On January 12, 2022, the French data protection authority, Commission nationale de l’informatique et des libertés, issued guidance on the reuse of personal data by processors for their own purposes under the EU General Data Protection Regulation. The guidance addresses one of the most common — and hotly contested — aspects of privacy negotiations between commercial parties: Namely, when can a processor use personal data it obtains from a controller for purposes broader than just strictly providing services to the controller? For example, may a processor use the data to improve its products or services or train its artificial intelligence and machine learning algorithms?
While the CNIL answers the question in the affirmative, it sets forth highly restrictive conditions, which some controllers and processors may find exceed their current practices.
This issue has gained attention in recent years as processors are increasingly finding benefits from the reuse of their customers’ data. For example, software providers often need to analyze how customers use their service so they can improve, develop and personalize their products and services to keep pace with competitors. Indeed, controllers may even expect their processors to use data to keep their products and services secure and prevent any fraudulent activity. As AI-enabled software becomes commonplace, service providers may need their customers’ personal data to power the development of their machine learning models. And while such improvements may benefit a processor’s customers generally, they do not always benefit the same customer whose data were used in any specific instance. In 2020 we discovered that during a global health crisis, data aggregated across customers can reveal insights that serve public health or scientific research purposes.
The CNIL’s guidance makes clear that processors can reuse personal data for their own purposes, but only under strict conditions, namely, where (a) the original controller grants explicit permission, and (b) the new purpose is “compatible” with the original purpose for processing. This requires processors to clearly specify how and why personal data will be reused and to ensure that their customer agreements grant sufficient permission. And controllers must evaluate whether their processors’ new purposes are “compatible” with the initial processing purposes. The CNIL emphasizes that if the compatibility test is not satisfied, a controller must refuse to authorize the reuse of the data; whereas if the test is satisfied, the controller is free to agree or not.
Importantly, the CNIL states a controller’s authorization for any repurposing of data by its processor must be provided on a case-by-case basis, taking into account the specific purposes and characteristics of the data concerned, and that blanket authorization in the agreement will not suffice. This appears to contradict standard market practice where the parties set the parameters of processing in the data processing agreement rather than keeping controllers continuously involved in their processors’ operations.
In its guidance, the CNIL provides a useful example: It states that “in a case where a processor wants to reuse data for the purpose of improving its cloud computing services, such reuse could be considered compatible with the initial processing, subject to appropriate guarantees such as the anonymization of the data if this identifying data is not necessary.” However, the CNIL clarifies that the processor’s reuse of data for marketing purposes would strain to pass the “compatibility test.”
It’s also important to note that under Article 6(4) of the GDPR, which the CNIL references in its guidance, a controller may conduct compatibility analysis only where the initial processing was grounded in a legal basis other than consent. Therefore, in the case of consent-based processing, the processor would apparently need to secure data subject consent to any new purposes.
In addition, the CNIL guidance clarifies that once it processes data for its own purposes, a processor becomes a controller in its own right and must comply with the more onerous requirements the GDPR places on controllers. In particular, processors will need to identify a legal basis for the processing and work through how they will provide notice to data subjects, which may require cooperation with the relevant controller.
Background
The reuse of personal data an organization receives as a “processor” under the GDPR for the processor’s own purposes sits uneasily with the binary controller-processor framework under the GDPR.
The GDPR limits processors to use personal data only on behalf of the relevant controller and in accordance with the controller’s documented instructions, except as otherwise required by applicable EU or member state law. Processors accept this limit in exchange for important exemptions from many of the GDPR’s core obligations, such as requirements to provide notice to data subjects and to identify a legal basis for the processing.
Where a processor merely uses the controller’s personal data to serve the controller’s purposes, there is no issue. However, organizations that reuse personal data for independent purposes run straight into key areas of GDPR uncertainty.
The GDPR specifies that processors that exceed the instructions of the controller become controllers in their own right. But that provision, Article 28(10), also says that a processor “infringes this Regulation by determining the purposes and means of processing” – i.e. by becoming a controller.
The GDPR position notably contrasts with the California Consumer Privacy Act concept of a “service provider” on this issue. Specifically, the CCPA recognizes that service providers may aggregate data across “businesses” for various purposes, including for the service provider’s internal use to build or improve the quality of its services and to prevent and detect security incidents and fraud.
The guidance
The CNIL guidance makes clear that processors can reuse personal data for their own purposes but only under strict terms. To do so, both the original controller and the processor that wishes to reuse the data must meet several conditions.
First, in order to reuse personal data for a different purpose than what was instructed by the controller, the processor must obtain the original controller’s written permission. Second, because a processor’s use of personal data for its own purposes constitutes “further processing,” it must meet a compatibility test. Thus, before the original controller grants authorization, it must evaluate the link between the original purpose for processing and the new purpose pursued by the processor, as well as the nature of the personal data, the possible consequences for data subjects, the existence of appropriate safeguards, and other factors specified in Article 6(4). Privacy pros may wish to revisit their old, worn copies of the Article 29 Working Party’s opinion on purpose limitation from 2013.
Third, the CNIL guidance states the original controller will bear responsibility for informing data subjects of the new processing purposes. In addition, if data subjects will have the right to object to the processing, the original controller must inform data subjects of this possibility. It remains to be seen whether a controller’s general description of data subject rights within its privacy notice will meet this requirement. In other contexts, the European Data Protection Board has emphasized that the right to object must be brought clearly and explicitly to the data subject’s attention. If the processor has the ability to communicate with data subjects directly, however, the CNIL guidance would allow the original controller to delegate this responsibility to the processor.
Finally, assuming the original controller determines that the reuse of data is compatible and grants written authorization, the processor may proceed in using the data for its own purposes. However, at this point, the processor becomes a controller for these independent purposes and must satisfy the GDPR’s controller obligations with respect to the processing. This means the new controller will need to identify a legal basis for the processing and will need to provide a privacy notice to data subjects, unless an exception applies.
As with the original controller’s notice obligations, the CNIL guidance recognizes that the parties may cooperate in providing the new controller’s notice if the new controller does not have the ability to communicate with data subjects directly.
Conclusion
Although the CNIL’s guidance makes clear that processors may reuse personal data, the strict conditions it places on such reuse exceeds what many in the market are currently doing. Processors may find they need to adjust their agreements to meet the specificity requirements the CNIL articulates; and controllers likely will find that they need to be more involved in decisions about how their processors reuse their data.
* This article first appeared January 13, 2022, on the IAPP Privacy Advisor