0

The GDPR makes use of the word "necessary". For example article 6. Lawfulness of processing 1. (f) says "processing is necessary for the purposes of the legitimate interests pursued by the controller". This is frequently used for cookie consent (including by stack exchange) to have a minimum set of cookies that one cannot refuse.

The ICO defines necessary as:

When is processing 'necessary'?

Many of the lawful bases for processing depend on the processing being “necessary”. This does not mean that processing has to be absolutely essential. However, it must be more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means, or by processing less data.

It is not enough to argue that processing is necessary because you have chosen to operate your business in a particular way. The question is whether the processing is objectively necessary for the stated purpose, not whether it is a necessary part of your chosen methods.

In logic discussions, and I think common english, necessary is synonymous with essential in that A is a necessary/essential condition for B if B cannot occur without A. While the paragraph above indicates that there is a legal difference between these two terms, it does say what this difference is.

In the case of cookies it is quite easy to objectively define a minimum for how much influence they have the functionality of a site. I could for example, crawl this site twice, once while respecting cookies and once while not returning any cookies provided (I could even repeat this for individual cookies). It would be correct to say that cookies are not essential for any functionality that is returned by both crawls. From a logic point of view necessary would be synonymous with essential in that statement. What does necessary mean in this context from a legal point of view?

Improve this question

3 Answers 3

Reset to default
2

Reality is complex and nuanced, so it doesn't make sense to interpret words in the same strict sense as they would be used in formal logic.

GDPR legal bases relate to processing purposes, i.e. goals that shall be achieved via the processing of personal data. The GDPR has principles such as data protection by design and by default and data minimization. These principles tell us that we should only process the minimum data necessary to achieve the purpose, and should use the most privacy-friendly means to do so. The use of the word “necessary” in Art 6(1) GDPR is an expression of these principles, and restricts which means we can use towards these purposes.

The word “necessary” was at the heart of the Munich “Google Fonts” case. A website operator claimed that they had a legitimate interest for embedding fonts from a third party server (Google) on their website. The court did not even consider whether that legitimate interest was valid. Because even if it was valid, there would be the question whether embedding fonts from a third party server was necessary to achieve those interests. The court found that this was not necessary, as there would be more privacy-friendly means to achieve the same interest, namely self-hosting the fonts.

The word “necessary” also appears in the context of the ePrivacy Directive, which regulates the use of client-side storage such as cookies. The default is that accessing or storing information on a client-side device requires GDPR-consent. However, there is an exception, in case that access or storage is strictly necessary to provide a service that was explicitly requested by the user. Here, the words such as “strictly”, “necessary”, and “explicitly” all help to show that this exception must be interpreted fairly narrowly. The main point of debate in this context is then which services were “requested”, i.e. which services of an app or website are core parts of the offering, and which are optional. This becomes tricky in particular when such client-side storage is strictly necessary for providing the service in a safe and scaleable manner (e.g. cookies for load balancing, bot detection, rate limiting), even though the service could technically work without them. It is thus not always possible to draw a bright line, though regulatory guidance has made some aspects perfectly clear. For example, ads are never strictly necessary for providing a service in the sense of the ePrivacy Directive, even though they might be necessary for a website's business model. Whether cookies are necessary must always be considered from the perspective of the user.

A note on word choice in EU law: Drafting EU laws is a linguistically challenging process because the law must be translated into all member state's languages, and all of these versions are the authoritative document. Thus, they must express the exact same meaning. It is more preferable that the different versions are aligned in word choice and sentence structure, than making sure that the English version has elegant prose. Also, laws tend to use a formal and neutral linguistic register.

Words like “necessary” or “required” are useful here, given their plain meaning with few distracting connotations. Also, “necessary” has exactly equivalent words in Romance languages.

The word “essential” is more complicated. It is more difficult to find exact equivalents in other languages. It has potentially distracting metaphysical and biochemical connotations. While it is also used in formal writing, it has a more argumentative tone there, similar to “imperative”. For example, a business memo might use emotive language like “It is essential that we achieve our KPIs for this quarter”, where the word carries more emphasis than the more neutral “necessary”. That linguistic register would be inappropriate for laws.

