The Data Protection Commissioner (DPC) has initiated a consultation seeking submissions in regard to how some key concepts in the GDPR should be interpreted and applied, including:

  • Consent
  • Profiling
  • Personal data breach notifications
  • Certification

The Article 29 Working Party (WP29) (consisting of representatives of the EU data protection authorities) is currently preparing guidance on these concepts, and EU data protection authorities are undertaking consultation processes with the purpose of ensuring that the views of stakeholders are heard. The questions asked in the consultation demonstrate the lack of detail in the GDPR in regard to these key concepts.

For example, the GDPR introduces a higher bar for relying on consent, defining “consent” as meaning “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. However the GDPR fails to specify what action constitutes “explicit consent” to the processing of special categories of data (i.e. sensitive data). Consequently the difference between the “consent” and “explicit consent” is not clear.

In addition, the GDPR provides individuals with a right not to be subject to profiling which produces “legal effects” or “similarly significantly affects” an individual. There are some exemptions to this right, including where the processing is authorised by law; necessary for the performance of a contract, or where the explicit consent of the individual has been obtained. In respect of the latter two exemptions the individual has the right to give their point of view and to contest the decision. However, once again, there is a lack of clarity as to the precise scope of this right and how it can be exercised. Furthermore, the GDPR requires data controllers to notify data protection authorities of data breaches within 72 hours where feasible, unless the breach is unlikely to result in a “risk” to individuals. Individuals are also required to be notified unless the breach is unlikely to result in a “high risk” to them. However, the GDPR does not specify the difference between “risk” and “high risk“.

The DPC is seeking stakeholders’ views on a number of questions, including:

  • Consent – What actions/activities on the part of an individual should be considered a statement or a clear affirmative action signifying agreement to processing of personal data? How can organisations demonstrate that consent has been obtained to the standard required by the GDPR? In respect of minors how should parental consent be collected in an online environment? In respect of special categories of personal data how should “explicit” consent be interpreted?
  • Profiling – How should the distinction between” legal effects” and “significant effects” be interpreted? How should the individual’s right to give their point of view and contest a decision as regards profiling be given effect by a data controller? Are there limits to profiling? Should certain activities and/or information be excluded from profiling?
  • Personal data breach notifications – How should “risk” to the rights and freedoms of natural persons be interpreted? How should “high risk” to the rights and freedoms of natural persons be interpreted? In what circumstances would it not be feasible for a data controller to report a data breach to a data protection authority within 72 hours? In cases where notifying the individuals concerned would involve a “disproportionate effort“, what form of public communication or other similar measure to inform individuals would constitute an equally effective manner? How should “disproportionate effort” in notifying individuals be interpreted?
  • Certification – What are the practical implications for organisations in seeking certification under the GDPR for:
    • Controller responsibilities?
    • Data protection by design?
    • Security requirements?
    • Processor guarantees?
    • International transfers?

The consultation period runs until 28 March 2017. The submissions received will be supplied to the WP29 for consideration in the preparation of guidance on these concepts. The DPC will not be summarising or preparing a report of the submissions.