Andre Walter and Wouter Seinen of Pinsent Masons said the recent guidance issued by the Commission Nationale de l’Informatique et des Libertés (CNIL) helps to clarify how data processors can secure rights to re-use data shared with them by data controllers in a way that complies with EU data protection law – without having to obtain the consent of data subjects to further processing.
CNIL’s guide addresses specifically how compatibility assessments, provided for under the EU General Data Protection Regulation (GDPR), can be applied in practice to authorise planned re-use of data by processors. CNIL is one of the leading data protection authorities in Europe and guidance it issues often helps direct compliance efforts across the rest of Europe.
Walter said: “The relationship between controllers and processors is tightly regulated, with the law requiring that processors only process personal data shared with them by controllers for purposes specified in the terms of a written agreement put in place between them. Strict conditions are also outlined in law around the further processing of personal data under the GDPR. The provisions constrain the activities of data processors, and they can present a barrier to their re-use of customer data – even for worthwhile and low-risk purposes.”
“In our daily practice, many AI processors approach us for a solution, so they can not only process the data on behalf of their customers, but also use this data on their own behalf, for example to train their algorithms. We have developed hybrid data processing and sharing agreements, where the ‘sharing’ part creates a relationship that enables data processing for product improvement purposes, including algorithm training of AI processors,” he said.
“With its new guidance, CNIL has explained how businesses can assess the legitimacy of further processing of personal data by, for example, cloud or AI processors, for their own purposes. It has signalled that a so-called compatibility assessment can be carried out to ensure the further processing envisaged by the processor is compatible with the original purposes for which the data was collected. This procedure negates the need to obtain consent from data subjects to the further processing for very obvious and well accepted purposes and is therefore a very useful tool for businesses to avoid adding to the existing ‘consent fatigue’ among consumers,” he said.
Seinen said: “We have seen many respectable companies with well-intentioned innovations get stuck over GDPR concerns and have always believed that the ‘further use’ provisions in the GDPR can provide outcomes. It is a positive sign that the French regulator is providing practical guidance on a topic that can be applied to something as impactful as AI.”
In its guidance, CNIL said, in the absence of consent, parties must determine whether the processor’s planned re-use of data is “compatible with the purpose for which the data were originally collected”.
CNIL listed the factors that must be taken into account when conducting a compatibility assessment. It said the following aspects should be considered:
- the link between the purposes for which the personal data were collected and the purposes of further processing envisaged;
- the context in which the personal data were collected, in particular if there is a power imbalance in the relationship between the data subjects and the processor;
- the nature and sensitivity of the personal data involved;
- the possible consequences of the envisaged further processing for the data subjects;
- the existence of appropriate data security safeguards.
In an example it provided, CNIL said that if a cloud provider plans to re-use a controller’s data to improve its cloud services then this “could be considered compatible with the original processing, subject to appropriate safeguards”. Re-use of personal data for “commercial prospecting purposes” would most likely fail the compatibility test, it said.
CNIL noted that controllers cannot provide processors with a prior, general authorisation to further processing, and that a controller’s authorisation based on the compatibility assessment must be outlined in writing. Andre Walter said: “Such a written authorisation of the compatibility of further use will be a very valuable addition to existing and future data processing agreements with AI solutions providers.”