Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Some thoughts on consent and legitimate interest under the GDPR


Published on

Please note that some comments/thoughts are typical for Belgium (repealed legislation).

Published in: Law

Some thoughts on consent and legitimate interest under the GDPR

  1. 1. Some thoughts on consent and legitimate interest DPO Circle – Solvay Graduation Ceremony Brussels – 18 September 2018
  2. 2. CONSENT: WHAT’S NEW? • Consent • Reinforced definition of consent • Consent must be based on a declaration or affirmative action • Consent can still be implicit, except if based on omission • Prohibition on bundling consents • Separate consents for separate matters • Practical difficulty: data subject do not understand the need for multiple consents • Right to retract consent • Permanent uncertainty in relation to data processing activities • Consent has lost importance as basis for processing activities 2
  3. 3. CONSENT: FREQUENT MISTAKES • Mixing up consent under the GDPR with consents under separate legislation • Direct marketing by e-mail towards persons that are not customer requires consent (soft opt-in regime) • Separate consent and separate opt-out • Opt-out on data collection for direct marketing purposes is obsolete • First communication requires specific information to the data subjects • Bundling consents • Asking consent for privacy statements • Article 13 & 14 of the GDPR are unilateral information obligations
  4. 4. LEGITIMATE INTEREST: WHAT’S NEW? • Whose legitimate interest? • Controller or a third party • Data subject interests cannot be invoked • GDPR considerations identify several legitimate interests • Impact of legitimate interest on data subject rights • Exclusion of data portability • Right to object on specific grounds • Privacy statement requirements • Identify the invoked legitimate interest • Additional communication obligation • Mention the right to object in the first communication
  5. 5. LEGITIMATE INTEREST: FREQUENT MISTAKES • Balancing test must be in favour of controller • Not overridden = at least in balance • Consent under separate legislation excludes legitimate interest as a legal ground • Direct marketing legislation • Effect should be opposite: reasonable expectations • Legitimate interest is not identified in the privacy statement • A documented balancing test is not available • Freedom to undertake is a generic, low weight interest
  6. 6. HOW TO PERFORM A BALANCING TEST? • Step 1: Identifying the interests of the stakeholders • Identify the legitimate interests of the controller or the third party • Identify the fundamental rights and freedoms and interests of the data subject • Step 2: Assess the impact of the intended processing activity • Negative impact • Positive impact • Step 3: Assess the (provisional) balance • Step 4 (if step 3 is negative): include additional safeguards to ensure the balance between interests • Document balancing test, unless outcome is manifestly positive
  7. 7. STEP 1: THE INTERESTS TO BE ASSESSED • Identify controller and third party interests • Benefit derived from the processing activity • Typical examples • Direct marketing • Freedom to undertake (article III.2 of the Code of Economic Law) • Fraud detection and prevention • Whistleblowing schemes • Credit checks • Information security • Research purposes • Claims management and enforcement of claims • Publication of data for transparency and accountability • Legitimate interest
  8. 8. STEP 1: THE INTERESTS TO BE ASSESSED • Step 1: Identifying the fundamental rights and freedoms and interests of the data subject • Right to privacy • Right to protection of personal data • Right to liberty and security • Right of access to public documents • Right to freedom of expression and information • Right to property • Interest not to be harmed physically, psychologically and/or financially • No requirement of legitimate interests
  9. 9. STEP 2: ASSESSING THE IMPACT OF THE PROCESSING • Key criteria for impact assessment • Impact as such • Nature of the data • Data processing activities • Reasonable expectations • Status of the controller and the data subject • Specific focus on children and (implicitly) vulnerable data subjects
  10. 10. STEP 2: ASSESSING THE IMPACT OF THE PROCESSING • Impact of the processing activities • Impact ≠ harm • Impact = consequences of the processing • Negative and positive impact • Risk methodology • Likelihood • Severity • Quantitative approach? • Older guidance: no • Still relevant with broader right to object?
