
Thank you for the citation; this is an interesting and useful discussion.

The contract that Facebook has with its users is not merely to serve as their social media platform. The contract includes personalized advertising.

Facebook, in the terms of their contract with you, give you X in exchange for Y. X is the social media platform. Y is personalized advertising. This is the contract. AFAICT from the GDPR, they don't specify boundaries for the terms of the contract itself, do they?

The ICO talks at length about what it means for processing to be "necessary" for the purpose of fulfilling a contract. But it doesn't state what the boundaries are as far as what constitute legitimate contracts.

For example, this would be a valid contract under the GDPR, AFAICT:

I offer to make you free sandwiches in exchange for you telling me some personal information about you and targeting you with advertisements while you're in my sandwich shop or elsewhere; and I provide you an ability to revoke this contract at any time (whereupon I will delete the data I've collected). Of course, this means you don't get free sandwiches anymore. This would not be an illegal contract under the GDPR, AFAICT.

Now, if my contract were just "I'm going to give you free sandwiches," then yes, collecting data and advertising would not be necessary for that contract. But that isn't the contract.




From same source: "The processing must be necessary to deliver your side of the contract with this particular person."

That is - these regulations refer to the performance of a contract by the service provider. If the data isn't necessary for creating the sandwich, you're not allowed to deny use of the service based on the user not giving you the data.

GDPR was specifically written by smart lawyers and regulators to prohibit the specific kind of contract you're describing. The whole point of regulations like this (also minimum wage, regulation of arbitration agreements, etc.) is to limit the kinds of contracts people can enter into.

Specifically, they're allowed to consent to give you that data, but that's not allowed to be a condition for the use of the service.

EDIT: More specific sourcing on the way that GDPR regulates contracts, in Article 7(2): "Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding."

EDIT 2: And in fact, we've gone in a circle. Again, as Recital 43 states: "Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."

This is all super crystal clear, by design.


> Specifically, they're allowed to consent to give you that data, but that's not allowed to be a condition for the use of the service.

You seem to be trying to say that Recital 43 rules out certain types of items as being part of the terms of a contract between a person and a service provider. Namely, the term `you will be shown targeted ads` is an invalid term in a contract. (If this is a misunderstanding of your position, please let me know.)

But this is not what Recital 43 actually says. Recital 43 talks about the performance of a contract. It does not speak to the terms of a contract.

The phrase "performance of a contract" is, I believe, a specific thing in contract law: it refers only to the execution of some established contract.

If Recital 43 or some other part of the GDPR wanted to limit the terms of legal contracts to exclude targeted advertising, they could have done that. But they did not, AFAICT.


The activity they restrict isn't showing targeted ads; it's collecting the data necessary to show targeted ads. That is to say, you're not allowed to collect data that would show that the user is e.g. a 33-year-old African-American male living in Fremont, CA and with an interest in certain sports, which is necessary to show targeted ads. If you could show such ads without collecting that information, I'm sure GDPR drafters would be totally fine with it.

[EDIT: e.g. this article talks about "programmatic advertising using non-personal data": https://martechtoday.com/consent-unworkable-programmatic-ads...]

Recital 43 says you're not allowed to collect any data that isn't necessary for performance of a contract. In contract law, "performance" specifically refers to the actions one side is obligated to take by a contract; that is, the service provider is only allowed to collect information that is required in order to "perform" (that is, discharge their obligations under) the contract. If the contract says the user's performance of the contract requires handing over data? Tough luck. The service provider isn't allowed to collect it.


Okay, I think I finally understand your argument.

You’re saying that Recital 43’s citation of “performance of a contract” refers to merely the performance of the provider — the good or service handed off by the provider to the customer. (It’s the sandwich in our example from earlier.) It does NOT also include whatever good the user provides to the service provider as their side of the contract.

So if a service provider says “You need to give me data in order for me to serve you targeted ads, and this is payment for the free service,” the user could not “freely consent” to providing that data, because it is a condition that is not necessary to provide the free service.

Okay, now another question: If the data given by the sandwich eater to get his free sandwich isn’t “freely given consent,” does that matter? Consent was never the legal basis under which the data was handed over in the first place; it was contractual fulfillment, which is a valid legal basis for processing personal data.

What am I missing?

Edit: I do remember the citation you gave earlier from ICO saying that contractual obligation is not a legal basis in the case where it has nothing to do with the performance of services on the part of the provider. I reviewed their site again, looking for a citation for why this is, but they don’t say. I assume they’re pulling that from recital 43, but again — that would seem to me to be a misreading of 43. That only means that the user didn’t freely consent to give that data. But that doesn’t matter because their data is not being processed under the legal basis of consent.


You're correct about Recital 43 not applying to the contract case - what it does is establish that the main alternative to "necessary for the performance of a contract" isn't there in the sandwich example.

The core of the regulation is Article 6(1), which is basically a big old "or" statement; you have to fulfill one of the conditions listed in order to lawfully process data. [1]

a) is consent, as explained in Recital 43 and clarified in other places. The sandwich vendor clearly doesn't have that, since they've conditioned the service on the delivery of data.

b) is "necessary for the performance of a contract". This is the option on which your free-lunch-giver is leaning. "Necessary" is not well-defined in the EU-wide regulation, but judging by the UK example I linked (the ICO), implementing Member State agencies are going to take a narrow view of "necessary" - as in where it's impossible for the controller to perform the contract without processing the data. By contrast, Recital 43 uses "dependent" to refer to the service provider establishing conditions. This also fits well with the usage of the word in the other tines of the Article 6(1) fork. (c: "necessary for the compliance with a legal obligation", d: "necessary to protect the vital interests of [actual people]", e: "necessary for the performance of a task carried out in the public interest or in the exercise of official authority" [2]). This interpretation is also, in practical terms, the only one that makes sense, as otherwise the consent option (a) would be redundant.

[1] The most friendly version of the English-language full text I can find is here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...)

[2] This interesting clause stems from an even more interesting feature of GDPR: it applies to government agencies. Meaning the regulation needs specific language to specify that yes, the Ministry of Transportation in your country is allowed to use your vehicle registration information as part of its road planning process.



