Getting to know the General Data Protection Regulation, Part 3 – If you receive personal data from a third party, you may need to "re-think" your legal justification for processing it
Posted on 13 November 2015 (updated 4 March 2016).
One of the most hotly debated issues of the new General Data Protection Regulation (GDPR) is that of consent. The controversy arises from the proposed stricter requirements for consent and reforms to the so-called “legitimate interests” grounds.
While the “consent” and “legitimate interests” grounds are just two of a number of grounds for justifying the processing of personal data, they are the grounds that are most commonly relied upon for the purposes of the Directive. The proposals under the GDPR with regard to these data processing grounds could have serious practical implications for business.
What does the law require today?
At present, in order to validly obtain consent, businesses need to provide sufficient information to individuals about how and why they process their personal data and provide a mechanism whereby individuals can indicate their consent. In this sense, consent can be implied under the Directive and it is only in specific cases, such as the processing of sensitive personal data (i.e. data that can reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or data relating to the data subject’s health or sex life) that consent needs to be explicit.
The ‘legitimate interests’ condition provides grounds to process personal data in a situation where a business needs to do so for the purpose of its own legitimate interests or the legitimate interests of the third party to whom the information is disclosed. The legitimate interests of the business or the third party must be balanced against any prejudice to the rights and freedoms or legitimate interests of the individual whose data is being processed.
In a number of jurisdictions, including the UK, the “legitimate interests” condition provides a degree of data processing flexibility that might not otherwise exist. On the other hand, some DPAs have taken a more restrictive approach – for example, the Spanish data protection regulator considers that personal data should only be processed for the purposes for which it was collected, with very limited exceptions.
Nevertheless, the Directive offers a business-friendly approach that has been somewhat re-defined by the GDPR.
What will the General Data Protection Regulation require?
During the drafting process, the Commission proposed (and the Parliament agreed) that consent should always be “explicit, freely given, specific and informed”. It also noted that consent should be obtained through a statement or “clear affirmative action”, that it could be withdrawn at any given time by the data subject, and that it would not be legally valid if there is “a significant imbalance between the position of data subject and the controller”.
On the other hand, the Council suggested that consent under the GDPR need not be “explicit” – it need only be “unambiguous”.
After much debate, the proposal from the European Parliament that, where processing is based on the data subject’s consent, such consent must be “explicit” (i.e. opt-in) was dropped in the compromise text of the GDPR. Instead, the “explicit” consent requirement applies when relying on consent in the context of processing sensitive personal data (as is the case under the Directive today).
The GDPR expressly defines the term “data subject’s consent” to require that it must always be unambiguous. It also establishes other requirements which include the need for “consent” to be (i) informed, (ii) freely given, (iii) expressed through a clear affirmative action and (iv) clearly distinguishable from other matters. The GDPR also warns that consent will not be considered legally valid if there is “a significant imbalance between the position of data subject and the controller”.
Extra requirements are also set out in relation to obtaining the consent of minors. Also, more types of data (such as biometric data) are included in the category of “sensitive data”, the processing of which requires “explicit” consent. In addition, the GDPR requires companies to demonstrate that they have effectively obtained users’ consent – which could imply a significant practical burden on businesses.
Given the increased difficulty of relying on consent, the possibility of relying on the “legitimate interests” ground will be crucial from a business perspective.
During the drafting process of the GDPR, the Commission and Parliament suggested individuals’ data can only be processed: (i) for a purpose to which they have consented; or (ii) for such legitimate interests of the controller or relevant third parties as individuals could reasonably expect.
On the other hand, the Council proposed a more business-orientated approach, which would allow controllers and processors alike to process data on the “legitimate interests” ground even for purposes that are incompatible with the original purposes of the processing, provided that the interests or the fundamental rights and freedoms of the individual are not overriding.
The agreed text of the GDPR establishes that processing is still permitted if it is in the legitimate interests of a controller (including of a controller to which the data may be disclosed) or of a third party, provided that those legitimate interests are not overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.
In practice, this means companies will need to be careful in assessing if a legitimate interest exists by taking into account, among other things, the data subject’s reasonable expectations at the time that processing takes place and the specific examples that the GDPR lists of when a legitimate interest may arise (which include, for example, processing of data for the purposes of preventing fraud or for direct marketing).
What are the practical implications?
Even though the mechanisms to obtain consent have not hugely varied under the GDPR, a significant burden of proof has been placed upon the controller to evidence that it has obtained valid consent for each processing activity (so businesses will need to keep track of the consents users give and withdraw in a thorough and orderly manner). This development will undoubtedly have a material business impact.
Moreover, businesses will have to decide what legal grounds they wish to rely on for their processing activities, as consent, legitimate interest or other legal grounds (such as a legal obligation, public interest or vital interests) could all, potentially, have significant practical implications. For example, where processing is based on the legitimate interests ground, businesses will need to inform the individual (e.g. in their data protection notices) about the legitimate interests upon which they are seeking to rely.
So, what can businesses do now?
Start auditing all their various uses of data;
Understand the grounds on which they collect and use data;
Identify the mechanisms through which individuals’ consents are obtained and through which they are informed of the grounds relied upon to process their data; and
Assess whether these grounds remain valid under the GDPR and, if not (or if those grounds become marginalised) have in place plans to transition to new grounds.