The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations.
Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.
With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few, the GDPR requires companies handling EU citizens’ data to undertake major operational reform.
This is the third in a series of articles addressing the top 10 operational impacts of the GDPR. Find Parts 1 and 2 here.
GDPR enhances requirements for obtaining data subject consent
Consent remains a lawful basis to transfer personal data under the GDPR; however, the definition of consent is significantly restricted. Where Directive 95/46/EC allowed controllers to rely on implicit and “opt-out” consent in some circumstances, the GDPR requires the data subject to signal agreement by “a statement or a clear affirmative action.” The new law maintains the distinct requirements for processing “special categories of personal data” that were present in the Directive, but it expands the range of what is included in those special categories. Finally, the GDPR introduces restrictions on the ability of children to consent to data processing without parental authorization. This article addresses each of these GDPR consent provisions in turn.
GDPR mandates affirmative consent for data processing
Under the GDPR, consent must be “freely given, specific, informed and unambiguous.” There was uncertainty leading up to this final draft whether the EU would settle on “unambiguous” consent as required by the Directive, or the higher standard of “explicit” consent. The final draft has staked out a middle position, on the one hand opting for unambiguous consent, while on the other hand requiring such consent to be expressed “by a statement or by a clear affirmative action.” Recital 32 clarifies that an affirmative action signaling consent may include ticking a box on a website, “choosing technical settings for information society services,” or “another statement or conduct” that clearly indicates assent to the processing. “Silence, pre-ticked boxes or inactivity,” however, is presumed inadequate to confer consent.
[quote]“Silence, pre-ticked boxes or inactivity,” however, is presumed inadequate to confer consent.[/quote]
The GDPR, therefore, creates additional hurdles for consent over what was required by the Directive. As interpreted by the Article 29 Working Party’s Opinion 15/2011 on the definition of consent, the Directive required the controller to provide “accurate and full information on all relevant issues,” including the nature of the data that will be processed, the purposes of processing, the identity of the controller, and the identity of any other recipients of the data. Consent had to be specific to the processing operations and the controller could not request open-ended or blanket consent to cover future processing. Significantly, while consent could be satisfied by an express statement, it also could be inferred from an action or inaction in circumstances where the action or inaction clearly signified consent. Thus, the Directive left open the possibility of “opt-out” consent.
The GDPR removes that possibility by requiring the data subject to make a statement or clear affirmative action. In particular, the GDPR includes three additional requirements:
First, Article 7(3) of the GDPR gives data subjects the right to withdraw consent at any time and “it shall be as easy to withdraw consent as to give it.” Controllers must inform data subjects of the right to withdraw before consent is given. Once consent is withdrawn, data subjects have the right to have their personal data erased and no longer used for processing.
Second, in Recital 43, the GDPR adds a presumption that consent is not freely given if there is “a clear imbalance between the data subject and the controller, in particular where the controller is a public authority.” Importantly, a controller may not make a service conditional upon consent, unless the processing is necessary for the service.
Third, the GDPR adds that consent must be specific to each data processing operation. To meet the specificity requirement under Article 7, a request for consent to data processing must be “clearly distinguishable” from any other matters in a written document, and it must be provided “in an intelligible and easily accessible form, using clear and plain language.” However, the law exempts controllers from obtaining consent for subsequent processing operations if the operations are “compatible.” Recital 50 states that compatibility is determined by looking at factors including the link between the processing purposes, the reasonable expectations of the data subject, the nature and consequences of further processing, and the existence of appropriate safeguards for the data.
Under Article 5(1)(b), additional processing for archiving in the public interest (as defined by the member state), statistical purposes or scientific and historical research generally will be considered compatible, and, therefore, exempt from specific consent. This exception potentially is quite broad. Where it applies, under Article 89, controllers will not have to erase or rectify data after the data subject has withdrawn consent. It also impacts restrictions on processing, data portability and the data subject’s rights to object to and to be notified of processing operations. (The broader contours of this exception will be further discussed in a forthcoming article on the rules for research in the GDPR.)
Although the GDPR removes the possibility of “opt-out” consent by forbidding silence, inactivity, and pre-ticked boxes as a means of providing consent, Recital 32 states that the data subject may consent by “choosing technical settings for information society services.” It remains to be seen how this provision will be interpreted, but the language may leave intact the provisions of the e-Privacy Directive relating to cookies and other tracking technologies. Specifically, Article 5(3) of that Directive states that, generally, a data subject must provide specific, informed consent to the use of cookies or comparable tracking technology. However, Recital 66 provides an exception where cookies are “strictly necessary for the legitimate purpose of enabling the use of a specific service requested by the subscriber or user.” It also provides that “the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.” Under the Article 29 Working Party’s interpretation of this provision, the browser settings exception applies only if the browser’s default rejects the placement of cookies, thereby requiring the user to actively opt-in to receiving cookies. This interpretation may accord with the GDPR’s language requiring “a clear affirmative action.”
Whenever a controller relies on consent as a basis for processing, under Article 7(1), the controller bears the burden of demonstrating that consent was obtained lawfully according to the principles above.
GDPR requires explicit consent for special categories of personal data
GDPR Article 9 requires a higher level of consent – “explicit” consent – for the processing of “special categories of personal data.” These special categories relate to personal data that are “particularly sensitive in relation to fundamental rights and freedoms” and, therefore, “deserve specific protection.” They include data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.”
The standard for explicit consent likely remains the same as under Directive 95/46/EC, which also required controllers to obtain explicit consent for processing special categories of personal data. Under the Directive, the Article 29 Working Party defined explicit consent as “all situations where individuals are presented with a proposal to agree or disagree to a particular use or disclosure of their personal information and they respond actively to the question, orally or in writing.” Thus, a user’s conduct or choice of browser settings probably will not be sufficient to meet this high bar. The GDPR also allows member states to enact laws that restrict the processing of some categories of data even if the data subject explicitly consents.
[quote]The GDPR also allows member states to enact laws that restrict the processing of some categories of data even if the data subject explicitly consents.[/quote]
The only distinction between the Directive and the GDPR on this issue is that the GDPR expands the definition of sensitive data to include genetic data, biometric data, and data concerning sexual orientation. Genetic data is defined, under Article 4, as “personal data relating to the inherited or acquired genetic characteristics of natural persons which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.” Biometric data is personal data that identifies an individual based on the “specific technical processing” of the individual’s physical or behavioral characteristics. Recital 51 notes that photographs will qualify as biometric data only when they are processed “through a specific technical means allowing the unique identification or authentication of a natural person.”
GDPR requires parental consent for processing children’s personal data
In Article 8, the GDPR introduces specific protections for children by limiting their ability to consent to data processing without parental authorization. Previous drafts of the regulation set the age of consent at 13 years old, which would have been consistent with the age of consent set by COPPA in the U.S. However, a last-minute proposal aimed to raise the age of consent to 16 years old. After the last round of trilogue negotiations, the final draft opted for the age of consent to be set at 16 years, but it allows member states to set a lower age not below 13 years. Thus, unless otherwise provided by member state law, controllers must obtain the consent of a parent or guardian when processing the personal data of a child under the age of 16. They also must make “reasonable efforts” to verify that a parent or guardian has provided the appropriate consent. Differing rules on the age of consent in EU member states, as well as between the EU standard and the COPPA age 13 rule applicable in the U.S., could create significant challenges for companies that offer international services. It is unclear whether member states will act together on this issue. At this time, at least one member state, the UK, has vowed to lower its age of consent to 13.
Other Provisions
Consent features in a variety of other sections of the regulation. For example, under the right to erasure, in Article 17, the data subject has the right to have the controller erase her data if she withdraws consent and the processing had been based on her consent. Under Article 18, where the data subject exercises her right to restrict data processing, the controller may only continue to process the data if it obtains the data subject’s consent or if processing is necessary for a legal claim. Article 20 grants the data subject the right to receive all the personal data about her in the controller’s possession where the processing is based on her consent. In these circumstances, the required level of consent is “unambiguous” consent.
The GDPR requires the data subject’s explicit consent in two other circumstances. Under Article 22, controllers need to obtain explicit consent to make decisions about the data subject “based solely on automated processing, including profiling.” Controllers also must seek explicit consent, under Article 49, to authorize transfers of personal data to countries that do not provide an adequate level of protection, if no other transfer mechanism is in place.
Penalties
The GDPR provides for two different levels of administrative penalties. Some violations are subject to fines up to 10,000,000 EUR or up to two percent of global annual turnover, while for other violations, those maximums are doubled to 20,000,000 EUR or four percent of global turnover. Violation of the rules around consent generally subject controllers to the higher level of fines, but violations of the rules concerning age of consent are subject to the lower level of penalties.
Photo credit: checked_tick via photopin (license)