The three legal bases under the GDPR most relevant for the complex processing of EU personal data, for example, in support of advanced analytics, behavioural advertising, marketing, product improvement, profiling, etc., are Consent, Contract and Legitimate Interests processing.
Consent as a legal basis for complex processing of EU personal data is limited because, under the GDPR, the processing must be capable of being described with specificity at the time of data collection. It is not possible to secure legally binding consent for processing activities to occur in the future, which cannot be described with specificity at the time of initial data collection. In addition, requiring consent to desired processing cannot be a condition for receiving a product or service – a data subject must be offered a genuine choice, or their consent is not freely given. If consent is not obtained in full compliance with GDPR requirements, “the data subject’s control becomes illusory and consent will be an invalid basis for processing, rendering the processing activity unlawful.” This makes it nearly impossible to rely on Consent as a lawful basis for complex data analysis, artificial intelligence (AI), machine learning (ML), sharing, combining and enriching.1
The European Data Protection Board (EDPB) has stated that the legal basis of Contract is to be strictly construed to cover only the minimum data processing required to support the performance of a contract. If desired processing is not strictly necessary for the performance of a contract – for example, to support advanced analytics, behavioural advertising, marketing, product improvement, profiling, etc. – then Contract is not available as a legal basis for processing.2
The Legitimate Interests legal basis reflects the GDPR’s risk-based approach, enabling the processing of personal data when it does not result in a risk of harm to data subjects. It is not enough to assert a legitimate interest in the results of the processing, and the legal basis “cannot be equated to the interest of companies to make a profit from personal data.”3
1. Legitimate Interest: the identification and qualification of a legitimate interest pursued by the controller or by a third party. This interest of the controller or third party may be broader than the purpose of the processing but must be present at the processing date.6
2. Necessity: the need to process the personal data must be established as a requirement for the legitimate interest pursued.7
3. Balancing of Interests: the legitimate interest of the controller or third party must be balanced against the interests or fundamental rights and freedoms of the data subject, including the data subject's rights to data protection and privacy, considering the particular circumstances of the processing.8
The benefits of processing personal data using compliant Legitimate Interests processing as a legal basis under the GDPR include:
Use cases with major international organizations and outside experts9 confirm that 100% of the precision of analytical value is lawfully retained using Legitimate Interests processing enabled by Anonos Data Embassy software for:
Anonos Data Embassy software uses state-of-the-art GDPR compliant Pseudonymisation-enabled Variant Twins® to create privacy-respectful versions of both direct identifiers (e.g. passport number, credit card numbers) and indirect identifiers (e.g. date of birth, zip code, gender) to enable lawful complex processing of EU personal data.
Variant Twin data element level controls support GDPR Pseudonymisation to satisfy the Balancing of Interests test required for lawful Legitimate Interests processing under the GDPR. With Anonos Variant Twins, the protection is embedded into the data in such a way that the benefits of combining ever-increasing sources of data remain, enabling correlations and discoveries to be realised, but in a privacy-respectful, lawful manner.
Anonos Variant Twin technology makes it possible to generate GDPR Pseudonymous data using dynamism and to measure the risk of re-identification, reconciling the tension between data innovation and increasingly stringent requirements for ethical and lawful processing. Anonos leverages patented dynamism to transform direct and indirect identifiers, based on who is using the data and for what purposes, while retaining and controlling the linkability of the data to re-identify data subjects for authorized uses only.
Anonos Variant Twin technology creates sustainable data assets that:
1 See EDPB Guidelines 5/2020 at https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf
2 See EDPB Guidelines 2/2019 at https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf
3 As made clear in the case filed by Privacy International against Acxiom and Oracle (data brokers), Equifax and Experian (credit reference agencies), and Criteo, Quantcast and Tapad (ad-tech companies) with data protection authorities in France, Ireland, and the UK. See https://privacyinternational.org/advocacy/2434/why-weve-filed-complaints-against-companies-most-people-have-never-heard-and-what
4 See Article 29 Working Party Opinion on the notion of legitimate interest of the data controller under Article 7 of Directive 95/46/EC, currently under revision by the EDPB (see the EDPB Work program 2021/2022 adopted on 16 March 2021).
5 See EDPB Recommendations 02/2021 on page 3 at https://edpb.europa.eu/system/files/2021-05/recommendations022021_on_storage_of_credit_card_data_en_1.pdf citing CJEU judgement of 4 May 2017, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’, Case C-13/16, ECLI:EU:C:2017:336, point 28.
6 Supra, Note 5, citing CJEU judgement of 11 December 2019, TK v Asociaţia de Proprietari bloc M5A-ScaraA, Case C-708/18, ECLI:EU:C:2019:1064, point 44.
8 Supra, Note 5, citing CJEU judgement of 24 November 2011, Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) and Federación de Comercio Electrónico y Marketing Directo (FECEMD) v Administración del Estado, Cases C-468/10 and C-469/10, ECLI:EU:C:2011:777, points 47 and 48; CJEU judgement of 19 October 2016, Patrick Breyer v Bundesrepublik Deutschland, Case C-582/14, ECLI:EU:C:2016:779, point 62.