One of the most striking changes to EU privacy law under the EU’s General Data Protection Regulation (which goes into effect May 25, 2018) is the very strict approach to user consent.  For many years, companies operating in the EU (as elsewhere) have relied heavily on user consent to achieve compliance with the relevant data protection and direct marketing laws.  When the GDPR was first published, it became clear that the EU intended to crack down on the use of consent in many common situations where the EU felt that individuals were not being treated fairly.

Draft guidance published on Dec. 18 by a key advisory body representing the EU’s national data protection authorities, the Article 29 Working Party (WP29), has confirmed that regulators will approach consent strictly.  The guidance is worth reading in full.  Some highlights:

  • Consent cannot be bundled.  Instead, consents must be granular.  You will need a separate consent for each purpose for which data will be processed.  WP29 notes that this could easily lead to “click fatigue” (implicitly casting doubt on the validity of the consent) when individuals are routinely presented with a long set of check boxes, but WP29 says that this is a problem for data controllers to solve.
  • Consent to “unnecessary” uses of personal data cannot be used as a quid pro quo for access to a service.  This confirms our previous suggestion that the GDPR invalidates the prevalent business model of providing free services (such as a free app) in exchange for access to personal data that is used for behavioral advertising or other marketing purposes.
  • The “explicit” consent needed for processing sensitive personal data requires something even stronger than the already-stringent standard for “normal” consent under the GDPR.  The guidance suggests several mechanisms that primarily involve an extra confirmation step by the user, such as clicking on an opt-in box and then responding affirmatively to a text or e-mail to confirm the consent.  It’s not clear that users will welcome the extra steps and delay, but WP29 maintains that there needs to be something “more” to reach the level of “explicit” consent.
  • Data controllers must identify their legal bases for processing in advance and cannot “swap” bases if the initial basis for processing proves defective.  In other words, controllers cannot have a “backup” basis for a given processing operation, even when that processing activity could be done on any one of a number of bases, such as necessity for contract performance, legitimate interest, or consent.

The draft guidance is open for public comment until January 23, 2018.

The European Union’s General Data Protection Regulation (the “GDPR”) goes into effect in a little over fourteen months, and from a quick glance at our bullet-point analysis you can see there is a lot to consider.  One crucial aspect you need to be thinking about now is how your organization collects and manages consents from individuals for processing their personal information.  Without a strong understanding of what valid consent means under the GDPR, before long you may find yourself holding valuable data that you are not able to process as you need to for your business.

To this end, the Information Commissioner’s Office (the “ICO”), the data protection authority for the UK, last week published a consultation draft of its GDPR consent guidance.  This is a practical resource meant to help organizations get to grips with the GDPR’s consent requirements and align their internal procedures and processing activities, as well as their customer-facing websites, marketing materials, and product infrastructure.  Although the UK ICO cannot speak for the other EU data protection authorities, it has a good track record of producing practical guidance set out in accessible language, which makes the ICO website a good first stop for US companies seeking to understand their obligations in the EU.  We encourage you to review this helpful resource and provide feedback to the ICO using their comment form by March 31.  We also offer this high-level snapshot of a few key points:

The EU Parliament committee that is charged with considering data protection matters (LIBE) has issued a press release calling on the European Commission to take action before the end of 2015 to come up with alternatives to Safe Harbor.  Importantly, LIBE has also called on the Commission to reassess whether the European Court of Justice’s recent invalidation of Safe Harbor casts doubt on other means for legitimizing the transfer of personal data from the EEA to the US.

As we have commented previously here, the ECJ’s rationale in the Schrems Safe Harbor decision could be used to attack both BCRs and Model Clauses.  LIBE certainly seems to have picked up on that also.