New requirements for consent and information obligations for data collection under the GDPR

Consent is often the only means by which newsletters can be sent, subcontractors integrated, cloud services used or customer databases built up. Consent is simply a key element in overcoming any data protection hurdle. As is well known, the EU General Data Protection Regulation (GDPR) will replace the German Federal Data Protection Act (BDSG) from 25.05.2018, bringing with it a number of key changes with regard to consent.

Why consent?

Just like the BDSG to date, the GDPR also establishes a general prohibition on any handling of personal data. There are only a few exceptions to this prohibition - including consent. Without such an exception, common data processing activities such as the collection of data, the storage of data and the transfer of data to third parties would be prohibited. The collection and storage of data already includes the recording of information from a conversation with the data subject in a computer system. Data is also transferred more readily than is often assumed. If you save a new contact in your smartphone and the address book is synchronized with the smartphone manufacturer's cloud system - which is currently the default setting - this is already a transfer for which a permission standard must be found under data protection law. Purely private use for personal and family purposes is not subject to the GDPR - but business or professional processing is.

What is personal data?

When people talk about personal data, they often only think of a person's name and perhaps their address, medical records or, for some, their telephone number. Unfortunately, from a business perspective, the concept of personal data goes much further. Ultimately, any information that can be assigned to a natural person is personal data. The person does not have to be known by name. Rather, it is sufficient to be identifiable via a third party. For example, the ECJ recently ruled on the previously highly controversial question of whether dynamic IP addresses on the internet are personal data. According to a general understanding of the decision and with regard to Germany, the ECJ has generally affirmed this (ECJ, judgment of 19.10.2016, Case C-582/14). This was already the view of the data protection authorities in previous years.

This is also the reason why every visit to a website on the internet is relevant under data protection law. This is because the IP address is technically transmitted with every visit. Therefore, in the opinion of some, it is illegal to operate a website via an internet server rented from a third party. In this case, the IP address is immediately transmitted to a third party. Under data protection law, this can also be solved in a legally compliant manner. However, consent cannot be considered here, as consent cannot be obtained before the website is visited. Under data protection law, a so-called order processing agreement must therefore be concluded with the server operator. Order processing is a separate agreement, which also represents a permission standard that releases from the basic prohibition of handling personal data. As an alternative to order processing, consideration can be given to whether the controller has a legitimate interest.

It should be emphasized that only data of natural persons is covered by the GDPR, not data of legal persons. The processing of the email address "info@unternehmen-xy.de" is therefore unproblematic - unlike the address "max.mustermann@unternehmen-xy.de". This is not self-evident, as data protection law in Austria and Switzerland, for example, also protects the data of legal entities.

In what form must consent be given?

According to the BDSG, consent must always be given in writing (i.e. on paper); the only exception is for the online sector. Under the GDPR, there is no longer a uniform formal requirement. However, the controller must be able to prove that consent has been given. If consent is granted in writing in a document, the declaration of consent must be clearly distinguishable from the other components.

In the area of employment law, a deviating, special national regulation applies, according to which the written form must be observed.

Information, purpose limitation and revocation

The consenting party must be informed in an extremely clear manner and in simple language before giving consent. The information must enable the person giving consent to recognize the full implications of their decision. In practice, there are considerable difficulties here. In some cases, complex organizational and technical processes have to be described in very simple language. In addition, it is often the case that the facts are not yet precisely known at the time consent is given. For example, it may be clear that a subcontractor will be involved, but it is not yet clear exactly which one. A subsequent change of subcontractor may also need to be considered. It is therefore not possible to name the subcontractor without further ado.

The presentation of everyday technical processes can also cause considerable problems. If, for example, consent is to be given to the processing for the receipt of a newsletter, it should be noted that third-party providers, sometimes based outside the EU, are often involved for this purpose. Information must therefore be provided about both the involvement of the third-party provider and the transfer of data abroad, as well as any other special features that usually arise, e.g. with regard to the implementation of the right of withdrawal.

