Common use of Contractual Necessity Clause in Contracts

Contractual Necessity. Generally, consent is not the only legal basis for digital service providers to process consumer data. Article 6 (1) (b) GDPR allows the processing of personal data when this is “necessary for the performance of a contract”.1287 This provision considers that sometimes contracts cannot be performed, and services cannot be provided if the consumer does not provide personal data.1288 This is when a consumer pays with a credit card for a product available on an online marketplace and requests its delivery to their home address.1289 In this case, Article (6)(1)(b) GDPR allows the online marketplace to process the consumer’s card details and address based on this clause.1290 On May 25, 2018, when the GDPR came into force with strengthened requirements for consent, Meta updated its terms and conditions, stating that it processed the consumer personal data under Article 6(1)(b) GDPR because such data was necessary to perform “core service” of Meta’s platforms (Facebook, Instagram), now framed as “personalized experience”, including personalized advertisement.1291 On the same day, Noyb, a digital rights organization that can be said to act as the “private prosecutor” for enforcing the GDPR,1292 filed a complaint with the Austrian DPA.1293 ▇▇▇▇ argued that ▇▇▇▇ attempted to bypass the GDPR’s strict consent requirements and engaged in illegitimate OBA.1294 As Meta’s EU head office is located in Ireland, the Austrian DPA transferred the case to the Irish DPA.1295 1286 See Digital Content Directive, supra note 940, rec. 24. 1287 General Data Protection Regulation, supra note 44 at art 6(1)(b). 1288 EUROPEAN DATA PROTECTION BOARD, Guidelines 2/2019 on the Processing of Personal Data under Article 6(1)(b) GDPR in the Context of the Provision of Online Services to Data Subjects, 2 (2019). 1289 Id. at 35. 1290 Id. 1291 See BREAKING: Meta Prohibited from Use of Personal Data for Advertising, NOYB (2023), ▇▇▇▇▇://▇▇▇▇.▇▇/en/breaking-meta-prohibited-use-personal-data-advertising (last visited May 2, 2023). 1292 Noyb stands for “none-of-your-business”. Full name of this organization is European Center for Digital Rights. See CPDPConferences, supra note 945. 1293 See noyb, ▇▇▇▇.▇▇ Filed Complaints over “Forced Consent” against Google, Instagram, WhatsApp and Facebook, NOYB (2023), ▇▇▇▇▇://▇▇▇▇.▇▇/en/noybeu-filed-complaints-over-forced- consent-against-google-instagram-whatsapp-and-facebook (last visited May 2, 2023). 1294 See Id. 1295 Decision of the Data Protection Commission made pursuant to Section 113 of the Data Protection Act, 2018 and Articles 60 and 65 of the General Data Protection Regulation, (Dec. 31, 2022) (Ir.), 49. In 2014, the EDPB already argued that contractual necessity was not a suitable legal ground for OBA within the context of the 1995 Data Protection Directive that preceded the GDPR.1296 In 2019, the EDPB reiterated that digital service providers could not rely on Article 6(1)(b) GDPR as the legal basis for OBA.1297 However, in 2021, the Irish DPA published a draft decision suggesting that ▇▇▇▇ relied on valid legal grounds. The reasoning of Irish DPA supported the argument that if ▇▇▇ was Meta’s core service to consumers, then processing personal data for OBA was, indeed, necessary. Irish DPA avoided evaluating the validity of tha claim that OBA constituted Meta’s sprimary service to consumers, pointing to the competence of the contract law, and outside of the competence of the DPA. After several EU DPAs objected to the draft decision, the Irish DPA referred the case to the EDPB, which in July 2022 issued binding decisions that clarified that Meta when serving Facebook provided social networking service could not rely on the contractual necessity clause as the legal basis for processing personal data for OBA.1298 The EDPB argued that OBA involves processing an open-ended amount of consumer personal data and cannot be “strictly necessary” for the contract, even if the subject of the contract is personalization (including personalized advertising).1299 The EDPB explained that while it may be less profitable, Meta could personalize advertisements based on limited consumer data, such as what consumers disclose when they sign up (e.g., age, gender, and country of residence).1300 The EDPB further states that accepting contractual necessity as a valid legal basis for OBA would make lawful “theoretically any collection and reuse of personal data”.1301 In accordance with the EDPB’s binding decision, on 31 December 2022, the Irish DPA issued a €390 million fine to Meta, banned the company for engaging in OBA on the basis of Article 6(1)(b) GDPR, and gave the company three months to bring their OBA practices in compliance to the GDPR.1302 In response to this decision, Meta updated its terms and conditions, and since April 5, 2023, it has continued to process personal data for OBA based on their claimed “legitimate 1296 ARTICLE 29 DATA PROTECTION WORKING PARTY, Opinion 06/2014 on the Notion of 1297 See EUROPEAN DATA PROTECTION BOARD, supra note 1288 at 51–56. 1298 See generally Binding Decision 2/2022 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Meta Platforms Ireland Limited (Instagram) under Article 65(1)(a) GDPR, European Data Protection Board (Jul. 28, 2022). 1299 Data Protection Commission (Ir.) (Dec. 31, 2022), supra note 1295, 49. 1300 European Data Protection Board (Jul. 28, 2022), supra note 1297, 132. 1301 Id. 1302 Data Protection Commission (Ir.) (Dec. 31, 2022), supra note 1295, 113. interest” under Article 6(1)(f) GDPR.1303 Section 6.3.3 analyzes the validity of relying on legitimate interest for ▇▇▇.

