The use of telemetry data has repeatedly been the focus of data protection supervisory authorities in recent years – especially because of Microsoft 365. If software providers want to collect telemetry data from the users of their software in connection with the provision of their services, the question arises as to the legal basis on which they can base this data processing.
This article shows viable ways for the legally compliant processing of telemetry data, which are strongly advised in view of the already increased attention of data protection authorities on this topic.
Telemetry data and data protection
Telemetry data is any data collected remotely that contains information that can identify a software user.
The processing of telemetry data must be viewed critically from a data protection perspective, as this information can be used to draw conclusions about the user and thus counts as personal data. As the controller of telemetry data, software providers must be able to prove that the processing is lawful as part of their accountability obligations under Article 5(2) of the GDPR (General Data Protection Regulation).
Consequently, you must check and document in advance on which legal basis you can base the processing of telemetry data.
Legal basis for the processing of telemetry data
Legitimate interest pursuant to Art. 6 (1) (f) of the GDPR is a provision with a broad and rather unspecific scope of application. On the one hand, this has the advantage that the provision can be applied to a large number of circumstances. On the other hand, this leads to legal uncertainties and questions in the application in concrete individual cases.
In principle, software providers have a variety of legitimate interests for processing telemetry data.
However, the mere existence of legitimate interests is not sufficient to legitimise the processing of personal data. It is imperative that the processing is necessary to safeguard the interests pursued and that the interests of the software providers outweigh the interests of the data subjects. The interests of the software providers are in fact offset by the fundamental rights of users to respect for their private lives and to the protection of personal data pursuant to Art. 7 and Art. 8 of the EU Charter of Fundamental Rights.
In any case, the existence of a legitimate interest must be weighed particularly carefully. In doing so, you should consider, among other things, that when processing telemetry data, a large amount of usage data is collected that enables extensive tracking. As a software provider, you gain additional knowledge about the software users that would otherwise not be accessible to you.
It must also be examined whether the processing of telemetry data falls within what data subjects would expect. Software users generally expect that personal data will be collected by software operators. But the processing of telemetry data is outside what users would objectively reasonably expect, because such data collections are not necessary for the user’s traditional use of the software. Moreover, the collection of telemetry data has a detrimental effect on the ability of users to control and determine the use of their own data.
Even if the user had the right to object (by deactivation), this would not be sufficient, because this option would come too late to have the necessary protective effect with regard to the intensity of the interference.
Accordingly, you should not rely on your legitimate interest(s) as a legal basis. The processing of telemetry data should be made optional and it should be left solely to the user to decide whether or not to send telemetry data.
To ensure that software providers who want to process telemetry data are not treading on thin ice in terms of data protection law, they should obtain the consent of their users. The following requirements must be observed:
Timing of consent
Consent pursuant to Art. 6(1)(a) of the GDPR should be obtained before the software is installed for the first time or before the software is started for the first time, but in any case before telemetry data is collected for the first time. Only when the user has given their consent through an active action (e.g. by clicking on a button) may the collection of telemetry data actually take place. This means that the option must not be already selected by default, because so-called opt-out procedures are not sufficient for GDPR-compliant processing of telemetry data.
The consent should also be documented so that you can prove that it was given in case of doubt.
Since consent is revocable, a corresponding option for revocation must be implemented (deactivation button). Attention: Revoking consent must be just as easy as granting it (Art. 7(3) sentence 4 GDPR).
Software providers must also describe transparently and comprehensively exactly what data is collected and for what purposes it is to be processed. Users need to know exactly what they are consenting to in the first place.
This requirement is particularly important because the lack of transparency is the main point of criticism by regulators of Microsoft’s use of telemetry data.
For example, Microsoft states that it uses the telemetry data to provide, improve and ensure the security of its products. However, these purposes are very vague. Accordingly, make sure that you inform your users sufficiently and extensively about the purposes of the collection of telemetry data so that they have an accurate overview of the processing.
Tip: Read our guidance on complying with information obligations.
The selection of the correct legal basis should always be made carefully, because violations of the principle of lawfulness of data processing can be punished by the supervisory authorities with very high fines. Pursuant to Art. 83 (5) (a) GDPR, the supervisory authorities can impose fines of up to 20 million Euros or up to 4% of the total annual worldwide turnover of the previous financial year.
Great caution is required especially when processing telemetry data, as this topic has already been put on the agenda of the supervisory authorities due to Microsoft. However, if you design the consent as described herein, nothing should stand in the way of your lawful processing of telemetry data.
The German original of this article was published by our partner activeMind AG.