GDPR: what are the lawful bases under which data can be processed?

Stuart Ritchie


I recently was asked a similar question. Rather than just say "read Article 6(1) GDPR", I thought it might be useful to flesh out that banal answer to give some hints of the other Articles/other laws to consider against each instance (or, in the colorful phrase of one Board, "pathway to righteousness").

Article 6(1) sets out exactly the same six options as set out 22 years ago in Article 7 of the Privacy Directive – so essentially nothing has changed, just been tightened a little. These arguably may be parsed as follows:

    1. Express informed true consent (see also Articles 7/8), subject to the Directive 93/13/EEC tests (that have been bagging Google its recent multi-billion fines – noting that many Supervisors do not accept consent as valid for employees and/or extra-EEA transfers and/or when mixed with any other legal bases, and that some Supervisors historically have insisted on written consent);
    2. Necessity to perform obligations of or enter into a contract with the data subject (only), subject to Directive 93/13/EEC;
    3. Necessity to comply with specified statutory obligation, and not an inch beyond (I predict that early private remedy targets will be banks hypothetically exceeding their FATCA obligations, the UK HMRC hypothetically sending their taxpayer data to Hawaii, the UK Department of Health hypothetically requiring NHS family doctors to treat patient opt-out consent as express consent to surrender their data to Google, and indirectly continuing to force transfer of most NHS patient data to terrorist havens as first reported to the parliament more than 15 years ago);
    4. Necessity in the vital interest of the data subjects, i.e. immediately saving their lives, plus odd specific situations like immediately saving lots of other lives;
    5. (public sector only – not government contractors who obviously must use legitimate interests) Necessity in respect of the public interest, subject to unconditional data subject right of objection interpreted in the context of the Charter of Fundamental Rights; and
    6. (private sector, plus public sector going off piste?) Necessity in respect of the "legitimate interests" of the controller (excluding profit), subject to unconditional data subject right of objection interpreted in the context of the Charter of Fundamental Rights; for excellent initial guidance read WP29 Opinion 6/2014.

A few things that the GDPR doesn’t change:

  • "Necessity" is to be read as objective necessity, i.e. the supervisory authorities and the Courts will decide.
  • All personal data processing is unlawful by default;
  • Derogations (aka national "opt-outs") are permitted, but only as permitted within the GDPR rules and only by Member States of the EU. (Brexit changes things a little: lawyers can deduce for themselves the choices available to the UK post-Brexit, and the consequences of said decisions. For conduct reasons I ought not say more except to emphasize this is nobody’s fault. None of the more powerful GDPR drafting lobbyists, including the UK, reasonably could have anticipated either of the two herds of elephants in the room: Herr Schrems and Brexit).

Things changed directly or indirectly by the GDPR:

  • The initial legal burden of proof is switched to the defendant;
  • Board-level deniability is dead;
  • The impact on criminal rules of evidence, and criminal submissions, of the above, given that until now English prosecutions of directors of very large enterprises generally have failed (despite succeeding in confiscating profits under the RICO-like POCA statute), and that two-thirds of Member States have custodial sentences ranging from a few months to ten years. I have no idea of the impact.
  • Statutory support for pro bono class action remedies (which my colleagues on the defense tables regard as a regrettable cottage industry – it might not be cottage for much longer). [EDIT: amusingly, about 10 days after I posted this Max Schrems announced his move into Article 80 non-profit class actions against commercial controllers]

How will the Supervisors play all this? I should say that the best way to evaluate how the 46 Supervisors will be thinking about these things, especially on investigating/fining controllers in other jurisdictions, is to look at the way the Supervisors already do this under the pre-GDPR law. My favorite example is Decision 2016-007 of CNIL (France’s Supervisory Authority) in respect of Facebook Inc and Facebook Ireland. I attach a copy (as I seem to have lost my link to the English version on CNIL’s site). Under the GDPR CNIL will not need to be so gentle.

    All facts and opinions set out above, including but not limited to spoken content and attachments/links, are provided for informational purposes only as a non-legal service to the public, and do not constitute legal advice or a substitute for legal counsel, and do not create any lawyer-client relationship, nor do they constitute advertising or provision of a legal service, nor are they the opinion of this web site or of its owner. The author is a co-founder of GDPR360 but does not speak in that capacity or in the capacity of a lawyer.