesday, June 19th at 9am PT / 12pm ET / 5pm GMT. Don’t miss this opportunity to learn more about GDPR compliance – register today!
Many companies have invested significant time and resources trying to design and implement GDPR compliance programs. Internally, they may have generated hundreds or thousands of pages of project plans, policies, processes and reports – including records of processing, DPIA reports and much more. But how can you demonstrate to internal stakeholders, clients and partners that you have a comprehensive program and that your processes and products are GDPR-compliant?
This webinar will provide these key takeaways:
- The current state of an official GDPR certification and codes of conduct
- Case studies of how companies are demonstrating compliance
- The benefits of an external third party GDPR validation
Can’t make it? Register anyway – we’ll automatically send you an email with both the slides and recording after the webinar.
TrustArc publishes a broad range of privacy educational resources, including research reports, benchmark statistics, solutions briefs, product updates, webinars, workshops and much more. Check out the following resources on hot topics including CCPA, GDPR, Vendor Risk Management, DSAR Best Practices, Cookie Consent, and much more. Register for the free TrustArc Privacy Insight Series subscription and find out why over 20,000 privacy professionals per year take advantage of TrustArc privacy education resources.
The number and complexity of regulations addressing data privacy continues to increase significantly. Companies offering cloud-based services must comply with these regulations or risk losing business due to customer trust issues and/or potential fines and other legal action. Compliance with regulations like the GDPR and CCPA requires companies to address a wide range of items, including privacy assessments, cookie consent, and data subject access requests.
The digitization of data has inevitably led to a myriad of data privacy laws that span the globe. These regulations all need to be considered when doing business in the respective countries/regions to which the rules apply. Below is just a sampling of data privacy regulations that have been introduced in recent years:
- The General Data Protection Regulation (GDPR), which took effect in 2018 across the European Economic Area (EEA)
- All 50 U.S. states now have data breach notification laws
- The California Consumer Privacy Act (CCPA) has been passed, and at least five (5) other U.S. state laws related to data security and data disposal, including in Washington State, New York and Rhode Island, are progressing through the legislative process
- The Brazil General Data Protection Law (LGPD)
- Canadian data breach notification, risk assessment and reporting requirements updates
- The Turkey Data Protection Law
Cloud-based services are in a unique position in that they may play a dual role when it comes to data privacy management. These services may determine how personal data is processed, and they also may perform the actual processing of that data. Cloud-based services may be both:
- Data Controllers – Determining the purposes and means of processing personal data and
- Data Processors – Processing personal data on behalf of a data controller.
This potential dual responsibility requires providers of cloud-based solutions to pay special attention to data privacy, both in terms of establishing trust among themselves, their customers and end users, and in terms of regulatory compliance with current and future data privacy laws.
Read the TrustArc Solutions Brief “Managing Privacy Compliance in the Cloud” to learn more about:
- Privacy compliance requirements for cloud companies.
- Establishing and maintaining trust as a cloud-based service.
- Guidance on how to achieve privacy compliance with regulations such as GDPR and CCPA.
- TrustArc solutions to help you achieve compliance and establish trust.
- And much more!
TrustArc offers a broad range of solutions to help companies build and manage a privacy program. The solutions include the TrustArc platform, consulting services and certification / validation programs that can be tailored to meet your business needs. To learn more, download “Managing Privacy Compliance in the Cloud.”