Privacy | Information Security | GDPR
Now that the EU General Data Protection Regulation (GDPR) is in force, organizations are ramping up their efforts to re-fresh data subject consent obtained prior to GDPR and under the EU Data Protection Directive 95/46/EC by virtue of which opt-out or implied consent was permissible.
There seem to be divergent opinions relating to the requirement to undertake re-permissioning of data subject consent under GDPR. Article 4(6) of GDPR makes it clear that if the basis for the collection of personally identifiable information is consent, as required under Article 6, then such consent must be “freely given, specific, informed and an unambiguous indication of the data subject’s wishes…by a clear affirmative action…”Accordingly, obtaining positive and affirmative consent is mandatory; otherwise, data controllers and processors may be infringing upon data subject rights and may be subject to legal remedies, liabilities, and penalties.
However, Recital 171 of the GDPR appears to obviate the need to obtain positive data subject consent by affirming that “ Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation…” This provision may give comfort to organizations that have made significant investments in building out their contact databases based on implied or opt-out consent as the basis for their collection.
But Recital 171 must be construed in the context of its qualifying part, which requires that consent must be in line with the conditions of GDPR. In other words, if opt-out consent was the basis for the prior collection, then re-permissioning under GDPR is required.
Consent, however, is not the only basis for lawful processing under GDPR. Legitimate business interest is one of the six permissible bases for lawful processing. And, by virtue of Recital 47 of GDPR direct marketing may meet the legitimate business interest grounds for collecting and processing personal information subject to the following conditions:
- The pre-existing business relationship between data subject and controller and/or processor;
- Data subjects have a reasonable expectation of such a relationship with data controllers and/or processors; and
- The fundamental rights of the data subjects do not in “override the interest of the data controller…”
Furthermore, the EU Privacy and Electronic Communications Directive, which is in the process of being harmonized with GDPR, seems to preserve pre-existing e-marketing rules, which stipulate that if personal information was collected at the time of a sale with an opt-out provision, then such collection is deemed to be lawful.
So, what are the practical implications of these divergent interpretations relating to re-permissioning?
Well, the answer seems to be the proverbial “it depends."
If consent was not the original basis for collecting personal information, then re-permissioning is not required under GDPR. For example, if the collection and processing of personal information were necessary for the performance of a contract or on the basis of legitimate business interest, then there is no need to seek consent under GDPR. Keep in mind, however, that if further processing is contemplated, which is not limited to the original collection purpose, it is prudent to seek affirmative consent.
If, on the other hand, consent was the initial basis for collecting personally identifiable information pre-GDPR, then a determination ought to be made as to:
- The method of consent originally obtained. If such consent was obtained on an opt-out basis, then re-permissioning is required in order to comply with GDPR;
- The current status of the contact. For example, was the contact turned into a customer following initial opt-out consent? If in the affirmative, then legitimate business interest may be a basis for the continued processing of personal information without the need for re-permissioning, so long as such processing is limited to the purposes for which initial consent was obtained.
It is imperative that organizations undertake a careful review of their existing contact databases and keep a record of processing activities as required by Art 30 of GDPR. It is also important to note that once re-permissioning was undertaken, then all processing must stop, and such records must be deleted for those data subjects who have not affirmatively responded.
It goes without saying that it's incumbent on organizations to make a careful determination of the need for re-permissioning given the trade-off between losing the ability to leverage investments in acquiring and nurturing contact databases or risking potential penalties and fines in the event of non-compliance with a more rigorous GDPR consent provisions.
