The General Data Protection Regulation (GDPR) will come into force on 25 May 2018, replacing UK’s Data Protection Act 1998 (DPA). It is yet unclear how Brexit will play out, yet in the meantime the United Kingdom is moving to adopt the GDPR principles so that it adequately protects the personal data transferred within the EU. The GDPR sets a high standard for consent and compliance, which means that companies must start preparing for this transition.
The Information Commissioner’s Office (ICO) issued a guidance on GDPR consent on 2 March, explaining its recommended approach to compliance and what is the definition of a valid consent. ICO also provides examples and practical advice that assist companies decide when a consent is unbiased, and when other alternatives must be sought.
The guidance’s main points on consent are:
- Individuals should be in genuine control of consent;
- Companies should check their existing consent practices and revise them if they do not meet the GDPR standard. Evidence of consent must be kept and reviewed regularly;
- The only way to adequately capture consent is through an opt-in;
- Explicit consent requires a very clear and granular statement;
- Consent requests should be separated from other terms and conditions. It should be avoided to make consent a precondition of a service;
- Every third party who will rely on the consent must be named;
- Individuals should be able to easily withdraw their consent;
- Public authorities and employers may find using consent difficult. In cases where consent is too difficult, other lawful basis might be more appropriate.
ICO is running a public consultation on the draft guidance until 31 March 2017 to attract views of relevant stakeholders and the public. The feedback received will then be taken into account in the published version of the guidance, which is provisionally aimed for May 2017. The GDPR consent guidance can be found here, and the public consultation form here.
Other European countries have already launched relevant public consultation events:
- In June 2016, the French data protection authority (“CNIL”) launched a public consultation on the GDPR. 225 organizations participated in the public consultation and the outcome was integrated into recent guidance from the Consortium of European Data Protection Authorities. The CNIL’s report on the French public consultation is available (in French) here. The CNIL launched the second round of the public consultation last week, closing on March 24, 2017.
- In Germany, the Interior Ministry has been drafting a proposed Data Protection Amendments and Implementation Law (Datenschutz-Anpassungs- und Umsetzungsgesetz – or “DSAnpUG”) approximately since the GDPR was passed. The DSAnpUG implements the GDPR as well as the EU Law Enforcement Information Sharing Directive 2016/860. At present, several committees of the Upper House of Parliament (Bundesrat) are debating the draft, and a full vote of the Upper House is scheduled for March 8, 2017. the draft of the German DSAnpG, as introduced to the legislature by the German Federal Cabinet, is available (in German) here.
- In February 2017, the Spanish Ministry of Justice launched a public consultation as a preliminary step before the drafting of a new bill implementing the General Data Protection Regulation (“GDPR”). The press release on the Spanish consultation is available (in Spanish) here.
Alston & Bird is closely monitoring the implementation of the GDPR in various EU countries and is advising companies with operations in the above countries on how to comply with the GDPR requirements. For more information, contact Jan Dhont, Jim Harvey, or David Keating.