The French data protection authority (“Commission nationale de l’informatique et des libertés” or “CNIL”) published, on January 12, 2022, a statement on processor reuse of data entrusted by data controllers. This guidance aims at establishing a legal framework to determine if, and under which conditions, a processor can use personal data it obtained from a controller for purposes broader than just strictly providing services to the controller.
Can a processor reuse the data it receives from a controller for its own purposes?
According to the definition laid out in the General Data Protection Regulation (“GDPR”)1, a processor processes personal data on the controller’s behalf. In this context, a processor merely follows instructions given by the controller and cannot, in theory, use the data for his own benefit. Such a rule is further confirmed by Article 28 §3 of the GDPR, which requires from both the controller and the processor to sign a contract (such as a data processing agreement) that sets out the terms of the processing that apply to the processor2. Accordingly, while the controller may, in writing, specifically authorize further processing, a processor who would do so without prior approval would itself become a controller and would be subject to sanctions for not acting in accordance with the purpose for which the data were originally collected3.
In practice, a processor may wish to reuse the data provided by the controller, with the objective of improving its services or products. However, such a use of customer data typically does not fall within the scope of the processing activities that a processor is carrying out on behalf of the controller. Against this backdrop, the CNIL sets forth highly restrictive conditions under which processors can reuse personal data for their own purposes.
When the legal basis for the initial processing is not the consent of the data subjects or a legal obligation, the controller is required to verify the “compatibility” between each further processing for which authorization is sought by its processor and the purpose for which the data were originally collected.
To assess such a compatibility, the controller must take into account:
- the possible existence of a link between the purposes for which the personal data were collected and the purposes of the contemplated further processing;
- the context in which the personal data were collected, in particular as regards the relationship between the data subjects and the controller
- the nature of the personal data, in particular if the processing concerns sensitive data or personal data relating to criminal convictions and offences
- the possible consequences of the envisaged further processing for the data subjects;
- the existence of appropriate safeguards, which may include encryption or pseudonymization.
The CNIL provides two examples: (i) the reuse of data for the purpose of improving cloud computing services and could be considered compatible with the initial processing, subject to appropriate guarantees such as the anonymization of the data if this identifying data is not necessary; (ii) however, in case the reuse of data by processor seeks marketing purposes, it would be difficult to pass the “compatibility test.”
The CNIL insists that if the aforementioned “compatibility test” is not satisfied, a controller must refuse the reuse of the data. However, should the compatibility test succeed, the processor must still obtain a written authorization from the controller.
Services agreements and data processing agreements on board for review
Having established the compatibility between initial processing and sub-processing, a written authorization from the initial controller will have to be ascertained. Although such an approval could typically be inserted in the services agreement or the data processing agreement signed between the parties, a processor wishing to reuse data provided by its controller must bear in mind that a prior and generic authorization will not be accepted by the CNIL: each compatibility test must be conducted for a specific processing, taking into account the purposes and characteristics of said processing that the processor wishes to reuse the data for, and a specific authorization from the controller must be obtained.
Consequently, the CNIL’s newly issued guidance is likely to have consequences for numerous processors who are providing services to their EU based customers and who wish to use their customers’ data for their own purposes. Processors may consider adapting their template agreements on this topic, and controllers may engage in more substantive negotiations to object to further reuse.
A strict approach to data reuse
This approach from the CNIL is stricter than the positions already taken at a European level. The EDPB previously stated that, in the silence of the controller’s instructions, a processor could enjoy “a certain degree of discretion about how to best serve the controller’s interests, allowing [it] to choose the most suitable technical and organizational means“4. Even as soon as 2013, Working Party 29 issued an opinion on purpose limitation in the context of reuse of data by the processor stating that the “compatibility test” should take into account not only the context in which the personal data have been collected but also the “reasonable expectations of the data subjects as to their further use.” In the Working party’s Opinion, such a balanced approach was a necessary condition to guarantee that future Article 6.4 of the GDPR would “neither [be] too general so as to be meaningless, nor too specific so as to be overly rigid“5.
Following this CNIL’s statement, the next question will be whether the strict nature of the guidance will be mirrored in an equally strict manner in future decisions.
1See Article 4.8 of the General Data Protection Regulation for the definition of a Processor : “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
2See Article 28 of the General Data Protection Regulation.
3Reference is made by the CNIL to Article 6.4 of the General Data Protection Regulation.
4See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR.
5See Working Party 29 Opinion 03/2013 on purpose limitation.