Consenting to Consent Needs Consent?
UPDATE from the European Commission:
A very timely clarification from the ICO:
Myth #9: “We have to get fresh consent from all our customers to comply with the GDPR.” Steve Wood, Deputy Commissioner, busts this myth in his latest blog about consent.
There is much confusion around consent, one of the six lawful bases for processing personal data under the GDPR (Art 6(1)).
Some argue that consent should be avoided at all costs: too risky, given the right to withdraw it and the right to data portability. Go for contract or legitimate interests instead, they advise.
Others point out that if consent is listed first and legitimate interests last in Art 6(1), there is a good reason for that. The ICO, however, has stated that “no single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual”. Consent is not a silver bullet for GDPR compliance.
Legitimate interests? Too tricky, others argue: it requires showing that the processing is necessary for the interest pursued, and that this interest is not overridden by the rights and freedoms of the data subject (Art 6(1)(f)).
On Twitter, a thread started around the National Trust requesting new consents.
If you previously processed data on the basis of consent, should you renew that consent or not?
@PrivacyMatters: It’s really quite simple. If you have obtained consent for eMarketing under 2002/58 (& 95/46) then I don’t see the issue. The problem is many orgs haven’t, or have incorrectly relied on the exception under R22(3). The big lie is that ‘we need to do this because of the GDPR’.
Consent under the GDPR is held to a higher standard than under the Data Protection Directive 95/46/EC (the UK Data Protection Act 1998). The GDPR requires consent to be “unambiguous” (Art 4(11)) and demonstrable, i.e. auditable: the controller must be able to show that the data subject consented (Art 7(1)). The Article 29 Working Party states: ‘Consent which has been obtained to date continues to be valid in so far as it is in line with the conditions laid down in the GDPR’. If existing consent was not documented, or does not meet that standard, the WP29 guidance recommends renewing consent or, exceptionally, switching to another lawful basis. So does the UK ICO.
Victoria Cetinkoya from the UK Information Commissioner's Office speaks [at around 21:14] in this video, where she says that when you rely on consent you may need to renew it to the GDPR standard to be compliant.
Recital 47 of the GDPR actually says that:
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
Therefore, under the GDPR alone, there is no need for consent for direct marketing as long as the right to object is offered (Art 21(2)). Note that marketing by email or SMS remains subject to the separate consent and soft opt-in rules of the e-Privacy regime (see below).
Consent acquired before the GDPR may well be undocumented. If consent cannot be proved, or if the pre-GDPR consent was not sufficiently specific, informed, unambiguous and freely given, it is not valid under the GDPR and there is a need to renew it. No?
How do you renew consent without sending unsolicited emails asking for consent?
Some complain that these re-consent emails are themselves unsolicited marketing emails. Under PECR, electronic marketing to individuals requires prior consent, with a ‘soft opt-in’ exception for existing customers whose details were obtained in the course of a sale, or negotiation of a sale, of a product or service.
What if these are sent to prospective clients and not existing clients?
What if you get no answer to the re-consent requests?
What about the new transparency obligations (Arts 13 and 14)?
Consent is only valid if freely given.
Refusing or withdrawing it should not be detrimental to the use of the service (Art 7(4), Recital 42).
Much of the confusion around consent arises from Recital 171 of the GDPR, which reads: “Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation”.
This is partly why some advise avoiding consent altogether and relying on contract or legitimate interests, and why others reply that consent being listed first is no accident. Personally, I am not convinced that the order of presentation in Art 6(1) has any significance.
I want to share an email I recently received from an alumni group:
"You may remember our recent email asking you to confirm how you would like to hear from us.
I hope you value being part of our international alumni and friends community and enjoy being kept up-to-date with what’s happening at XXXX. However, in May 2018 the law is changing the way we keep in touch with you. In preparation for this change, we want to be clear what relationship you want with us so that we can provide you with information and updates about us. Please click the button below to submit your communication preferences.
We would dearly like to stay in contact with you but without us knowing your preferences, it might be goodbye from XXXXX!
Confirm preferences
By way of thanks for prompt replies, all forms submitted by 2nd March will be entered into a draw to win a £100 Amazon voucher.
A £100 Amazon voucher as an incentive to consent, really?!
On 25 May 2018, the new General Data Protection Regulation (GDPR) will come into effect in the UK. This will replace the current Data Protection Act, but introduces new and different requirements for xxxxxxx around gaining consent to communicate with you as part of our alumni and friends community.
As Xxxxxx makes the transition to becoming a UK registered charity in 2018, it is important that we are able to communicate the changes happening and our future plans as a charity with you.
