Online services became part of our everyday life. The provision of online services, in almost all cases, goes hand in hand with data processing. On the one hand, we provide our data intentionally to the service providers when we decide to use services online but in other cases, data are collected when we use the services. Due to the nature of online services, some of the general data protection rules shall be shaped and interpreted accordingly to be applicable in the context of online services. Two new guidelines have been published recently that may help in interpreting the data protection requirements in connection with the provision of online services. (Both guidelines were published in draft versions for public consultation purposes.)

The first guidelines were published by the European Data Protection Board (EDPB) on the processing of personal data under Article 6(1)(b) of the GDPR in the context of the provision of online services to data subjects (Guidelines 2/2019).

The second guidelines were issued by the UK’s Information Commissioner's Office (ICO) on age appropriate design, as a code of practice for online services.

Both guidelines make clear that the term “online services” is applied in the meaning of “information society services” as defined in Directive 2015/1535 (Article 2). Information society services mean “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”

1. EDPB’s guidelines

Article 6(1)(b) GDPR provides a lawful basis for the processing of personal data to the extent that “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

If the specific processing is necessary for the provision of the service requested by the data subject, it is in the interests of both parties to process that data, as otherwise the service could not be provided and the contract could not be performed. However, the extent of the applicability of this legal basis is not fully clear in practice. It is always a question what types of data are really necessary for the performance of the services.

Validity of the contract

Contracts for online services must be valid under the applicable contract law. For example, “the controller must ensure that it complies with the relevant national laws on the capacity of children to enter into contracts.” The controller also needs to satisfy other legal requirements (e.g. requirements regarding consumer contracts).

Necessity and other legal bases for data processing

Based on EDPB’s opinion “Article 6(1)(b) will not cover processing which is useful but not objectively necessary for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the controller’s other business purposes.”

In this context, the EDPB refers to WP29’s opinion that the necessity “… must be interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller. Also, the fact that some processing is covered by a contract does not automatically mean that the processing is necessary for its performance. […] Even if these processing activities are specifically mentioned in the small print of the contract, this fact alone does not make them ‘necessary’ for the performance of the contract.” (Opinion 06/2014)

The EDPB also draws attention to the obligation of data controllers that at the time of considering the necessity of processing, it is important to examine “the perspective of an average data subject in order to ensure that there is a genuine mutual understanding on the contractual purpose.” It’s worth noting here that the EDPB used terms like “average data subject”, “reasonable data subject” or “ordinary user of the service”. It will be interesting to see how these terms will be filled with content in the practice and whether such will serve as a point of reference in data protection law to consider the expectation of data subjects.

Applicability of 6(1)(b) of the GDPR

According to the EDPB, a controller can only rely on Article 6(1)(b) to process personal data when it can be established that the processing takes place in the context of a valid contract with the data subject and that processing is necessary in order that the particular contract with the data subject can be performed.

In order to carry out the assessment of whether Article 6(1)(b) is applicable, the following questions should be considered:

• "What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
• What is the exact rationale of the contract (i.e. its substance and fundamental object)?
• What are the essential elements of the contract?
• What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?"

Other legal bases for processing

When a controller relies on Article 6(1)(b) for the processing, the controller shall demonstrate that

(a) a contract exists,

(b) the contract is valid pursuant to applicable national contract laws, and

(c) the processing is objectively necessary for the performance of the contract.

According to the guidelines, “where processing is not considered ‘necessary for the performance of a contract’, i.e. when a requested service can be provided without the specific processing taking place, the EDPB recognizes that another lawful basis may be applicable, provided the relevant conditions are met.”

This means that data processing under Article 6 (1) b) is often complemented by data processing under other legal bases (e.g. consent or legitimate interest).

Processing of special categories of personal data

Article 6(1) b) can only be relied on as the legal basis for processing special categories of personal data if an exception in Article 9(2) subparagraphs (b) to (j) can be applied in the given case. If none of the exceptions (b) to (j) apply, the processing of special categories of personal data is not possible in the context of the contract but an explicit consent can be obtained on the basis of Article 9(2) subparagraph (a).

Specific situations

The guidelines examine the applicability of Article 6 (1) b) in some special situations, like fraud prevention, processing for service improvement, processing for online behavioral advertisement. Regarding these types of activities, EDPB concludes that generally, other legal basis should be considered since these are not necessary for the performance of the contract.

2. ICO's guidelines

The processing of children's personal data requires special attention and care from data controllers. Differences regarding age limits and contractual rules applicable to contracts conculded with children in different Member States shall be carefully considered.    

ICO's code of practice contains practical guidance on age-appropriate design for online services likely to be accessed by children. The code contains and elaborates 16 standards as follows: 

• "Best interests of the child: The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.
• Age-appropriate application: Consider the age range of your audience and the needs of children of different ages. Apply the standards in this code to all users, unless you have robust age-verification mechanisms to
  distinguish adults from children.
• Transparency: The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child. Provide additional specific ‘bite-sized’ explanations about how you use personal data at the point that use is activated.
• Detrimental use of data: Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.
• Policies and community standards: Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).
• Default settings: Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).
• Data minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices
  over which elements they wish to activate.
• Data sharing: Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
• Geolocation: Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation, taking account of the best interests of the child), and provide an obvious sign for children
  when location tracking is active. Options which make a child’s location visible to others must default back to off at the end of each session.
• Parental controls: If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.
• Profiling: Switch options which use profiling off by default (unless you can demonstrate a compelling reason for profiling, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
• Nudge techniques: Do not use nudge techniques to lead or encourage children to provide unnecessary personal data, weaken or turn off their privacy protections, or extend their use.
• Connected toys and devices: If you provide a connected toy or device ensure you include effective tools to enable compliance with this code.
• Online tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.
• Data protection impact assessments: Undertake a DPIA specifically to assess and mitigate risks to children who are likely to access your service, taking into account differing ages, capacities and development
  needs. Ensure that your DPIA builds in compliance with this code.
• Governance and accountability: Ensure you have policies and procedures in place which demonstrate how you comply with data protection obligations, including data protection training for all staff involved in the design and development of online services likely to be accessed by children. Ensure that your policies, procedures and terms of service demonstrate compliance with the provisions of this code."  

The code provides practical advice, including a data protection impact assessment template in its annexes.