CNIL restricts the use of data by processors
Locations
Under article 4.8 of the GDPR, a processor is defined as "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller". This definition limits the possibility given to a processor to reuse the controller's data for its own purposes. This is further explained under article 28 which imposes a legal obligation on controllers and processors to sign a contract that sets out the conditions under which the processor is allowed to process the data.
In practise, however, things are quite different. In the majority of cases, processors are service providers (vendors, suppliers, etc.) who are keen to use the data they receive from their customers (i.e. controllers) for their own purposes. This is particularly the case with IT and cloud service providers who receive millions of gigabits of customer data that has great value to them. Indeed, customer data enables them to better understand the use of their products and services, to improve and help them develop these products and services, and more generally, to carry out various types of data analytics.
However, such uses of customer data typically do not fall within the scope of the processing activities that a processor is carrying out on behalf of the controller. Indeed, the controller does not instruct the processor to use its data for product development or for data analytics purposes. Hence, the processor must be considered a separate controller whenever the use of the controller's data exceeds the instructions that are given by the controller.
According to the CNIL, such reuse of the controller's data is not permitted unless it is compatible with the initial purpose(s) for which the data was collected by the controller. The CNIL refers to article 6.4 of the GDPR which states that "where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law (…) the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected.".
Based on this article, the CNIL considers that a processor is not permitted to reuse the controller's data for its own purposes, on its own initiative, unless required to do so by a national or European law. For example, electronic communication service providers may be required by law to store usage data and to make it available to law enforcement authorities for a limited period of time. Alternatively, the processing could be based on the data subject's consent but consent in such case will be specifically limited to the processing that is carried out by the controller and will not include any further processing by the processor. Without a valid legal ground for processing the data, the processor can be held liable for not having acted in accordance with the instructions of the data controller (art 28 GDPR).
Nonetheless, the CNIL does provide a few exceptions.
First, the processor must obtain the prior written authorization of the controller (unless it can rely on an existing national or EU law). Such authorization will typically be inserted in the services agreement or the data processing agreement that is signed between the parties.
Second, the data controller must conduct a "compatibility test" before granting permission with a view to assessing whether such further processing by the processor is compatible with the initial purpose(s) for which the data was collected. This compatibility test must be carried out in accordance with article 6.4 of the GDPR which imposes on the controller to verify whether there is a "link between the purposes for which the personal data have been collected and the purposes of the intended further processing." The controller must also verify the context in which the data were collected, the types of data that are used and the possible consequences of the intended further processing for the data subjects. Finally, the controller must take into account the existence of appropriate safeguards, which may include encryption or pseudonymization.
If the test is not satisfied, the CNIL says that the data controller must refuse to grant authorization for the re-use of the data. In other words, controllers cannot give a blanket and general approval to their processors, and instead must perform a compatibility test on a case-by-case.
One can immediately see how this is likely to cause tensions between controllers and processors. On the one hand, processors (particularly large US tech providers) are likely to object to such verifications on the grounds that they do not fall within the scope of article 28 of the GDPR. On the other hand, controllers may feel under pressure not to grant processors permission to use the data for their own purposes at the risk of being sanctioned by EU regulators or of receiving complaints from their data subjects. The parties are also likely to disagree on what constitutes a "link" between the initial processing by the controller and the further processing by the processor. Behind this compatibility test also lies the obligation for controllers to take into account the reasonable expectations of their data subjects and the risks that any further processing may have on them.
If, however, the compatibility test is satisfied, then the controller may choose whether to authorize the processor to use the data for intended purposes. From a legal standpoint, this shows that the controller should remain in full control of its data and should not feel obligated to authorize the processor to use the data for its own purposes. In practise, however, service agreements often contain clauses allowing the processor to use the customer's data for its own purposes, which are difficult to negotiate.
One solution would be to authorize the processor to use the data on condition that the data is anonymized or pseudonymized. Indeed, it often appears that processors do not need the full identity of the users and all they really want is the usage data in order to better understand how their services are being used. In such case, authorizing the processor to use anonymized or aggregated data would not fall within the scope of the GDPR. However, the lack of a clear framework for the processing of anonymized data makes it almost impossible for controllers to verify that their processors are effectively using only anonymized data.
Third, the initial controller must inform the data subjects about the uses of their data by the processor for subsequent purposes. For example, a controller would have to inform its employees that the company's IT solutions provider intends to use their data for its own purposes. This raises some practical questions. At what moment must a controller notify its data subjects that a processor might be using their data for further purposes? If those purposes were not known at the time when the controller provided its privacy policy to the data subjects, then the controller must go back to the data subjects and inform them again (article 13.3 of the GDPR) even if the controller's privacy policy already informs the data subjects about the sharing of their data with third party recipients (article 13.1.e). Furthermore, the data subjects have the right to object to the processing by the processor based on article 21.1 and may also restrict such processing (art. 18). In such case, it'll be very difficult for a controller to override the rights and freedoms of the data subjects if they are in fact objecting to the further processing by the processor.
Lastly, once the processor obtains the authorization of the controller, the processor then becomes a separate controller who is responsible for complying with the GDPR, including the obligation to inform the data subjects about its own processing activities. This too may raise practical difficulties in situations where the processor is not directly in contact with the data subjects. Who should inform the data subjects about the processing activities that are carried out by the processor as a separate controller? The controller may agree to inform the data subjects on behalf of the processor, but this creates an additional burden for the controller who might not be willing to accept this burden.
The CNIL's guidance is likely to have consequences for all subcontractors who are providing services to their EU based customers and who wish to use their customers' data for their own purposes. Controllers and processors may need to review some of the clauses in their data processing agreements, particularly those around the sharing and reuse of data. While this remains the position of a single DPA (as opposed to guidance issued by the EDPB), the CNIL has become a very influential regulator within the EU and thus this guidance should not be ignored.