Unnecessary Processing is Unlawful
EU law principles of necessity and proportionality profoundly impact GDPR lawfulness of processing.
DPC guidance on selecting a legal basis for processing
The following slightly paraphrased extract from the Data Protection Commission (DPC) guidance on selecting a legal basis for processing[1] describes the importance of necessity when defining the purpose for processing and selecting a legal basis.
As evident from the text of Article 6 GDPR, every legal basis except ‘consent’ only provides a justification for processing where it is ‘necessary’ for a particular purpose; for example, where it is “necessary for the performance of a contract”, or “necessary in order to protect […] vital interests”. Exactly what processing is necessary to achieve a given purpose will vary from case to case and will depend on the exact circumstances. In line with the principle of purpose limitation, controllers need to limit their processing to that which is needed for an explicit purpose. These and other basic rules and considerations need to always be taken into account when controllers are assessing the necessity and lawfulness of their processing activities.
The Article 5 GDPR principle of ‘data minimisation’ also requires that personal data be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. To comply with both the principles of data protection as well as the lawfulness requirements of Article 6, controllers must ensure that any processing they undertake meets the test of necessity.
The concept of necessity has an independent meaning in European Union law, which must be interpreted in a way which reflects the objectives of data protection law[2]. Necessity is generally interpreted strictly by the CJEU given that derogations or limitations on data protection rights are to be interpreted strictly. For example, in the Rīgas case[3], the CJEU stated that “[a]s regards […] the necessity of processing personal data, […] derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary…”.
Necessity entails that processing should be a reasonable and proportionate method of achieving a given goal, taking into account the overarching principle of data minimisation, and that personal data should not be processed where there is a more reasonable and proportionate, and less intrusive way to achieve a goal. In the Schecke case[4], the CJEU held that, when examining the necessity of processing personal data, the controller needed to take into account alternative, less intrusive measures, and any interference with data protection rights arising from the processing in question should be the least restrictive of those rights. In general, to satisfy the necessity test, there ought to be no equally effective available alternative[5].
In light of the above, controllers should make sure that any processing of personal data which they undertake, or propose to undertake, is more than simply convenient for them, or potentially useful, or even just the standard practice which they or their industry have used up to now. Instead, controllers should ensure that each processing operation is necessary as a specific and proportionate way of achieving a transparent stated purpose or goal, which could not reasonably be achieved by some other less intrusive means, or by processing less personal data. Controllers also need to keep in mind that for more intrusive processing, a stronger justification will be required.
In summary, the chosen method of processing must be a targeted and proportionate way to achieve a specific purpose. But the legal basis will not apply if a controller can reasonably achieve the purpose by some other less intrusive means, or by processing less data. It is not enough to argue that processing is necessary because a controller has chosen to operate their business in a particular way. Therefore, the question becomes whether the processing is objectively necessary for the stated purpose, not whether it is a necessary part of the organisation's chosen methods.
Article 6 GDPR lawfulness of processing
When examining whether a controller’s unnecessary processing is lawful, it must be recalled that Article 6(1) GDPR stipulates:
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Impact of unnecessary processing on Article 6(1) lawfulness of processing
As outlined in the DPC guidance, the EU law principles of necessity and proportionality dictate that the mere existence of any equally effective alternative way in which a controller could process information about a person means it is not necessary for the controller to use the way it has chosen to process the person’s information. This is especially so where the alternative available to the controller interferes less severely with the person’s fundamental rights and freedoms, such as those set out in the EU Charter of Fundamental Rights or the European Convention on Human Rights.
In addition, where a controller relies on the Article 6(1)(f) GDPR legal basis of legitimate interests, the controller’s processing will not be necessary if the person did not reasonably expect the controller to process their information in this manner.
Crucially, all of the Article 6(1) GDPR legal bases except consent require that the controller’s “processing is necessary”. It follows that when a controller’s processing is not necessary, all of the Article 6(1)(b) to (f) GDPR legal bases drop away and are no longer available to the controller to enable its processing. This means the controller can only rely on the remaining Article 6(1)(a) GDPR legal basis of consent to process a person’s data.
A controller’s obligation to obtain a person’s consent for its unnecessary processing is obvious when looking at the Article 6(1) GDPR rules for lawful processing.
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Consequently, a controller’s failure to explicitly obtain a person’s freely given informed consent for its unnecessary processing means the controller’s processing will be unlawful in contravention of the Article 6(1) GDPR rules for lawful processing.
Footnotes:
[1] www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data
[2] CJEU, Case C‑524/06, Heinz Huber v Bundesrepublik Deutschland, 18 December 2008, para 52.
[3] CJEU, Case C-13/16 Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas.
[4] CJEU, Joined Cases C-92/09 and C-93/09, Schecke and Eifert v Land Hessen, 9 November 2010, para 86.
[5] CJEU, Joined Cases C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk, para 88.