News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Global recall: How the GDPR impacts product recalls Related reading: A view from DC: Will Maryland end the era of notice and choice?

rss_feed

On April 27, 2016, the European Parliament passed Regulation (EU) 2016/679, better known as the EU General Data Protection Regulation. The extensive consumer data privacy bill has an overarching goal to give European Union residents control over their personal data and to provide transparency between companies and consumers, causing wide-reaching effects on businesses and organizations worldwide. Further, many other jurisdictions have introduced their own consumer data privacy bills in line with the GDPR. Not all potential consequences of the GDPR (and similarly situated laws) are clearly evident quite yet, but companies nonetheless will encounter challenges in their dealings with consumers in the global marketplace, pursuant to the GDPR and other such regulations. One of the hidden consequences this new proliferation of consumer data privacy measures throughout the world will affect product liability matters, specifically concerning product recalls.

Conducting a product recall is extremely challenging for manufacturers. A recall is vital for a company to mitigate several harms, including liability exposure for injury, illness or property damage that could possibly occur from the use of its defective product, in addition to reputational damage. In conducting a recall, a company first must contact its distributors to halt the sale of the defective product. It then must notify possibly impacted consumers in an effort to prevent injuries from the dangers that the defective product poses. Depending on the risk of injury, the urgency to notify consumers of the recall may be high.

Manufacturers may publicize a product recall on their websites, in distributor’s stores, through the press and on social media. In addition, manufacturers are encouraged (and, at times, required) to provide direct notice of the product recall to consumers via mail, email, telephone call, or text message to individual customers possibly impacted by the defective product. In anticipation of potentially being required to properly notify consumers of a subsequent product recall, manufacturers must actively collect and maintain personal data of the purchasers of their products. However, with the GDPR and other consumer privacy laws in effect, manufacturers will face challenges in notifying consumers of product recalls due to the restrictions in collecting and storing consumer data.

The first issue manufacturers will face is changing the manner in which they collect, store and use the personal data of consumers. The GDPR requires companies to obtain consent through clear and plain language documents, absent of legalese, that inform the consumer what information is being collected, with whom it will be shared, and the purpose for collecting and storing it. This will translate to manufacturers being required to draft updated terms-of-sale agreements that detail what information will be collected and stored, in addition to their purposes for doing so. Beyond that, it would behoove manufacturers to include this language in their privacy policies or other forms accessible through their online platforms (potentially including terms of use and other documentation, depending on the particular type of product and possibly the company’s industry). From a conservative standpoint, these manufacturers should seek for consumers/customers to provide expressed consent to all terms contained in these forms.

Another issue facing manufacturers will be obtaining consumer’s personal information from their distributors. Generally, a company that does not interact with consumers directly, but rather furnishes products to distributors, would need to obtain customer lists from those distributors to notify the impacted consumers. This presents a challenge for manufacturers, due to the restrictions upon the transferring (or processing) of a consumer’s personal data. The transferring of personal data from the data controller to a third party under the GDPR (see GDPR Article 6 §1) is lawful only when:

  • Data subject has consented to that specific purpose.
  • Necessary for performance of contract to which data subject is a party.
  • Necessary for compliance under a legal obligation to which the controller is subject.
  • Necessary to protect the vital interests of the data subject or another natural person.
  • Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Necessary for the purposes of the legitimate interests pursued by the controller or by a third party; except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Since there are narrow circumstances under which a controller of data is legally permitted to transfer personal data to a third party, manufacturers will need to take steps as soon as a consumer purchases its products to ensure that a product recall will be possible at all. It will be best practice for a manufacturer to include (1) language in its contracts with distributors that obligates those distributors to be GDPR compliant; and (2) specific language in its terms of sale and other forms detailing that the distributor is obligated to transfer its consumer data to the company for a product recall. This will ensure that the distributor has received the consent of the consumer, enabling the controller to transfer that data to the third-party manufacturer so that it may use that data to conduct the product recall.