Charities, alongside any private sector organisations, must follow the legal requirements of the General Data Protection Regulation coming into effect in May. The biggest change is that Xxxxxx Alumni and Friends must give permission to Xxxxxxx to send communications. Permission needs to be given by confirming your communication preferences through an online form, ensuring you opt-in to future communications from Xxxxx departments, including Marketing, Development and Alumni Relations.
An email will be sent next week from the Development and Alumni Relations Office at Xxxxxxx in which you will need to update your communications preferences to receive communications from us via a short online form. Completing this will only take a few seconds of your time.
We want to ensure we can provide the best service to you as one of the esteemed members of our international alumni and friends community, but we can only do this if we have your active consent to update you about xxxxxx news. As it is now a legal requirement to gain your permission, if you do not opt-in to receiving these, unfortunately Xxxxxxx may not be able to send you future communications.
The best part of the privacy policy, when you click the link, is: “From this information, xxxx may carry out wealth screening. Wealth Screening involves reviewing personal information, such as the information listed above, to undertake an analysis of who might support the organization in the future and to what degree that support might be made available, and to understand the preferences of current parents, staff and students about events, communications and services.” Surprising! Is this not what the ICO fined eleven UK charities for? [The Information Commissioner’s Office has fined eleven charities that breached the Data Protection Act by misusing donors’ personal data. ICO investigations found many of the charities secretly screened millions of donors so they could target them for additional funds. Some charities traced and targeted new or lapsed donors by piecing together personal information obtained from other sources. And some traded personal details with other charities, creating a large pool of donor data for sale.] A summary of how each charity breached the law can be found here.
Additionally, you tell me you share my data with your US office. You forgot to tell me on what basis: the US does not benefit from a general adequacy decision, so such a transfer needs one of the safeguards of Chapter V of the GDPR.
By sending me a re-consent email, you have revealed to me that you have been infringing the law. Can I sue you?
I do not consent to wealth profiling, but I still want to be part of the alumni group: is this possible? In principle, refusing consent should not be detrimental to the use of the service.
Honda Motor Europe played this risky game: it sent 289,790 emails aiming to clarify certain customers’ choices for receiving marketing, and was fined £13,000 by the ICO, which treated the emails themselves as unsolicited marketing.
As you see, I remain confused.
As for marketing by email or SMS, the GDPR is complemented by the Privacy and Electronic Communications Directive (2002/58/EC, implemented in the UK as PECR). Marketing emails or SMSs can be sent on an opt-out basis (the soft opt-in) only where the contact details were collected in the course of a sale, or negotiation of a sale, of a product or service, the marketing concerns similar products or services, and an opt-out is offered both at collection and in every message. The e-Privacy Directive is currently undergoing reform, to be replaced by a new e-Privacy Regulation.
Further reading by Stewart Room of PwC: ‘The idea of refreshing consents is the same as refreshing processor engagement frameworks.’
Valerie Lyons from BHconsulting: Permission slip: what consent means and where it really applies to GDPR.
- This work is licensed under a Creative Commons Attribution 4.0 International License.
SAP Project / Cutover Manager | SAP Activate Certified Trainer:
Mind your step, as any renewal may be treated as lack of conformity so far, and by the way GDPR brings many reliefs, like consent may in some cases be presumed. Think twice before any action!
From the ICO: Myth #9 “We have to get fresh consent from all our customers to comply with the GDPR.” Steve Wood, Deputy Commissioner, busts this myth in his latest blog about consent: iconewsblog.org.uk/2018/05/09/rai… #bizhour
Thanks for your comment Rowenna. I have made some amendments trying to make it clearer. How do you explain the ICO requiring the consent to be revisited, as stated in the video?
Data protection, data ethics and digital privacy nerd | #ActuallyAutistic:
The charities didn’t get fined for wealth profiling, or for wealth profiling without consent - they were fined for a combination of *stealth* wealth profiling (i.e. not telling anyone they were doing it), data-trading without transparency and augmenting of data beyond what was reasonable (again, without telling people). Wealth profiling can be done on the basis of legitimate interests provided there is a robust LIA behind it.
Privacy law doesn’t actually say that emails asking for consent are themselves direct marketing, but that’s the approach the ICO has adopted and they’re the ones who decide if you’re naughty or nice.
If you have no consent to electronic direct marketing, get it without sending emails asking for it.
If you have consent but not to GDPR standards, go and get it to GDPR standards.
If you have consent but no evidence, ask for a re-affirmation of consent that you can record and keep.
If you don’t need consent... don’t ask for it.
Solving Data Protection Challenges | CDPO-CIPP/E | GDPR-DORA-NIS/2...:
Really good reading.