GDPR Articles With Commentary & EU Case Laws
- Author: Adv. Prashant Mali
Costs: Structuring and implementing a good consent procedure could be expensive.
Risks: If any single consent is ruled invalid, this would probably apply to all consents under the same procedure and so processing of all the data subjects involved would have to stop immediately.
Rewards: Since the procedure is ‘opt-in’, there will be a much lower take-up by data subjects compared to ‘opt-out’.
The costs, risks and rewards equation of using ‘legitimate interests’ looks good, even if the balance-of-interests calculation is done in a way that is unfairly biased towards the interests of the organisation:
Costs: These may not be so high, since it is an internal exercise and the level of effort put into the balance of interests calculation can be kept low if there is little risk of having to justify it.
Risks: Falling foul of the law is unlikely, since the methodology of the balance-of-interests calculation will probably never be tested. In response to any individual complaint, the controller can simply accept that person’s objection and stop processing their data, so it never has to justify the original logic and can continue to process the data of others without change. If there were so many complaints that the matter came to the attention of the supervisory authority, the organisation can simply defend itself on the basis of the many ‘judgmental’ calls that had to be made when calculating the balance of interests. If the organisation can show basic diligence by reference to an impact analysis conducted at the start, a significant fine is extremely unlikely.
Rewards: Since this effectively turns ‘legitimate interests’ processing into an opt-out procedure, the organisation will be able to process the data of nearly all the people it wants, reducing the numbers only to the degree that it receives objections/opt-outs.
This loophole arises from the impossibility of defining precise rules for conducting a balance-of-interests assessment, combined with a procedure that in theory puts the burden of proof on the controller but in practice leaves controllers almost unsupervised. The loophole does not apply to the processing of sensitive data, since a controller’s legitimate interest is not a lawful basis for doing this (excluding the special cases of healthcare and certain non-profit bodies). However, most processing of personal data does not involve sensitive data.
One solution would be a shift back towards the use of ‘consent’, but under the GDPR rules. For some businesses, this might occur because of the forthcoming e-Privacy Regulation; see Consent: lost and found. Another would be a more generalised use of ‘contract’.
It appears that responsibility for minimising the effect of this loophole will fall to supervisory authorities. However, these authorities will be overwhelmed with more definite responsibilities once the GDPR applies and, in the absence of public complaints, their duty to act on legitimate-interest issues is somewhat nebulous. Probably the best that can be hoped for is that opinions from the European Data Protection Board (which replaces the Article 29 Working Party next year), guideline documents from the supervisory authorities and codes of conduct from industry bodies (Article 40) will draw clear lines about how to apply the balance-of-interests calculation and reduce the margin of tolerance for controllers that rely on dubious legitimate-interests claims.
Conclusions
This article has focused on five significant loopholes in the GDPR. Another article will describe weaknesses of the regulation that might undermine its success even without any conscious abuse.
However, this article comes with a health warning: it has not attempted to make a balanced judgment of the GDPR. Despite any imperfections, the GDPR is already having a major effect on all industries that make use of personal data — in nearly all cases giving more protection and more usable rights to individuals. Keeping the loopholes as small as possible will have a big impact on its overall success.
Imprint
Publication Date: 07-24-2019