TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Global recall: How the GDPR impacts product recalls Related reading: The AI Act's debiasing exception to the GDPR




On April 27, 2016, the European Parliament passed Regulation (EU) 2016/679, better known as the EU General Data Protection Regulation. The extensive consumer data privacy bill has an overarching goal to give European Union residents control over their personal data and to provide transparency between companies and consumers, causing wide-reaching effects on businesses and organizations worldwide. Further, many other jurisdictions have introduced their own consumer data privacy bills in line with the GDPR. Not all potential consequences of the GDPR (and similarly situated laws) are clearly evident quite yet, but companies nonetheless will encounter challenges in their dealings with consumers in the global marketplace, pursuant to the GDPR and other such regulations. One of the hidden consequences this new proliferation of consumer data privacy measures throughout the world will affect product liability matters, specifically concerning product recalls.

Conducting a product recall is extremely challenging for manufacturers. A recall is vital for a company to mitigate several harms, including liability exposure for injury, illness or property damage that could possibly occur from the use of its defective product, in addition to reputational damage. In conducting a recall, a company first must contact its distributors to halt the sale of the defective product. It then must notify possibly impacted consumers in an effort to prevent injuries from the dangers that the defective product poses. Depending on the risk of injury, the urgency to notify consumers of the recall may be high.

Manufacturers may publicize a product recall on their websites, in distributor’s stores, through the press and on social media. In addition, manufacturers are encouraged (and, at times, required) to provide direct notice of the product recall to consumers via mail, email, telephone call, or text message to individual customers possibly impacted by the defective product. In anticipation of potentially being required to properly notify consumers of a subsequent product recall, manufacturers must actively collect and maintain personal data of the purchasers of their products. However, with the GDPR and other consumer privacy laws in effect, manufacturers will face challenges in notifying consumers of product recalls due to the restrictions in collecting and storing consumer data.

The first issue manufacturers will face is changing the manner in which they collect, store and use the personal data of consumers. The GDPR requires companies to obtain consent through clear and plain language documents, absent of legalese, that inform the consumer what information is being collected, with whom it will be shared, and the purpose for collecting and storing it. This will translate to manufacturers being required to draft updated terms-of-sale agreements that detail what information will be collected and stored, in addition to their purposes for doing so. Beyond that, it would behoove manufacturers to include this language in their privacy policies or other forms accessible through their online platforms (potentially including terms of use and other documentation, depending on the particular type of product and possibly the company’s industry). From a conservative standpoint, these manufacturers should seek for consumers/customers to provide expressed consent to all terms contained in these forms.

Another issue facing manufacturers will be obtaining consumer’s personal information from their distributors. Generally, a company that does not interact with consumers directly, but rather furnishes products to distributors, would need to obtain customer lists from those distributors to notify the impacted consumers. This presents a challenge for manufacturers, due to the restrictions upon the transferring (or processing) of a consumer’s personal data. The transferring of personal data from the data controller to a third party under the GDPR (see GDPR Article 6 §1) is lawful only when:

  • Data subject has consented to that specific purpose.
  • Necessary for performance of contract to which data subject is a party.
  • Necessary for compliance under a legal obligation to which the controller is subject.
  • Necessary to protect the vital interests of the data subject or another natural person.
  • Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Necessary for the purposes of the legitimate interests pursued by the controller or by a third party; except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Since there are narrow circumstances under which a controller of data is legally permitted to transfer personal data to a third party, manufacturers will need to take steps as soon as a consumer purchases its products to ensure that a product recall will be possible at all. It will be best practice for a manufacturer to include (1) language in its contracts with distributors that obligates those distributors to be GDPR compliant; and (2) specific language in its terms of sale and other forms detailing that the distributor is obligated to transfer its consumer data to the company for a product recall. This will ensure that the distributor has received the consent of the consumer, enabling the controller to transfer that data to the third-party manufacturer so that it may use that data to conduct the product recall.

An additional, more overarching issue that manufacturers will face, regardless of the first two issues discussed above, will be what to do when an EU data subject exercises their “right to be forgotten” under the GDPR prior to a product recall. If a consumer exercises this right prior to a product recall, it would be impossible for a company to contact that individual regarding the defective product. It is too early to determine how a court would analyze liability in such a case, but if a company used all other avenues (press release, social media, etcetera) to notify the consumer, it may be able to mitigate liability for harm. However, that is a major issue that businesses will need to consider and to work through comprehensively.  

The GDPR has had wide-reaching effects, both anticipated and unanticipated by manufacturers. As similar legislation is passed and enacted in other jurisdictions, individual businesses and, on a larger scale, entire industries are discovering they must alter the manner in which they conduct business. Product recalls are an already complicated process requiring a great deal of planning. The GDPR requires manufacturers to begin thinking about recalling products much earlier in the process than they traditionally have. As more jurisdictions introduce their own versions of consumer privacy laws, manufacturers will have to move consumer data privacy concerns and action items at the top of their list of priorities.


Photo by Markus Spiske on Unsplash


If you want to comment on this post, you need to login.

