Ticking time-bomb in the EDPB Guidelines on consent?

An old issue each privacy pro learnt by heart: “risk of negative consequences (e.g. substantial extra costs)” for data subject = no freely-given consent. 

Substantial. But what if extra costs are not substantial? What if, say, 10$ turns into 11$ if you refuse to consent? Is it ok? 

At leats, German watchdog seems to say yes. Some privacy pros agree (see below).

One can say that I am picky, indeed, 1$ or even 10$ surcharge will unlikely lead to bankruptcy. But what will happen if this practice becomes commonplace? Right, data subject will overpay every time he/she is requested to give consent. 1$ per one requested consent will turn into 10$ per ten requests. How long could that ‘receipt’ be a year after? 5 years after?

You got to the crux of the matter. While EDPB considers substantiality in the context of a one-off consent request, it does not address the aftermaths when overcharging becomes a rule.

https://www.bclplaw.com/en-GB/insights/does-the-gdpr-prohibit-charging-more-to-consumers-that-do-not-consent-to-certain-types-of-processing.html

Belgian data protection watchdog sends controversial ‘message’ with regard to non-profit data controllers.

An interesting GDPR enforcement case came from Belgium in late May. Imagine that a data controller is sending unsolicited postal communications and ignoring data subject rights to object (Article 21) and to be forgotten (Article 17). On top of that, it misidentified legal basis and relied on the legitimate interest instead of consent (of course, no balancing exercises have been conducted and no safeguards have been put in place).

What could happen to such a data protection ‘nihilist’? Article 83(5) suggests that its DPO may start looking for another job. However, things may go upside down if the controller is a… non-profit organisation. 

Not to keep an unnecessary suspense, the data controller in the case above was fined mere 1000 EUR (nope, I did not miss additional ‘zeros’). Of course, factoring in that it was the first case against this organisations and that the controller is a non-profit organisation with no regular turnover.

This all may be well true, but it seems that such ‘enforcement’ naturally tears the fabric of the GDPR as it factually gives all non-profit organisations carte blanche to violate ‘tastefully’ for their first time.

More details on this case:

Employer fined for employee fingerprints

Another interesting case. Each new case is helping us to understand better how to implement and be compliant with GDPR in our organisations.

So this is a fine of €725k by the Dutch DPA to an organisation which started using biometrics, i.e. fingerprint authentication. If you’ve checked the link above with an explanation provided by DLA Piper blog, there are 2 factors which really surface.

Firstly, consent cannot be used as a legal basis if there is an imbalance in relationship, and in the case of employer/employee, this is always the case. If fingerprinting is to be used then the employee needs to have a choice to use another method, e.g. access cards. In this example, there was a lack of choice, employees were forced to provide consent. Consent was not freely given.

Secondly, it seems that the Dutch law gives a second alternative on the using of biometrics for authentication and security purposes. However, this is only if it can be proved that it is proportionate to the purpose. For example, to use as a means to access high security facilities is proportionate, not access to office space.

Why I love this case is that it really emphasises on the use of consent in the employer/employee relationship.

Nelsonian blindness and Consent

1130702.largethumbA really great post on Panopticon legal blog (again :-))

Apparently Optical Express (OE) has been sending SMS messages to individuals who had not opted-in to this service. In fact 4,600 registered concern on OEs marketing practices. It’s pretty interesting as OE seems to be blind to the fact that they have not received explicit consent, they claim that it was sufficient that Thomas Cook, who stated that personal data would be shared, with whom, or how much, etc., is not made clear in the statement.

I have to make a quote from the post, as the author seems to be a lawyer with a sense of humour…

“OE appears not to have seen any problem with texting people who had never previously dealt with it, believing they had sufficient consent. Whether their laser eye surgery offers would have assisted this possible case of Nelsonian blindness is unclear.”

Read post on Panopticon blog