The last drafts of the ePrivacy Regulation include several legal bases that might serve to legitimize data processing. In general, consent will probably continue to play a key role in the processing of data through electronic communications. However, article 8 of the version of the ePrivacy Regulaton by the Council includes alternative bases for the use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, concerning even its software and hardware:
- A) it is necessary for the sole purpose of providing an electronic communication service;
- C) it is strictly necessary for providing a service specifically requested by the end-user;
- D) it is necessary for the sole purpose of audience measuring, provided that such measurement is carried out by the provider of the service requested by the end-user, or by a third party, or by third parties jointly on behalf of or jointly with provider of the service requested provided that, where applicable, the conditions laid down in Articles 26 or 28 of Regulation (EU) 2016/679 are met;
- DA) it is necessary to maintain or restore the security of information society services or terminal equipment of the end-user, prevent fraud or prevent or detect technical faults for the duration necessary for that purpose; or
- E) it is necessary for a software update provided that certain circumstances apply.
If the processing only involves the collection of information emitted by terminal equipment of the end-user to enable it to connect to another device and, or to network equipment, it shall be permitted if conditions such as those included in article 8.2 of the ePrivacy Regulation draft apply (that is, (a) it is done exclusively for, and only for the time necessary, the purpose of establishing or maintaining a connection; or (b) the end-user has given consent; or (c) it is necessary for the purpose of statistical purposes that is limited in time and space to the extent necessary for this purpose and the data is made anonymous or erased as soon as it is no longer needed for this purpose, (d) it is necessary for providing a service requested by the end-user.) and the corresponding safeguards have been successfully implemented (See article 8.2(d) of the ePrivacy Regulation draft.
| Box 2: re-use of personal data
One of the most controversial issues in terms of data protection is the re-use of personal data and the possibility to proceed with a lawful processing on this basis. This issue has been the subject of in-depth analysis in documents such as the EDPB-EDPS Joint Opinion 03/2021 on the Proposal for a regulation of the European Parliament and of the Council on European data governance (Data Governance Act). In a nutshell, The EDPB and the EDPS reiterate that all processing of personal data as referred to in the Proposal shall occur in full compliance with the GDPR, and thus accompanied by appropriate data protection safeguards. This means that the re-use of personal data should always respect the principles of lawfulness, fairness and transparency as well as purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality in line with Article 5 of the GDPR (73). The draft of the ePrivacy Regulation by the Council includes a clause devoted to this issue, article 8, (g) and (h).
Furthermore, it might also happen that data are finally processed under an alternative legal basis, such as public interest. This is not at all impossible if circumstances recommend it and the processing is based on Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject. However, developers should keep in mind that such alternative basis are applicable only if the controller is a public authority. Furthermore, the regulation of public interest might be different in each Member State. Controllers should be well aware of such circumstance.
On the other hand, personal data may be reused for purposes compatible with that for which it was originally collected. Thus, in principle the developer might use data already available to develop the device, without collecting new data. However, the controller must ensure and carefully document that this purpose is indeed compatible with the original one (see “Purpose Limitation Principle” subsection in the “Principles” Section of the General Part of these Guidelines).
Other than that, personal data may be also be re-used after being subject to a process of anonymization. That is, previously existing personal data can be turned into non-personal data. This leaves the processing out of the scope of the GDPR. It may still fall under the ePrivacy Regulation when it comes into effect. In this case, further use of anonymous data will be permissible. In this regard, the controller must bear in mind that the technical process consisting of subjecting personal data to an anonymization technique constitutes in itself a processing of personal data. This processing can be regarded as compatible with the original purpose of the processing on the condition that the process produces truly anonymized information, in the sense defined by the former Article 29 Working Party. (see the “Anonymization” and “Pseudonymization” sections in the Main Concepts part of these Guidelines)
The legal basis that provides the lawful ground for the use of location/proximity data should, in any case, incorporate meaningful safeguards. A clear specification of purpose and explicit limitations concerning the further use of personal data should be included, as well as a clear identification of the controller(s) involved. The categories of data as well as the entities (and purposes for which the personal data may be disclosed) should also be identified. In case the data is being used for more than one purpose, the controller should link which categories of data are being used for which purposes. In addition to all the previous, it is important to establish and communicate the period of time during which the data will be preserved. Moreover, the information must not be used to determine the nature or characteristics of an end-user or to build a profile of an end-user. Depending on the level of interference, additional safeguards should be incorporated, taking into account the nature, scope and purposes of the processing. See, on this, Article 8 of the ePrivacy Regulation.
Developers have checked that they have a legal basis that allows for a lawful data processing
Controllers have checked the EU or national regulatory framework regarding the use of personal data.
If personal data are used for compatible purposes, the controller has performed the compatibility test and ensured that uses are compatible.
If the data are used for a purpose other than that initially sought, the tool is designed to inform the user about this use.
The tool is designed to allow the re-use of personal data only when it is grounded in Union or Member State law which lays down a list of clear compatible purposes for which the further processing may be lawfully authorized or constitutes a necessary and proportionate measure in a democratic society
4Article 29 Working Party, Opinion 5/2014 on Anonymisation Techniques. Adopted on 10 April 2014, p-7-8., at https://iapp.org/media/pdf/resource_center/wp216_Anonymisation-Techniques_04-2014.pdf. ↑