Under the Data Protection Directive, each instance of data processing requires a legal justification – a “ground for processing”. This fundamental feature of EU data protection law remains unchanged under the draft Regulation. However, the bar for showing the existence of certain grounds for processing will be set higher, particularly in relation to consent.
Stringent and uncertain consent rules
For starters, under the draft Regulation, if the data subject’s consent is given in a written document, and that document also concerns other matters (e.g. terms of service), the consent must be presented in a form that is distinguishable from the remaining contents of that document. This will result in the need to review existing contracts, general terms and conditions and other existing documents, in order to differentiate the consent language from the remaining subject matter.
The draft Regulation does not clarify whether implied consent (i.e. consent inferred from the conduct of the individual) will be valid or not. The reference to “clear affirmative action” in the definition of consent in the draft Regulation points towards the rejection of implied consent. However, the deletion of the word “explicit” from that definition in the Council draft, and the fact that the same draft distinguishes between “explicit consent” for special categories of personal data and plain “consent” for other types of personal data, open the window to a potential acceptance of implied consent in the final text of the Regulation.
Consent not freely-given and significant imbalance of positions
To be valid, consent must be freely given. This means that the individual must have a free choice to accept (or not accept) the proposed uses of personal data. In the Commission draft, one of the cases where consent may not be regarded as free is where there is a “significant imbalance” between the positions of the data subject and the controller. This may prove a significant hurdle in contexts where the respective positions of the parties are inherently unequal, such as the employee-employer relationship.
Protection of children
Any consent given by a child under 13 in an online context will only be valid, according to the Commission draft, if that consent is either given or authorised by that child’s legal guardian. The other drafts extend that requirement beyond the online context, to cover situations where any goods or services are offered directly to a child under 13.
Processing not based on consent
Contrary to popular belief, a data subject’s consent is not the most frequent justification for the use of personal data. A valid ground for processing operations is where the data processing activities are necessary for the performance of a contract concluded with the data subject or, prior to entering into a contract, where the data subject has requested that pre-contractual activities be undertaken.
A further basis for processing, which is significant from a practical point of view, is where the processing is undertaken in order to comply with an obligation imposed on the controller by applicable law.
Crucially, both the Data Protection Directive and the draft Regulation contain a provision under which the legitimate interests pursued by a controller can justify the data processing. When relying on this ground, those legitimate interests must be weighed against the fundamental rights and freedoms of the individual. Only where such rights do not override the legitimate interests of the controller are those legitimate interests a valid ground for processing. This balancing test between the controller’s legitimate interests and the rights of individuals must be carefully assessed, and documented, in practice in order to be confident that it provides a solid ground for ongoing data processing activities.
Sensitive personal data
Under the Regulation, a special category of personal data – so-called sensitive personal data – will continue to enjoy a higher level of protection. The types of information that are regarded as sensitive personal data are expressly enumerated and include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs and trade-union membership, as well as data concerning health or sex life. The draft Regulation adds certain new categories to the existing list under the Data Protection Directive, including genetic data and data about criminal convictions or related security measures.
The peculiarity of sensitive personal data is that, as a rule, its processing is prohibited unless one of the specifically listed exceptions applies. These include the consent of the data subject and the fact that the data subject has made the data public. Another justification for the processing of sensitive personal data is the need to use such data in the establishment, exercise or defence of legal claims. A new processing ground is proposed in the Parliament draft: the processing of sensitive data would be justified if it is necessary to perform a contract concluded with the data subject or, prior to entering into a contract, if the data subject requested that pre-contractual activities be undertaken. One must remember, however, that any exception to the general rule prohibiting the processing of sensitive personal data will be interpreted narrowly.
Other special categories of data
The draft Regulation provides additional safeguards in connection with the processing of health-related data as well as the processing of personal data for historical, statistical and scientific research purposes.
Cessation of processing
The processing of personal data must cease once the ground that justified the processing activities no longer applies, unless another justification for the data processing is still valid.
What to do now
- Businesses will need to review existing templates and procedures to ensure any consents are clearly distinguished.
- Businesses processing personal data of minors under 13 on the basis of consents will need to prepare strategies for obtaining guardian consents or authorisations.
- Employers and other controllers in positions of significant imbalance of powers will need to minimise the need for obtaining employee or other similarly positioned data subjects’ consent.
This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”