  • comment Peter Dinsdale • Apr 9, 2019
    There are a few issues with this article, which don't reflect my understanding of GDPR.
    1) "The GDPR requires companies to obtain consent through clear and plain language documents, absent of legalese, that inform the consumer what information is being collected, with whom it will be shared, and the purpose for collecting and storing it."
     - This isn't the case. It requires companies to inform consumers about the data processing, but it doesn't necessarily require consent. In fact, if the consumer's data is being collected for delivery of the product, it is likely being processed under Art 6(1)(b) - necessary for the performance of a contract. Please do not conflate the transparency requirements and the need for a lawful basis for processing.
    2) "Another issue facing manufacturers will be obtaining consumer’s personal information from their distributors."
     - Even if it isn't considered part of the contractual obligations to the consumers, there is a very strong case for legitimate interests to be used as a basis for this processing. Alternatively, just get the distributors to issue the recall notices to the consumers, if this is viable.
    3) "An additional, more overarching issue that manufacturers will face, regardless of the first two issues discussed above, will be what to do when an EU data subject exercises their “right to be forgotten” under the GDPR prior to a product recall. "
     - This fails to acknowledge that the right to erasure is not absolute, and only applies under certain conditions. If the data is still required for the purposes of the contract, in the event of a product recall, or for other legitimate grounds, then the right to erasure request does not necessarily need to be actioned.
  • comment Jason Albuery • Apr 9, 2019
    I would agree with Peter that consent would not likely be the primary mechanism for processing their data and in the event of a recall, Legitimate Interests would be a viable method for processing data.  As a data subject would you be offended if a manufacture notified you of a recall for a faulty product that could cause you or others injury but you hadn’t given them consent to do so.  Not sure how the reverse would work if you got injured but had not been notified.  Surely the manufacturer has a duty of care to its customers if it finds fault with its products. 
    When EU data subject exercises their “right to be forgotten” under GDPR I have found that this is a method used to stop receiving unwarranted marketing.  If that is the case then much better to add the data subject to a suppression list if you still have a valid reason such as a contract, warranty or financial reasons for processing their data.
  • comment Derrick Maultsby • Apr 9, 2019
    Peter, thank you for your comment. This article is raising issues manufacturers will have to think about and discuss. We approach all of our interpretation of legislation from a conservative standpoint. Nevertheless, your points are valid and I will answer each in turn:
     1) We are not attempting to conflate anything. While we know there are exceptions to this consent rule, we practice conservatism. As we expressly say in our article, "From a conservative standpoint, these manufacturers should seek for consumers/customers to provide expressed consent to all terms contained in these forms." We fully understand the exceptions may bar this practice, but we would never advise someone to take an unnecessary risk. I firmly believe it is best practice that all consumer facing forms are updated in light of the GDPR, and companies seek the consent of consumers to those policies or forward the updated versions to them to place the consumer on notice. 
    2)As you see we list the circumstances in which a controller may process a data subjects information, and I concur there is a strong case for legitimate interest. However, it behooves a company to simply just get consent. Then they do not have to argue legitimate interest, because they will have evidence of the consent. 
    3) Once again, I agree. However, it is an issue that needs to be raised in order for companies to identify they do not need to erase this data due to legitimate grounds. There are also significant repercussions if a retailer erases the information (not thinking of product recalls) prior to the retailer/distributor processing the information to the manufacturer. By raising this issue, the distribution contracts can address this issue putting all parties on notice of the legitimate interest. 
    Once again, I appreciate the comment. When drafting articles with a word limit, it is often hard to cover everything especially with such a grand piece of legislation. We believe these are all issues that have solutions, some of which you raised. These issues we discuss are all challenges that will alter how manufacturers have conducted the practice of recalls for years prior to the GDPR's introduction and implementation.
  • comment David Draycott • Apr 10, 2019
    I am disappointed that the IAPP has put out such an article. Privacy Professionals are attempting to calm things down for our customers, articles like this seem to throw petrol on the fire. If the product recall is in the customers best interest then I fail to believe any legislation would attempt to restrict the processing. To suggest if "consent" was not collected in the first instance and that the data may be processed in the event of a product recall (this toaster catches fire due to faulty wiring) seems to be a crazy perspective. Common sense must prevail....and Peter is correct another lawful basis would prevail...
  • comment Derrick Maultsby • Apr 10, 2019
    David, thank you for your comment. I must start by saying IAPP is a place for different perspectives to come together and analyze issues. I find great joy in reading the different interpretations and view points on various privacy issues that occur in our global society, especially those that differ from my understanding or beliefs. I understand that as a privacy professional your goals differ from ours, but as  legal professionals it is our fiduciary duty to provide all possible risks and identify all possible issues. That is what this article does, it identifies issues and risks. As Peter pointed out, there are legitimate reasons that would likely make the processing proper regardless of whether consent was received or not. However, we would be doing a disservice to our audience and our clients if we did not mention that it is best practice (in our opinion) to be transparent upfront with a consumer and include language in the initial interactions that detail all foreseeable reasons one would need to process/store their information. I appreciate the opinion and perspective of a privacy professional, and I hope that you can at the very least respect the opinions and perspectives of legal professionals who for fiduciary purposes take a conservative approach to analyzing legislation and statutes.
  • comment Donald DeMayo • Apr 21, 2019
    It appears that several privacy professionals have taken issue with this article.  The article does take a "conservative" approach, which is understandable.  However, the commentary is correct.  A manufacturer could properly rely on a legitimate interest basis for such processing (assuming transparency is achieved), which would accomplish two goals simultaneously:  it would obviate all the risks associated with consent; and it would prevent a "deletion/right to be forgotten" request from being applicable, as the basis for processing was not consent or contract.  Further , the manufacturer may not have collected the personal data from data subjects directly, further distancing a "right to be forgotten" request from being valid.  Here, the authors pay homage to the "false primacy" of consent, as if it were safer, or more valid than the other legal basis in the Regulation.  All six (6) of the legal basis provided in the Regulation (and listed in the article) are of equal merit, and they carry equal weight; there is no safety or primacy in seeking consent where it is not needed...just the opposite may result.