The GDPR and ePrivacy directive do use the word “essential”, but the GDPR only uses it in the recitals (which argue why the law is necessary), and the ePrivacy Directive uses it in the sense of “relating to core aspects”. The GDPR also uses the word “essence” in three articles, where it is used in the “central aspects” sense. For example Art 23 GDPR contains both relevant words which perhaps highlights their not-quite-interchangeability:

Union or Member State law […] may restrict [data subject rights], when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society […]

Of course, the phrase “necessary in a democratic society” is borrowed from the ECHR and has substantial amounts of case law around it.

Improve this answer
6
  • While this is an interesting answer, it seems a bit more answering what things could be necessary, rather than the meaning of the word. What does the word "necessary" say about the relationship between two things, and how does that differ from "essential"? In your examples, it seems the word "essential" could be substituted for "necessary" and the meaning would not change.
    – User65535
    Commented Feb 24, 2023 at 12:27
  • @User65535 I edited the answer to discuss word choice in EU laws. However, detailed discussions of word meanings could be more appropriate on English Language & Usage
    – amon
    Commented Feb 24, 2023 at 13:58
  • Your edit certainly does illustrate the issues relating to word choice here. I did not expect the answer to end up in european language evolution.
    – User65535
    Commented Feb 24, 2023 at 14:05
  • I feel like you're giving the judges and legislature more credit than is due. They didn't know what they wrote and as someone who has been dealing with GDPR for a while neither do the lawyers or the national agencies that are supposed to be interpretting the law. There are some things which are clearly beyond the line, there are others (very very few) that are ok. Then there is a huge middle ground where you do your best and pray you don't get sued or have enough money if you do.
    – DRF
    Commented Feb 24, 2023 at 17:24
  • @DRF the legislators? Sure, they can't spend the time on these details. But the translators that prepare the draft documents absolutely do have to think about how to clearly express the intended meaning in each language. And sometimes, courts pay attention to specific words. That it's difficult to know whether some organization is truly GDPR-compliant is a different matter, but that has nothing to do with word choices.
    – amon
    Commented Feb 24, 2023 at 17:48
1

Since the meaning given to the word "necessary" seems apparent in the material you quoted, I first thought you might be looking for examples, but you have criticized amon's answer for merely providing examples. So, I now understand you to be asking a question that appears to be actually answered in the material you quoted.

You quote:

Many of the lawful bases for processing depend on the processing being “necessary”. This does not mean that processing has to be absolutely essential. However, it must be more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means, or by processing less data.

  • This makes it clear that "necessary" does not mean "essential" in this context.
  • Necessary falls somewhere between "just useful"/"standard practice" and "essential".
  • For a use to be "necessary" it must have a specific purpose and be a "targetted and proportionate way" of achieving that purpose.
  • If that purpose was "reasonably" achievable by "less intrusive means" then the use of the cookie would not be considered necessary.

I agree with amon that the latter concepts (of proportionality, targetting, consideration of less intrusive means) are borrowed from international human rights norms and there is a large body of jurisprudence applying this kind of balancing.

Improve this answer
2
  • I interprete amons answer to be not that there is a spectrum of difficulty on which there are points "necessary", "just useful", "standard practice" and "essential" but that they are referring to different aspects. Necessary means functionally required, essential means related to the “central aspects”. I agree your reading makes more sense, but it is not the only possible one. Your third and fourth points seem to refer to attributes that a use must have, that would also apply if a use was essential.
    – User65535
    Commented Feb 24, 2023 at 14:16
  • @User65535 There is definitely such a spectrum, which I didn't discuss in my answer. “Essential” would suggest “impossible to do without”, which would be a bit more narrow than “necessary” or “required” which leaves more room for nuance. However, these three words are often used synonymously, so in less careful writing there might indeed be no intended difference.
    – amon
    Commented Feb 24, 2023 at 14:22
1

Necessary is legally broader than essential

Something is essential if the process will simply not work without it; something is necessary if, without it, the process becomes inefficient, uncommercial or overly complex.

So, for example, it is necessary for an online sales of physical products to collect your address (personal information) in order to deliver the goods to you. It is not essential because they could instead have a huge network of collection centres where customers could collect the goods - just like a bricks and mortar retailer. Both that is inefficient, uncommercial and overly complex.

While it’s necessary to have the address for the delivery it’s not necessary to keep it indefinitely. Once the delivery has been made and for a reasonable period after that to allow to correct delivery errors, the address should be deleted unless consent has been given to keep it for the next delivery.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .