Currently, under the Data Protection Directive, each instance of data processing requires a legal justification – a “ground for processing”. This fundamental feature of EU data protection law will remain unchanged under the Regulation. However, the bar for showing the existence of certain grounds for processing will be set higher. This is especially true with regards to consent.
Stringent new consent rules
The Regulation lays out strict new conditions for obtaining valid consent from the data subject.
For starters, if consent is given in a written document, and that document also concerns other matters (e.g. terms of service), then the request for consent must be presented in a form that is distinguishable from the rest of the document. It must also be formulated in clear and plain language. For many companies, this will require reviewing existing contracts, general terms and conditions, and other documents to clearly distinguish the consent portion and ensure it is written in layman’s terms. In addition, the Regulation requires that it be “as easy to withdraw consent as to give it” at any time the data subject wishes.
Consent must also be given freely. The Regulation flags up the common practice of making consent to data processing a condition for performance of a contract (like the provision of a service), even when such data processing is not necessary to performance. While the Regulation does not clearly outlaw this practice, it warns that “the utmost account” will be taken of such facts in determining whether consent was truly freely given. This may prove a significant hurdle for many companies. This provision will also, in all likelihood, cover situations of power imbalance, such as an employer-employee relationship, where the employee might feel that consent to data processing is not truly optional.
One grey area remains: the Regulation does not state clearly whether implied consent (i.e. consent inferred from the conduct of the individual) will be valid or not. The text defines consent as a specific, informed, and unambiguous indication of the subject’s wishes – and adds that it can be given “by a statement or by a clear affirmative action”. This suggests that consent may be construed from the subject’s actions, but that it will be subject to a strict test: those actions will have to be a clear manifestation of intent. The negotiation process that led to the adoption of the Regulation also sheds light on this. The Council’s draft initially required all consent to be “explicit”, but the final text does not. Tellingly, “explicit consent” is required where sensitive categories of personal data are concerned; but all other types of personal data processing require only “consent”. This suggests there will remain some place, however limited, for implied consent.
Protection of children
Children benefit from additional protection under the Regulation. Any consent given by a child (the cutoff age may vary from 13 to 16 depending on the Member State concerned) in an online context will only be valid if it is either given or authorised by the child’s legal guardian. The data controller also has the responsibility to make reasonable efforts to verify that consent was in fact given by the child’s legal guardian.
Other grounds for data processing
Contrary to popular belief, a data subject’s consent is not the most frequent justification for the use of personal data. A valid ground for data processing is where it is necessary for the performance of a contract concluded with the data subject or, prior to entering into a contract, if the data subject has requested that pre-contractual activities be undertaken.
Another basis, which is significant from a practical point of view, is where the processing is undertaken by the data controller in order to comply with a legal obligation.
Crucially, both the Data Protection Directive and the Regulation also contain a provision under which a controller can justify data processing on the basis of pursuing his/her/the company’s legitimate interests. When relying on this ground, those legitimate interests should be weighed against the fundamental rights and freedoms of the individual. Only when those rights do not override the legitimate interests of the controller are such legitimate interests a valid ground for processing. This balancing must be carefully assessed in practice in order for the controller to be confident that it provides a solid ground for on-going data processing activities.
Sensitive personal data
Under the Regulation, a special category of personal data – termed “sensitive personal data” – will continue to enjoy a higher level of protection. The types of information regarded as sensitive are expressly listed: they include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning a person’s health or sex life. The GDPR also adds new categories to those already protected under the Data Protection Directive: genetic data and biometric data where they are processed in order to uniquely identify a person.
The peculiarity of sensitive personal data is that, as a rule, its processing is prohibited, unless certain specifically listed exceptions apply. These include the consent of the data subject or the fact that the data subject has made the information public. Another justification for processing of sensitive personal data is the need to use such data in the establishment, exercise, or defence of legal claims. Some new processing grounds are added in the Regulation: the processing of sensitive data can be justified for reasons of substantial public interest, for individual health purposes, public health reasons, or for archiving, scientific, historical, or statistical purposes linked to the public interest. One must remember, however, that any exception to the general rule prohibiting the processing of personal data will be interpreted narrowly.
Other special categories of data
The GDPR provides additional safeguards in connection with the processing of data relating to criminal convictions and offences, as well as processing for historical, statistical and scientific research purposes. Member States are also free to adopt further safeguards for the processing of genetic, biometric, and health data.
Cessation of processing
The processing of personal data is both “purposelimited” and “storage-limited”: it can be carried out only for a specific purpose, cannot be stored longer than necessary for that purpose, and cannot be further processed in a way incompatible with that purpose.
What to do now
- Businesses will need to review their existing templates and procedures to ensure any consents requested from data subjects are easy to understand and clearly distinguished from other terms and conditions.
- Businesses processing personal data of minors under 13 on the basis of consent will need to prepare strategies for obtaining guardian consents or authorisations.
- Controllers in positions of power over the data subject (such as employers), or controllers who condition the provision of services on user consent to data processing, will need to minimise reliance on such consent.
This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.” To access the full guide, click here.