Last Wednesday, President Trump signed an immigration-related Executive Order (EO) titled “Enhancing Public Safety in the Interior of the United States” that, among other...30 January 2017
Article 29 Working Party Guidelines on Consent will Lead to More Pop-ups
What emerges from the guidelines is first that data controllers should be wary of relying too much on consent as a basis for processing, particularly when other justifications for the processing may suffice under the directive. It is tempting in some cases to apply a “belt and suspenders” approach by asking data subjects for their consent even when another legal justification for the processing would suffice by itself. The guidelines point out that requesting consent in these circumstances might be a “false good solution”, and create awkward situations when a consent is withdrawn while the data controller still has legitimate grounds to pursue the processing of data.
Another important lesson that emerges from the consent guidelines is that consent must be sufficiently granular to show that the individual specifically gave his or her consent to each type of processing that is envisaged by the data controller. According to their Article 29 Working Party, a general consent to any and all transfers to unspecified third parties would not be sufficiently specific to constitute valid consent. The Article 29 Working Party pointed to the 2010 opinion of the Advocate General in a case involving agricultural funds in Europe, in which the Advocate General held that a broad consent in the fund’s terms and conditions was not sufficiently precise to conclude that the beneficiary of the fund had given unambiguous consent to the publication of his or her name.
The guidelines helpfully remind us also that consent can, in some cases, be implicit. For example, if an online merchant asks a consumer to provide personal information and the consumer provides it, the consumer will have implicitly consented to the merchant’s use of that information in order to process orders and deliver the goods and services ordered by the consumer. There is no need for a separate consent because the purpose for which the consumer provided the information is obviously to permit the merchant to provide the online goods and services and such processing is therefore reasonably expected by the consumer. On the other hand, if the merchant wishes to use the data for another purpose, such as selling behavioural advertising, a separate specific consent would be needed.
A stricter regime for profiling07 June 2016
The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data...06 June 2016