Multiple GDPR lawful bases per purpose

There’s currently a lot of argument about whether it’s legitimate to assign more than one lawful basis for processing to a given processing purpose. A high proportion of the privacy notices we have examined since May 2018 do so. However, as long ago as November 2017 the Article 29 Working Party (now the European Data Protection Board) stated categorically in Guidelines on Consent under Regulation 2016/679:

Article 6 sets the conditions for a lawful personal data processing and describes six lawful bases on which a controller can rely. The application of one of these six bases must be established prior to the processing and in relation to a specific purpose. As a general rule, a processing activity for one specific purpose cannot be based on multiple lawful bases. Nonetheless, it is possible to rely on more than one lawful basis to legitimise processing if the data is used for several purposes, as each purpose must be connected to a lawful basis. However, the controller must have identified these purposes and their appropriate lawful bases in advance. The lawful basis cannot be modified in the course of processing. Hence, the controller cannot swap between lawful bases.

Several sources of legal opinion have suggested that, despite this unambiguous ruling, the wording of the GDPR admits of multiple concurrently assigned lawful bases for a single purpose. However, although I am not a lawyer, I can clearly see how this might both restrict the exercise of data subject rights and cause problems for data controllers. What is not so clear is what real advantage it might offer a responsible data controller that would outweigh the problems.

So let's look at an extract from a typical ‘Privacy Policy’ to see what the issues are:

Processing Purpose
To manage our relationship with you which will include: (a) Notifying you about changes to our terms; (b) Asking you to leave a review or take a survey; (c) To respond to refund requests and complaints;

Type of data
(a) Identity; (b) Contact; (c) Profile; (d) Preference;

Legal basis for processing including basis of legitimate interest
(a) Performance of a contract with you; (b) Necessary to comply with a legal obligation; (c) Necessary for our legitimate interests (to keep our records updated, to study how customers use our products/services and to respond to you);

The first and most significant issue is the statement of purpose – it’s much too broad, as it explicitly encompasses three quite different purposes from the perspective of the data subject. Probably as a direct consequence of this, three different lawful bases have been specified. However, it’s impossible that all three legal bases apply to each and every one of the three sub-purposes, and it has not been made clear which lawful basis applies to each.

The second issue is that the description of legitimate interests covers a multitude of different purposes, which should be defined as purposes rather than just subsumed under ‘legitimate interests’.

The third issue is that, depending on the context and exactly what the purpose is, profiling and preference monitoring may be subject to consent and can in any case be objected to. But even if legitimate interest might lawfully be relied on for it, unless the specific legitimate interest has been explicitly described and adequately justified, the possible grounds for objection will not be clear to the data subject. The information here is insufficient to assist them to make an informed decision.

OK, so why does this matter? In respect of any purpose, its processing activity and the assigned lawful basis, the data subject may have a differing set of exercisable rights, as they may be precluded from exercising some rights by the context – for example, I can’t exercise the right to be forgotten on the UK tax office. It's thus vitally important to the data subject to be informed about which of their notional rights they can exercise in the case of each specific purpose and processing activity, and to be able to determine whether there is any aspect of the processing they may wish to object to. This is of course where the fallacy of multiple concurrent lawful bases stands out in stark relief.

The clearest demonstration of the problem is in respect of consent (and indeed pretty much all the legal argument so far has been based round it). If I provide my personal data on the basis of consent for a specific purpose, I’m entitled to withdraw my consent at any time, and the data controller must honour that withdrawal of consent by ceasing to process my data for that purpose. If, however, they were entitled to say “You've withdrawn consent, but we now rely on our legitimate interest instead”, the data controller’s reliance on my consent was always only an empty gesture so my right to exercise control over the processing of my personal data (the essence of the GDPR’s raison d’être) has been infringed. And what’s more, I can complain to the ICO about that, which is where the data controller’s problems start to arise. The same would apply in principle to the union of contractual necessity or legal obligation with legitimate interest, so there’s a very good general argument in favour of the Article 29 Working Party’s ruling.

Legitimate interest is not, and was never intended to be, a fall-back option to permit continued processing in the face of challenge by data subjects.

In fact, as clearly stated in the Article 29 Working Party ruling, no lawful basis can be used as a fall-back for any other. Despite this, numerous legal opinions have been published suggesting that you can apply multiple concurrent lawful bases provided you inform the data subject up front. In my (practical) opinion, this simply exacerbates the problem for both the data subject (by creating confusion) and the data controller (by opening the door to challenge).

Ultimately, the purpose of the GDPR is to allow personal data processing while protecting the rights and freedoms of data subjects. So far since May 2018 we have observed that privacy notices are almost universally achieving the opposite, by making it hard for data subjects to establish exactly what processing is taking place and what the justification for it is. A common manifestation of this is assigning multiple lawful bases to excessively loosely defined and inadequately justified purposes. Regardless of whether this is down to intent, lack of attention or lack of understanding on the part of data controllers, it’s fundamentally in breach of the transparency obligation imposed by the GDPR, thus rendering the data controller non-compliant with the legislation.

Consequently our advice is, first, to define your purposes to a level of detail that allows a single lawful basis to be assigned unequivocally to each purpose, second, to provide a robust and sufficiently detailed justification for each application of legitimate interest (not just three or four words of generality as in the example given here), and third and most importantly, never consider weasel ways to circumvent the requirements of the legislation in your own apparent interest, as these will always eventually backfire to your cost.

Mike Barwise
Director, BiR