Recently, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on Recommendations for Implementing Transparency, Consent and Legitimate Interest under the GDPR (the “White Paper”). The White Paper sets forth guidance and recommendations on the key concepts of transparency, consent and legitimate interest under the EU General Data Protection Regulation (“GDPR”).
Transparency
One of the main objectives of the GDPR is the empowerment of individuals, and transparency is a prerequisite for meeting this objective. However, there is a growing gap between legal transparency, delivered through traditional and lengthy privacy policies and notices, and user-centric transparency. CIPL recommends that transparency under the GDPR be user-centric. Therefore, when implementing transparency, the focus should be on informing users by providing meaningful information in concise and intelligible formats.
Additional recommendations in the White Paper include:
- The GDPR links transparency to fair processing and therefore ensuring effective transparency is critical for establishing and maintaining trust and digital confidence among data subjects.
- The concept of transparency under the GDPR is broader than privacy notices and should include all mechanisms used to communicate data uses to an individual.
- Transparency has a role in setting the reasonable expectations of individuals regarding the use of their data and should be an intrinsic part of any consent.
- Transparency is an essential element of organizational accountability and data protection authorities should incentivize diverse user-centric transparency and showcase best practices.
- Transparency must be embedded as much as possible within the relevant product, service, process or technology to avoid creating unnecessary burdens on individuals.
- Algorithmic transparency should be focused on the broad logic involved rather than attempting full transparency to the individual through explaining the intricacies of the algorithm itself.
- Transparency cannot be absolute and may be limited by trade secrets, commercial and competition considerations as well as by rights of others and the public interest.
Consent
Consent is on an equal footing with the other processing grounds under the GDPR and should not be overused or relied on inappropriately. Differing implementations of the age of consent for children are causing concern, as this could undermine the harmonization objective of the GDPR.
Additional recommendations include:
- Consent should be used as a legal ground for processing in situations where it is possible to provide clear and understandable information at the right time and individuals have a genuine choice concerning the use of their personal data.
- Overreliance on consent creates consent fatigue for individuals. Use of consent as a ground for processing must be in line with the requirements of the GDPR and adapted to the modern information age.
- Explicit consent is only required for certain processing.
- Pre-GDPR consents should continue to be valid if obtained in compliance with the EU Directive and national law, subject to certain exceptions addressed in the White Paper. Organizations should not have to re-paper existing consent until there is a material change in processing and its purposes.
- EU Member States should take a harmonized approach regarding the age of consent for children. The age should be 13.
- There are concerns about the predominance of consent in the ePrivacy Rules. The EU legislator should introduce the concept of legitimate interest into the ePrivacy Regulation.
Legitimate Interest
In situations where consent is deemed impractical or ineffective, other grounds for processing may be used in its place, including the concept of legitimate interest. Legitimate interest may be the most accountable basis for data processing in many contexts, as it requires an assessment and balancing of the risks and benefits of processing for organizations, individuals and society. It also requires the implementation of appropriate mitigations to reduce or eliminate any unreasonable risks.
Additional recommendations include:
- Legitimate interest is an essential basis for data processing and ensures the GDPR remains future-proof and technology neutral.
- Legitimate interest places the burden of protecting individuals on the organization, which is in the best position to undertake a risk/benefit analysis and to devise appropriate mitigations.
- A general non-exhaustive “database” of legitimate interest processing cases may facilitate proper implementation of this requirement in the future.
- Legitimate interest facilitates low-impact data processing.
- Legitimate interest does not provide a carte blanche for processing.
- The reasonable expectations of the individual are a relevant factor in the legitimate interest balancing test. However, even if proposed processing is not within the reasonable expectations of the individual, the balancing test may still validate the processing, such as where the public interest or other factors may support an unexpected use. Further, reasonable expectations may change over time and the balancing test must take these changes into account.
The White Paper was developed in the context of CIPL’s ongoing GDPR Implementation Project, a multi-year initiative involving research, workshops, webinars and white papers, supported by over 80 private sector organizations, with active engagement and participation by many EU-based data protection and governmental authorities, academics and other stakeholders.