COMPLEX PROCESSING What Are the Relevant Legal Bases?
The three legal bases under the GDPR most relevant for the complex processing of EU personal data, for example, in support of advanced analytics, behavioural advertising, marketing, product improvement, profiling, etc., are Consent, Contract and Legitimate Interests processing.
Consent as a legal basis for complex processing of EU personal data is limited because, under the GDPR, the processing must be capable of being described with specificity at the time of data collection. It is not possible to secure legally binding consent for processing activities to occur in the future, which cannot be described with specificity at the time of initial data collection. In addition, requiring consent to desired processing cannot be a condition for receiving a product or service – a data subject must be offered a genuine choice, or their consent is not freely given. If consent is not obtained in full compliance with GDPR requirements, “the data subject’s control becomes illusory and consent will be an invalid basis for processing, rendering the processing activity unlawful.” This makes it nearly impossible to rely on Consent as a lawful basis for complex data analysis, artificial intelligence (AI), machine learning (ML), sharing, combining and enriching.1
The European Data Protection Board (EDPB) has stated that the legal basis of Contract is to be strictly construed to cover only the minimum data processing required to support the performance of a contract. If desired processing is not strictly necessary for the performance of a contract – for example, to support advanced analytics, behavioural advertising, marketing, product improvement, profiling, etc. – then Contract is not available as a legal basis for processing.2
Legitimate Interests Processing
The Legitimate Interests legal basis reflects the GDPR’s risk-based approach enabling the processing of personal data when it does not result in a risk of harm to data subjects. It is not enough to assert a legitimate interest in the results of the processing, and the legal basis “cannot be equated to the interest of companies to make a profit from personal data.”3
The EDPB notes that the Legitimate Interests legal basis4 requires a controller to satisfy three conditions:5
1. Legitimate Interest: the identification and qualification of a legitimate interest pursued by the controller or by a third party. This interest of the controller or third party may be broader than the purpose of the processing but must be present at the processing date.6
2. Necessity: the need to process the personal data must be established as a requirement for the legitimate interest pursued.7
3. Balancing of Interests: the legitimate interest of the controller or third party must be balanced against the interests or fundamental rights and freedoms of the data subject, including the data subject's rights to data protection and privacy, considering the particular circumstances of the processing.8
COMPLEX PROCESSING What are the Benefits of Legitimate Interests Processing
The benefits of processing personal data using compliant Legitimate Interests processing as a legal basis under the GDPR include:
- Under Article 17(1)(c), if a data controller shows they “have overriding legitimate grounds for processing” supported by technical and organizational measures to satisfy the balancing of interest test, they have greater flexibility in complying with Right to be Forgotten requests.
- Under Article 18(1)(d), a data controller has flexibility in complying with claims to restrict the processing of personal data if they can show they have technical and organizational measures in place so that the rights of the data controller properly override those of the data subject because the rights of the data subjects are protected.
- Under Article 20(1), data controllers using Legitimate Interest processing are not subject to the right of portability, which applies only to consent-based processing.
- Under Article 21(1), a data controller using Legitimate Interest processing may be able to show they have adequate technical and organizational measures in place so that the rights of the data controller properly override those of the data subject because the rights of the data subjects are protected; however, data subjects always have the right under Article 21(3) to not receive direct marketing outreach as a result of such processing.
Use cases with major international organizations and outside experts9 confirm that 100% of the precision of analytical value is lawfully retained using Legitimate Interests processing enabled by Anonos Data Embassy software for:
- Training AI and ML algorithms; and
- Sharing and combining protected datasets.
ANONOS DATA EMBASSY SOFTWARE Variant Twins Enable Legitimate Interests Processing
Anonos Data Embassy software uses state-of-the-art GDPR compliant Pseudonymisation-enabled Variant Twins® to create privacy-respectful versions of both direct identifiers (e.g. passport number, credit card numbers) and indirect identifiers (e.g. date of birth, zip code, gender) to enable lawful complex processing of EU personal data.
Variant Twin data element level controls support GDPR Pseudonymisation to satisfy the Balancing of Interest test required for lawful Legitimate Interests processing under the GDPR. With Anonos Variant Twins, the protection is embedded into the data in such a way that the benefits of combining ever-increasing sources of data remain, enabling correlations and discoveries to be realised, but in a privacy respectful lawful manner.
Anonos Variant Twin technology makes it possible to generate GDPR Pseudonymous data using dynamism and to measure the risk of re-identification, reconciling the tension between data innovation and increasingly stringent requirements for ethical and lawful processing. Anonos leverages patented dynamism to transform direct and indirect identifiers, based on who is using the data and for what purposes while retaining and controlling the linkability of the data to re-identify data subjects for authorized uses only.
Anonos Variant Twin technology creates sustainable data assets that:
- Preserve the full utility of original source data
- Deliver the desired resistance to re-identification of “anonymisation”
  - For “locally anonymous” internal use
  - For “universally anonymous” data sharing and combining
- Retain the ethical and lawful control over re-linkability of GDPR compliant Pseudonymised data
1 See EDPB Guidelines 5/2020 at https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf
2 See EDPB Guidelines 2/2019 at https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines-art_6-1-b-adopted_after_public_consultation_en.pdf
3 As made clear in the case filed by Privacy International against Acxiom and Oracle (data brokers), Equifax and Experian (credit reference agencies), and Criteo, Quantcast and Tapad (ad-tech companies) with data protection authorities in France, Ireland, and the UK. See https://privacyinternational.org/advocacy/2434/why-weve-filed-complaints-against-companies-most-people-have-never-heard-and-what
4 See Article 29 Working Party Opinion on the notion of legitimate interest of the data controller under Article 7 of Directive 95/46/EC, currently under revision by the EDPB (see the EDPB Work program 2021/2022 adopted on the 16 March 2021)
5 See EDPB Recommendations 02/2021 on page 3 at https://edpb.europa.eu/system/files/2021-05/recommendations022021_on_storage_of_credit_card_data_en_1.pdf citing CJEU judgement of 4 May 2017, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’, Case C-13/16, ECLI:EU:C:2017:336, point 28.
6 Supra, Note 5, citing CJEU judgement of 11 December 2019, TK v Asociaţia de Proprietari bloc M5A-ScaraA, Case C-708/18, ECLI:EU:C:2019:1064, point 44.
7 Supra, Note 5.
8 Supra, Note 5, citing CJEU judgement of 24 November 2011, Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) and Federación de Comercio Electrónico y Marketing Directo (FECEMD) v Administración del Estado, Cases C-468/10 and C-469/10, ECLI:EU:C:2011:777, points 47 and 48; CJEU judgement of 19 October 2016, Patrick Breyer v Bundesrepublik Deutschland, Case C-582/14, ECLI:EU:C:2016:779, point 62.