New EU General Data Protection Regulation: Advice Note 3 (Consent to Processing and New Sanctions)

Published 13 April 2016

In this our third blog about the GDPR, I am going to look at the new rules on data subject consent to processing of their data, and the new regime of sanctions proposed by the GDPR for non-compliance. Also, to continue the theme from the previous blogs, I am going to compare the GDPR provisions with the corresponding provisions in the existing EU Directive 95/46EC (the “Original EU Data Protection Directive”).

GDPR Sanctions, Fines and Penalties

In the Original EU Data Protection Directive, there were no provisions for direct judicial remedies against data processors. Article 75 of the GDPR will now give data subjects a right to issue proceedings against a data controller or a data processor directly, if they consider that their rights have been infringed.

GDPR allows for fines up to the greater of €10,000,000 or 2% of annual turnover to be imposed even for “lesser” breaches of GDPR, particularly if there have been repeat or multiple infringements. As if that was not eye watering enough, maximum fines will be increased to the greater of €20,000,00 or 4% of annual turnover, although this level of sanction is likely to be reserved for the most egregious breaches, and in particular for breaches involving misuse of the “special categories of personal data” now referred to in Article 9 of the GDPR (ie personal data revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures).

Data Subject Consent to Processing of their Data

Back in 1995 when the Original EU Data Protection Directive sprung into life, none of us could have anticipated the peculiar nature of one of the arguments, which was to ensue over the meaning of the apparently straightforward statement, “the data subject has unambiguously given his/her consent” [to the processing of his/her data].

The entire legal and political establishment seemed to disappear down an Alice in Wonderland style “rabbit hole” from which it never really emerged, surrounding whether a data subject could only really consent to the processing of their personal data if they had “opted in” to the processing (by ticking an opt in box) or whether it was OK for the data processor just to set out in a densely worded privacy policy what they intended to do with the subject’s data and then give the data subject the right to “opt out” if they bothered to read and appreciate the full horror of what they were being asked to sign up to.

Some countries tried the “opt in only” route and found that they were crippling their online industries. Others, like the UK, which seemed content with “opt out” found their online industries were relieved but that the real issue of whether anybody really understood what they had agreed to be done with their data, rumbled on.

Article 7 of the GDPR is a gentle but tidy attempt at squaring this particular opt in/opt out circle. It provides that the controller will bear the burden of proof for the data subject’s consent to the processing of their personal data for specified purposes, so that whether a data subject “opts in” or “opts out” to the processing of their data, the purposes for which their data is going to be used has to be stated in a clear and straightforward manner (and not tucked away at page 84 of a 100 page set of corporate data privacy principles, which a data subject just clicks “accept” to so that they can buy a salt and pepper pot in two minutes instead of seventy-two).

It will almost certainly be time for some businesses to start looking at their data privacy policies and making moves towards compliance with the new GDPR consent standards.

Informed Consent – the Data Collection Notice Rules

On reflection, Article 10 of the Original EU Data Protection Directive was frankly a teensy bit vague about what information had to be given to a data subject in order to allow them to give informed consent to the processing of their data, focusing on the provision of (a) the identity of the data controller and any representative, (b) the purpose of the intended processing, and (c) the effect of refusing to disclose data. The rest of the Article had rather an optional feel about it, as though the data controller might mention other stuff if it seemed relevant but that they had quite wide discretion to mention or not mention it.

In Article 14 of GDPR, the requirements are much clearer (and stricter). In addition to the original requirements set out in the Original EU Data Protection Directive, the data subject also needs to be informed about (i) the purpose of the processing and the reasons why that processing is legitimate; (ii) the period for which the data will be stored; (iii) who will get to receive the data and why; (iv) whether or not that data might be transferred to another country and the protections it will receive there; (v) the right of access to check, rectify and erase data; and (vi) details of the supervisory authority to enable a complaint to be made.

Additional Rules for Processing Sensitive Data

Explicit consent has always been required for the processing of sensitive personal data (ie consent to exactly what is going to be processed and for precisely what reasons). However, whilst the language here may not have changed significantly, the additional rules around the content of the data protection notices in Article 14 of GDPR means that any wiggle room there may have been for a data processor to be less than forthright about the exact nature of the processing has now evaporated.

Consent to the Processing of Children’s Personal Data

Article 8 of GDPR has now introduced specific rules on processing the data of children and in particular that no child under 13 is authorised to give consent to the processing of their data. Many industry bodies already adhere to this principle as a matter of good business ethics but it was not previously a formal legal obligation in the Original EU Data Protection Directive.

If your business needs more information about GDPR or if you need to update your policies in anticipation of GDPR, please contact Katherine@mirkwoodevansvincent.com .