  11. 11. STEP 2: ASSESSING THE IMPACT OF THE PROCESSING • Likelihood • Negligible (1): threat does not appear possible or at least very unlikely to happen • Limited (2): difficult to realize threat • Significant (3): threat appears to be possible • Maximum (4): threat is easy to realize • Severity levels • Negligible (1): no effect on data subject or only minor inconvenience (e.g. waste of time, annoyance, …) • Limited (2): significant inconvenience (extra costs, loss of service, fear, serious stress, …) • Significant (3): significant consequences that data subjects may still overcome (consequences of identity theft, loss of employment, blacklisting, …) • Maximum (4): significant consequence that may be irreversible or that data subject cannot overcome (long-term illness, inability to work, irreversible blacklisting, …)
  12. 12. STEP 2: ASSESSING THE IMPACT OF THE PROCESSING • Nature of the personal data • Generic personal data • Public data • Highly sensitive personal data • Data processing activities • Scale • Combination of personal data • Publication of personal data • Disclosure to a large group of recipients
  13. 13. STEP 2: ASSESSING THE IMPACT OF THE PROCESSING • Reasonable expectations of the data subject • Expectations of the data subject are a key element in the balancing test: the more a data subject expects the processing, the more likely the processing will pass the balancing test • Status of the controller and the data subject • Mainly status of the data subject • Vulnerable data subjects • ‘Protected persons’, e.g. consumers, minors, … • Data subjects acting in a professional capacity
  14. 14. STEP 3: PROVISIONAL BALANCE • Outcome of the analysis of step 1 and 2 • At least a balance: no further steps required • Imbalance weighing against the controller: • Assess whether changes to the processing activity may result in a balance • Assess whether additional safeguards may be implemented to create a balanced situation • In short: reverse-engineer to obtain a balance or abandon legitimate interest as legal ground
  15. 15. STEP 4: ADDITIONAL SAFEGUARDS • Provisional balance is negative: implement additional safeguards • Increased transparency • Additional data subject rights • Removing conditions for data subject rights • Facilitating access to data subject rights • Asking consent? • Privacy enhancing technologies, privacy by design, data protection impact assessments? • Data obfuscation?
  16. 16. DATA SUBJECT RIGHTS • Right to object • General right to object • Applies to all purposes but only when specific legal grounds are invoked • Specific right to object to processing of personal data for marketing purposes (“opt-out”) • Applies only to direct marketing purposes irrespective of the legal ground • Transparency obligation • Article 13 and 14 GDPR: existence of these rights • Article 21 GDPR: “confirmation” of the existence of these rights • At the latest at the time of the first communication • Explicit confirmation • Clear and separate from any other information
  17. 17. DATA SUBJECT RIGHTS • General right to object • Grounds relating to his or her particular situation • Restricted to certain legal grounds for processing • General interest • Legitimate interest • No automatic application • Data subject has to adduce evidence of grounds relating to his particular situation • Controller may override • Compelling legitimate grounds • Establishment, exercise or defence of legal claims
  18. 18. DATA SUBJECT RIGHTS • Specific right to object to processing of personal data for marketing purposes • Limited to marketing purposes • No restrictions in terms of legal grounds for processing • No further conditions • At any time • Free of charge • No reasons required
  19. 19. CONCLUSION ❖ Major changes to the definition of consent ❖ Subtle impact on processing activities ❖ Right to withdraw consent severely restricts the use of consent as a legal ground ❖ Subtle changes to legitimate interest ❖ Major impact on processing activities based on legitimate interest ❖ Easier objection = more success in balancing test? ❖ Changes in transparency requirements for indirect data collection facilitates legitimate interest and indirect data collection (e.g. data brokerage) 19
  20. 20. USE CONSENT OR USE LEGITIMATE INTEREST? … THAT’S NOT EVEN A QUESTION. Johan Vandendriessche ICT & Data Protection Lawyer | Partner | External DPO| Erkelens Law Visiting Professor ICT and Data Protection Law | UGent | HoWest Guest Lecturer Information Security Law | Solvay Brussels School +32 486 366 234