Contractual Necessity. Generally, consent is not the only legal basis for digital service providers to process consumer data. Article 6 (1) (b) GDPR allows the processing of personal data when this is “necessary for the performance of a contract”.1287 This provision considers that sometimes contracts cannot be performed, and services cannot be provided if the consumer does not provide personal data.1288 This is when a consumer pays with a credit card for a product available on an online marketplace and requests its delivery to their home address.1289 In this case, Article (6)(1)(b) GDPR allows the online marketplace to process the consumer’s card details and address based on this clause.1290 On May 25, 2018, when the GDPR came into force with strengthened requirements for consent, Meta updated its terms and conditions, stating that it processed the consumer personal data under Article 6(1)(b) GDPR because such data was necessary to perform “core service” of Meta’s platforms (Facebook, Instagram), now framed as “personalized experience”, including personalized advertisement.1291 On the same day, Noyb, a digital rights organization that can be said to act as the “private prosecutor” for enforcing the GDPR,1292 filed a complaint with the Austrian DPA.1293 ▇▇▇▇ argued that ▇▇▇▇ attempted to bypass the GDPR’s strict consent requirements and engaged in illegitimate OBA.1294 As Meta’s EU head office is located in Ireland, the Austrian DPA transferred the case to the Irish DPA.1295 1286 See Digital Content Directive, supra note 940, rec. 24. 1287 General Data Protection Regulation, supra note 44 at art 6(1)(b). 1288 EUROPEAN DATA PROTECTION BOARD, Guidelines 2/2019 on the Processing of Personal Data under Article 6(1)(b) GDPR in the Context of the Provision of Online Services to Data Subjects, 2 (2019). 1289 Id. at 35. 1290 Id. 1291 See BREAKING: Meta Prohibited from Use of Personal Data for Advertising, NOYB (2023), ▇▇▇▇▇://▇▇▇▇.▇▇/en/breaking-meta-prohibited-use-personal-data-advertising (last visited May 2, 2023). 1292 Noyb stands for “none-of-your-business”. Full name of this organization is European Center for Digital Rights. See CPDPConferences, supra note 945. 1293 See noyb, ▇▇▇▇.▇▇ Filed Complaints over “Forced Consent” against Google, Instagram, WhatsApp and Facebook, NOYB (2023), ▇▇▇▇▇://▇▇▇▇.▇▇/en/noybeu-filed-complaints-over-forced- consent-against-google-instagram-whatsapp-and-facebook (last visited May 2, 2023). 1294 See Id. 1295 Decision of the Data Protection Commission made pursuant to Section 113 of the Data Protection Act, 2018 and Articles 60 and 65 of the General Data Protection Regulation, (Dec. 31, 2022) (Ir.), 49. In 2014, the EDPB already argued that contractual necessity was not a suitable legal ground for OBA within the context of the 1995 Data Protection Directive that preceded the GDPR.1296 In 2019, the EDPB reiterated that digital service providers could not rely on Article 6(1)(b) GDPR as the legal basis for OBA.1297 However, in 2021, the Irish DPA published a draft decision suggesting that ▇▇▇▇ Meta relied on valid legal grounds. The reasoning of Irish DPA supported the argument that if ▇▇▇ was Meta’s core service to consumers, then processing personal data for OBA was, indeed, necessary. Irish DPA avoided evaluating the validity of tha claim that OBA constituted Meta’s sprimary service to consumers, pointing to the competence of the contract law, and outside of the competence of the DPA. After several EU DPAs objected to the draft decision, the Irish DPA referred the case to the EDPB, which in July 2022 issued binding decisions that clarified that Meta when serving Facebook provided social networking service could not rely on the contractual necessity clause as the legal basis for processing personal data for OBA.1298 The EDPB argued that OBA involves processing an open-ended amount of consumer personal data and cannot be “strictly necessary” for the contract, even if the subject of the contract is personalization (including personalized advertising).1299 The EDPB explained that while it may be less profitable, Meta could personalize advertisements based on limited consumer data, such as what consumers disclose when they sign up (e.g., age, gender, and country of residence).1300 The EDPB further states that accepting contractual necessity as a valid legal basis for OBA would make lawful “theoretically any collection and reuse of personal data”.1301 In accordance with the EDPB’s binding decision, on 31 December 2022, the Irish DPA issued a €390 million fine to Meta, banned the company for engaging in OBA on the basis of Article 6(1)(b) GDPR, and gave the company three months to bring their OBA practices in compliance to the GDPR.1302 In response to this decision, Meta updated its terms and conditions, and since April 5, 2023, it has continued to process personal data for OBA based on their claimed “legitimate 1296 ARTICLE 29 DATA PROTECTION WORKING PARTY, Opinion 06/2014 on the Notion of 1297 See EUROPEAN DATA PROTECTION BOARD, supra note 1288 at 51–56. 1298 See generally Binding Decision 2/2022 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Meta Platforms Ireland Limited (Instagram) under Article 65(1)(a) GDPR, European Data Protection Board (Jul. 28, 2022). 1299 Data Protection Commission (Ir.) (Dec. 31, 2022), supra note 1295, 49. 1300 European Data Protection Board (Jul. 28, 2022), supra note 1297, 132. 1301 Id. 1302 Data Protection Commission (Ir.) (Dec. 31, 2022), supra note 1295, 113. interest” under Article 6(1)(f) GDPR.1303 Section 6.3.3 analyzes the validity of relying on legitimate interest for ▇▇▇.