If the information provided is insufficient, the consent is invalid. In addition, personal data is strictly bound to the specific purpose for which it was collected (purpose limitation). This means that data collected for one purpose may not subsequently be used for another purpose. For example, if a customer consents to receiving information about a certain series of events, the customer's data may not also be used for the company newsletter.

The GDPR now stipulates that the information provided must also point out the right of revocation and its consequence, namely that processing carried out up to the time of revocation remains unaffected by the revocation. This new information obligation also contains the welcome clarification of a dispute about the scope and temporal "reach" of a withdrawal. Under the BDSG, the view was held that a revocation could also have retroactive effect.

Massive new information obligations

The aforementioned information about the right of withdrawal and the consequences of exercising it is an obligation that must be observed specifically for consent. As a rule, however, data is also collected in connection with consent, e.g. a customer's name and email address. In this case, the information obligations for the collection of data must also be observed. This involves twelve individual points, which are listed in Art. 13 GDPR. Some points are easy to tick off, e.g. the naming of the controller. However, even listing other data subject rights that apply in each case (e.g. right to erasure, restriction and data portability) can cause difficulties. It can also cause considerable difficulties to state the exact legal basis that authorizes the data processing. It will be necessary to specify the relevant legal standard. If all processing operations are covered by consent, naming them does not cause any further effort. However, further processing operations that are not based on consent often need to be considered.

It has not yet been clarified what should apply if two legal standards can apply in parallel, or what the legal consequence is if the naming of a possible legal standard is forgotten.

The duration of storage must also be specified. This will force existing processes to be reconsidered, especially as many companies are unlikely to delete emails from their inboxes within the deadlines stipulated by data protection law. According to the stricter regulation in the GDPR, personal data must be deleted as soon as it is no longer required for the respective business transaction.

Voluntariness

The GDPR tightens the requirement of voluntary consent (so-called prohibition of linking). In future, consent that is made a mandatory condition can no longer be regarded as voluntary. This applies all the more, the further removed the matter to which consent relates is from the actual business transaction. If, for example, consent to receive a newsletter must be given as part of a purchase, the consent is likely to be invalid due to a lack of voluntariness.

Do old consents continue to apply?

As the requirements for consent are changing, the question arises as to whether all existing consent must be renewed. The GDPR explains in a (non-binding) recital that old consents continue to apply if they already meet the requirements of the GDPR. Unfortunately, this says little. This is because it is rather self-evident that consents that meet the requirements of the GDPR remain valid. But what happens if this is not the case, e.g. with regard to the information obligations outlined above?

Fortunately, the Düsseldorfer Kreis, a joint committee of the German data protection authorities, has decided that old consents should also apply if the information obligations under Art. 13 GDPR have not yet been complied with. This brings some clarity. However, two problems arise: Firstly, there is the question of whether the opinion of the German data protection authorities will be confirmed by the courts across Europe. Secondly, the Düsseldorfer Kreis only mentions the information obligations under Art. 13 GDPR. However, information about the right to withdraw consent and its consequences is not regulated in Art. 13 GDPR, but centrally in the standard setting out the requirements for a declaration of consent. Yet very few declarations of consent to date contain such an explanation. There is therefore likely to be uncertainty regarding the validity of old consents.

Even if consent given on the basis of old consent texts can remain effective, these old consent texts may no longer be used from 25.05.2018. This is because the "conditional protection" applies to the consent given, not to the old text formulation. Both paper consent forms and consent texts on websites must therefore be reviewed and - most likely - adapted.

E-Privacy Regulation

The GDPR is to be flanked by an ePrivacy Regulation, which contains numerous regulations on internet and technical matters that take precedence over the GDPR. In particular, it also covers consent with regard to the tracking of website visitors and regulations on cookie banners. The ePrivacy Regulation is currently only in draft form and will presumably enter into force with a delay. This is not surprising, as the ePrivacy Regulation regulates numerous issues in a much stricter manner and has therefore met with resistance. For example, cookies may only be set with consent. However, simplifications are also planned with regard to consent, e.g. via default settings generally stored in the internet browser. It remains to be seen what concrete form the ePrivacy Regulation will take.

Date: 16. Jan 2018