Data Processing Under the GDPR: Consent as the Primary Legal Basis
By Dino Medina, Esq., General Counsel, CDS.
Set to take effect on May 25th, 2018, the General Data Protection Regulation (GDPR) is the European Commission’s latest attempt to strengthen the protections afforded the personal data of EU natural persons in connection with third-party processing activities. According to GDPR Article 5, “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction[.]” As a global provider of eDiscovery services, CDS is taking the necessary steps to comply with these enhanced requirements.
Chief among the GDPR’s protection enhancements are those surrounding the concept of data subject consent. Though consent – including the ability to refuse and withdraw consent – has remained a fundamental right under both the current EU Directive 95/46/EC and the upcoming GDPR, GDPR-compliant consent requires a dynamic, actively managed, transparent process. The text of the GDPR stresses:
[consent] of the data subject [must be] freely given, specific, informed, and [an] unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
In other words, data subjects must be afforded a meaningful opportunity to consent with knowledge of the precise purpose(s) for which consent is sought. Any resulting consent must take the form of an explicit, unmistakable action taken by the data subject permitting the processing activities enunciated in the consent request.
Further, the GDPR mandates that comprehensive background information be provided to data subjects. This information includes how the personal data will be processed, what the personal data will be used for, who the data processor is (defined as the “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”), who the data controller is (defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”), and the identities of any other third parties who will have access to the personal data.
Situations in which there is a real or perceived disparity in bargaining power between the data subject(s) and the data controller will prove particularly difficult, as EU data protection authorities have expressed a reluctance to deem consent the product of “free will” when this power dynamic is present. The following types of data subjects fall into this problematic category: employees, the mentally ill, children, patients, and the elderly.
In sum, the concept of consent may seem straightforward at first glance; however, because consent is a fundamental right in the EU, there are stringent requirements that must be satisfied to ensure GDPR compliance. As such, consent by default and mass opt-out schemes for multiple data subjects are to be strictly avoided. Instead, consent requests should be presented in clear, readily understandable language, setting forth the exact purpose(s) for which consent is sought, and special consideration must be given in cases where an imbalance of power between the data controller and the data subject(s) exists.
If you are involved in a litigation or investigation with a European data component, contact us for a litigation support consultation. CDS has a full-service data center and support staff based in London and offers the portable Digital Customs eDiscovery appliance where further data privacy is required.
CDS is not a law firm and is not authorized to provide legal advice in any jurisdiction. These materials are for informational purposes only. They are not intended, and should not be construed, as legal advice on any particular set of facts or circumstances.