Five things to take from the European Parliament's response to the Commission on the GDPR
The European Parliament has published its report on the European Commission's report on the implementation of the GDPR, which the Commission published two years after the GDPR became applicable.
Yes, it's a report about a report. And this is a blogpost about a report about a report.
Here are five things which stood out to me.
Some controllers have interpreted Articles 13 and 14 as meaning that, as long as their privacy notice lists the lawful bases on which they rely, they do not need to say which basis applies to which processing activity.
Worse, the template published by the UK's Information Commissioner's Office encourages this approach, since it de-couples the lawful basis from the description of the processing activity. I've honestly no idea how this got signed off, but it does suggest that the ICO is unlikely to be enforcing on this point.
I have never understood the logic of this approach, especially as you should already have the breakdown of which basis you are using for which processing activity in your record of processing activities (Article 30), but, perhaps for the reason above, it's relatively common.
The Parliament also says that controllers must:
"avoid taking a legalistic approach when drafting data protection notices".
Again, yes! You may want to get legal advice on how to prepare a compliant privacy notice, but if the result ends up looking like a contract, or is just impenetrable legalese, you've picked the wrong advisor...
If your privacy notice or other transparency information is not up to scratch, take a look at our guidance.
2. "[I]ndividuals are often put under financial pressure to give consent in return for discounts or other commercial offers"
Under the GDPR, consent requires a "freely given, specific, informed and unambiguous indication of the data subject's wishes" (Article 4(11)).
If you say "We'll give you 10% off your next order if you subscribe to our marketing email newsletter", does that vitiate the consent you are trying to obtain? (Sending marketing by email to "individual subscribers" requires consent, unless you fall within the limited "soft opt-in" framework.)
On the one hand, there's an argument that I am exercising my free will, in that I'm making a choice to hand over my details, for which I get the benefit of the discount. I don't have to take that discount.
On the other hand, someone in a more restricted financial situation may have little choice but to take every discount or incentive available, and is thus pushed towards letting organisations use their personal data. In other words, if this activity is permitted, the "free will" argument protects only the rich.
Personally, I think we'll need to see how the courts approach this one, but clearer, more consistent guidance may help. (Although guidance is only guidance.)
For now, if you're going to incentivise consent, think it through carefully.
3. "[A]pplication of the GDPR has been particularly challenging, especially for small and medium sized enterprises [and] start-ups"
I may be biased here, as someone who sells data protection advice among other things, but I'm surprised that the GDPR has been perceived as "particularly challenging". The principles are pretty simple and, unless you're doing something unexpected or intrusive, it's mostly a procedural thing.
And there's no shortage of guidance (including official guidance, even if some of it is questionable...) about what organisations need to do.
If you're one of those organisations which has found it challenging, here's our suggested starting point.
There are, I suppose, some particular aspects of the framework which are more challenging than others, including the international transfers regime following the CJEU's Schrems II ruling that the standard contractual clauses alone are not enough (see below).
4. "Calls on the Commission to evaluate the possibility of obliging large multinational technology companies to pay for their own oversight through the introduction of an EU digital tax"
Perhaps it would be better if data protection regulators didn't spend their time and budget on things outside their remit (like online safety / child protection), or things like "regulatory sandboxes", and perhaps even AI.
(In any case, why would the "data broker" industry not be deserving of the same?)
5. The Parliament "[c]alls on the Commission to publish the set of criteria used in determining whether a third country is deemed to provide an 'essentially equivalent' level of protection to that afforded in the EU"
Another sensible point.
The CJEU's Schrems II judgment (Case C-311/18) held that, even if you put in place the European Commission's standard contractual clauses for transfers of personal data to countries outside the EEA which are not deemed "adequate" from a data protection point of view, you probably haven't done enough.
Instead, the outcome of the Court's ruling is that you need to assess the realistic level of protection in the destination country, and the risk to the personal data undergoing transfer, and consider what additional measures you might require to bring the protection up to an essentially equivalent level.
In one fell swoop, the Court moved international transfers from an easy and cheap, if slightly bureaucratic, exercise into one which is burdensome and probably out of reach for many would-be transferors.
There is some draft guidance on how to comply with the ruling (the EDPB's draft recommendations on supplementary measures), but more is needed here.
I've helped a fair few clients get to grips with this, and we've always found a way through, but it's pretty much always a risk-balancing exercise. Do drop us a line if you need a hand.