An additional, more overarching issue that manufacturers will face, regardless of the first two issues discussed above, will be what to do when an EU data subject exercises their “right to be forgotten” under the GDPR prior to a product recall. If a consumer exercises this right prior to a product recall, it would be impossible for a company to contact that individual regarding the defective product. It is too early to determine how a court would analyze liability in such a case, but if a company used all other avenues (press release, social media, etcetera) to notify the consumer, it may be able to mitigate liability for harm. However, that is a major issue that businesses will need to consider and to work through comprehensively.  

The GDPR has had wide-reaching effects, both anticipated and unanticipated by manufacturers. As similar legislation is passed and enacted in other jurisdictions, individual businesses and, on a larger scale, entire industries are discovering they must alter the manner in which they conduct business. Product recalls are an already complicated process requiring a great deal of planning. The GDPR requires manufacturers to begin thinking about recalling products much earlier in the process than they traditionally have. As more jurisdictions introduce their own versions of consumer privacy laws, manufacturers will have to move consumer data privacy concerns and action items at the top of their list of priorities.

 

Photo by Markus Spiske on Unsplash

Authors
Headshot Derrick Maultsby Nonmember Contributor
Headshot Jason Ott Nonmember Contributor
Tags
Privacy Law
6 Comments

If you want to comment on this post, you need to login.

  • comment Peter Dinsdale • Apr 9, 2019 
    There are a few issues with this article, which don't reflect my understanding of GDPR.

1) "The GDPR requires companies to obtain consent through clear and plain language documents, absent of legalese, that inform the consumer what information is being collected, with whom it will be shared, and the purpose for collecting and storing it."
 - This isn't the case. It requires companies to inform consumers about the data processing, but it doesn't necessarily require consent. In fact, if the consumer's data is being collected for delivery of the product, it is likely being processed under Art 6(1)(b) - necessary for the performance of a contract. Please do not conflate the transparency requirements and the need for a lawful basis for processing.

2) "Another issue facing manufacturers will be obtaining consumer’s personal information from their distributors."
 - Even if it isn't considered part of the contractual obligations to the consumers, there is a very strong case for legitimate interests to be used as a basis for this processing. Alternatively, just get the distributors to issue the recall notices to the consumers, if this is viable.

3) "An additional, more overarching issue that manufacturers will face, regardless of the first two issues discussed above, will be what to do when an EU data subject exercises their “right to be forgotten” under the GDPR prior to a product recall. "
 - This fails to acknowledge that the right to erasure is not absolute, and only applies under certain conditions. If the data is still required for the purposes of the contract, in the event of a product recall, or for other legitimate grounds, then the right to erasure request does not necessarily need to be actioned.
  • comment Jason Albuery • Apr 9, 2019 
    I would agree with Peter that consent would not likely be the primary mechanism for processing their data and in the event of a recall, Legitimate Interests would be a viable method for processing data.  As a data subject would you be offended if a manufacture notified you of a recall for a faulty product that could cause you or others injury but you hadn’t given them consent to do so.  Not sure how the reverse would work if you got injured but had not been notified.  Surely the manufacturer has a duty of care to its customers if it finds fault with its products. 
When EU data subject exercises their “right to be forgotten” under GDPR I have found that this is a method used to stop receiving unwarranted marketing.  If that is the case then much better to add the data subject to a suppression list if you still have a valid reason such as a contract, warranty or financial reasons for processing their data.
  • comment Derrick Maultsby • Apr 9, 2019 
    Peter, thank you for your comment. This article is raising issues manufacturers will have to think about and discuss. We approach all of our interpretation of legislation from a conservative standpoint. Nevertheless, your points are valid and I will answer each in turn:

 1) We are not attempting to conflate anything. While we know there are exceptions to this consent rule, we practice conservatism. As we expressly say in our article, "From a conservative standpoint, these manufacturers should seek for consumers/customers to provide expressed consent to all terms contained in these forms." We fully understand the exceptions may bar this practice, but we would never advise someone to take an unnecessary risk. I firmly believe it is best practice that all consumer facing forms are updated in light of the GDPR, and companies seek the consent of consumers to those policies or forward the updated versions to them to place the consumer on notice. 

