Recently, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on Recommendations for Implementing Transparency, Consent and Legitimate Interest under the GDPR (the “White Paper”). The White Paper sets forth guidance and recommendations on the key concepts of transparency, consent and legitimate interest under the EU General Data Protection Regulation (“GDPR”).
One of the main objectives of the GDPR is the empowerment of individuals, and transparency is a prerequisite for meeting this objective. However, there is a growing gap between legal transparency through traditional, lengthy privacy policies and notices and user-centric transparency. CIPL recommends that transparency under the GDPR be user-centric. Therefore, when implementing transparency, the focus should be on informing users by providing meaningful information in concise and intelligible formats.
Additional recommendations in the White Paper include:
- The GDPR links transparency to fair processing and therefore ensuring effective transparency is critical for establishing and maintaining trust and digital confidence among data subjects.
- The concept of transparency under the GDPR is broader than privacy notices and should include all mechanisms used to communicate data uses to an individual.
- Transparency has a role in setting the reasonable expectations of individuals regarding the use of their data and should be an intrinsic part of any consent.
- Transparency is an essential element of organizational accountability and data protection authorities should incentivize diverse user-centric transparency and showcase best practices.
- Transparency must be embedded as much as possible within the relevant product, service, process or technology to avoid creating unnecessary burdens on individuals.
- Algorithmic transparency should be focused on the broad logic involved rather than attempting full transparency to the individual through explaining the intricacies of the algorithm itself.
- Transparency cannot be absolute and may be limited by trade secrets, commercial and competition considerations as well as by rights of others and the public interest.
Consent is on equal footing with other processing grounds under the GDPR and should not be overused. Divergent national implementations of the age of consent for children are causing concern, as this could undermine the harmonization objective of the GDPR.
Additional recommendations include:
- Consent should be used as a legal ground for processing in situations where it is possible to provide clear and understandable information at the right time and individuals have a genuine choice concerning the use of their personal data.
- Overreliance on consent creates consent fatigue for individuals. Use of consent as a ground for processing must be in line with the requirements of the GDPR and adapted to the modern information age.
- Explicit consent is only required for certain processing.
- Pre-GDPR consents should continue to be valid if obtained in compliance with the EU Directive and national law, subject to certain exceptions addressed in the White Paper. Organizations should not have to re-paper existing consent until there is a material change in processing and its purposes.
- EU Member States should take a harmonized approach regarding the age of consent for children. The age should be 13.
- There are concerns about the predominance of consent in the ePrivacy Rules. The EU legislator should introduce the concept of legitimate interest into the ePrivacy Regulation.
In situations where consent is deemed impractical or ineffective, other grounds for processing may be used in its place, including the concept of legitimate interest. Legitimate interest may be the most accountable basis for data processing in many contexts, as it requires an assessment and balancing of the risks and benefits of processing for organizations, individuals and society. It also requires the implementation of appropriate mitigations to reduce or eliminate any unreasonable risks.
Additional recommendations include:
- Legitimate interest is an essential basis for data processing and ensures the GDPR remains future-proof and technology neutral.
- Legitimate interest places the burden of protecting individuals on the organization, which is in the best position to undertake a risk/benefits analysis and to devise appropriate mitigations.
- A general non-exhaustive “database” of legitimate interest processing cases may facilitate proper implementation of this requirement in the future.
- Legitimate interest facilitates low-impact data processing.
- Legitimate interest does not provide a carte blanche for processing.
- The reasonable expectations of the individual are a relevant factor in the legitimate interest balancing test. However, even if proposed processing is not within the reasonable expectations of the individual, the balancing test may still validate the processing, such as where the public interest or other factors may support an unexpected use. Further, reasonable expectations may change over time and the balancing test must take these changes into account.
The White Paper was developed in the context of CIPL’s ongoing GDPR Implementation Project, a multi-year initiative involving research, workshops, webinars and white papers, supported by over 80 private sector organizations, with active engagement and participation by many EU-based data protection and governmental authorities, academics and other stakeholders.