2)As you see we list the circumstances in which a controller may process a data subjects information, and I concur there is a strong case for legitimate interest. However, it behooves a company to simply just get consent. Then they do not have to argue legitimate interest, because they will have evidence of the consent. 

3) Once again, I agree. However, it is an issue that needs to be raised in order for companies to identify they do not need to erase this data due to legitimate grounds. There are also significant repercussions if a retailer erases the information (not thinking of product recalls) prior to the retailer/distributor processing the information to the manufacturer. By raising this issue, the distribution contracts can address this issue putting all parties on notice of the legitimate interest. 

Once again, I appreciate the comment. When drafting articles with a word limit, it is often hard to cover everything especially with such a grand piece of legislation. We believe these are all issues that have solutions, some of which you raised. These issues we discuss are all challenges that will alter how manufacturers have conducted the practice of recalls for years prior to the GDPR's introduction and implementation.
  • comment David Draycott • Apr 10, 2019 
    I am disappointed that the IAPP has put out such an article. Privacy Professionals are attempting to calm things down for our customers, articles like this seem to throw petrol on the fire. If the product recall is in the customers best interest then I fail to believe any legislation would attempt to restrict the processing. To suggest if "consent" was not collected in the first instance and that the data may be processed in the event of a product recall (this toaster catches fire due to faulty wiring) seems to be a crazy perspective. Common sense must prevail....and Peter is correct another lawful basis would prevail...
  • comment Derrick Maultsby • Apr 10, 2019 
    David, thank you for your comment. I must start by saying IAPP is a place for different perspectives to come together and analyze issues. I find great joy in reading the different interpretations and view points on various privacy issues that occur in our global society, especially those that differ from my understanding or beliefs. I understand that as a privacy professional your goals differ from ours, but as  legal professionals it is our fiduciary duty to provide all possible risks and identify all possible issues. That is what this article does, it identifies issues and risks. As Peter pointed out, there are legitimate reasons that would likely make the processing proper regardless of whether consent was received or not. However, we would be doing a disservice to our audience and our clients if we did not mention that it is best practice (in our opinion) to be transparent upfront with a consumer and include language in the initial interactions that detail all foreseeable reasons one would need to process/store their information. I appreciate the opinion and perspective of a privacy professional, and I hope that you can at the very least respect the opinions and perspectives of legal professionals who for fiduciary purposes take a conservative approach to analyzing legislation and statutes.
  • comment Donald DeMayo • Apr 21, 2019 
    It appears that several privacy professionals have taken issue with this article.  The article does take a "conservative" approach, which is understandable.  However, the commentary is correct.  A manufacturer could properly rely on a legitimate interest basis for such processing (assuming transparency is achieved), which would accomplish two goals simultaneously:  it would obviate all the risks associated with consent; and it would prevent a "deletion/right to be forgotten" request from being applicable, as the basis for processing was not consent or contract.  Further , the manufacturer may not have collected the personal data from data subjects directly, further distancing a "right to be forgotten" request from being valid.  Here, the authors pay homage to the "false primacy" of consent, as if it were safer, or more valid than the other legal basis in the Regulation.  All six (6) of the legal basis provided in the Regulation (and listed in the article) are of equal merit, and they carry equal weight; there is no safety or primacy in seeking consent where it is not needed...just the opposite may result.
Related Stories
FISA Section 702's Reauthorization Era
For the past several months, news of the reauthorization of and potential amendments to Section 702 of the U.S. Foreign Intelligence Surveillance Act has had policy and privacy professioals on their toes. FISA Section 702, which authorizes limited warrantless surveillance of certain communications, ...
Read More queue Save This
Related Stories
Tags
Privacy Law
Recent Comments