The GDPR Era – First impression and observations

The European Union’s General Data Protection Regulation (the “GDPR”) that came into effect on 25 May 2018, is touted as the most widespread and robust change to data privacy and protection law in the world. Many entities around the world have been engaged for many months trying to put in place processes and mechanisms to ensure their compliance with the GDPR. Now that the regulation is effective, it will be interesting to evaluate whether on the basis of purposive interpretation, the letter and spirit of the GDPR has in fact been followed by those under its jurisdiction. In the course of this article, we will take a look at some of the most common changes and announcements made by companies around the world in order to be compliant with the GDPR and compare these changes with the corresponding GDPR principles/requirements that they have been made in response to.

Obtaining Explicit Consent

One of the core requirements of the GDPR is to ensure that companies and entities take the explicit and active consent of all data subjects prior to collecting, storing and/or using any of their personally identifiable information (“PII”). This is in line with the GDPR’s underlying principle of ensuring that the data subjects always take priority and are the most important stakeholders. Additionally, prior to the introduction of the GDPR, many experts in the field of data privacy and protection who reviewed the regulation contended that, in order to take a data subject’s explicit consent, the regulation seemed to specifically require some action or activity on the part of the data subject, such as clicking a button or an option. This is believed to be necessary to clearly and unambiguously show their agreement to a company’s usage of their PII. Consequently, if this requirement is indeed mandatory, the established practice of implying a data subject’s acceptance of terms through their continued usage of a website/service would not be sufficient any more.

However, over the last two months, as many users around the world have received communications regarding service providers’ updates to their Terms of Service and Privacy Policy, we have noticed that very few service providers have actually followed the above method of taking consent. Instead, the previous practice of implying consent has continued to be followed. The majority of the emails and the communications have contained information regarding how a company/entity has altered its Terms and/or Privacy Policy, and how it is ensuring compliance with the GDPR, but without actually asking the data subjects for their explicit consent to the changes. This may not be in conformity with the GDPR, which mandates that every data subject, whether existing (that is, before the regulation came into effect) or new, is required to provide their explicit consent before a company/entity can collect or use their PII. Only a minority of companies have been asking their data subjects to re-confirm their acceptance of the revised terms/privacy policy before continuing to use the services.

Full Disclosure

Another important requirement of the GDPR is ensuring that all companies and entities disclose all information to their data subjects, specifically with respect to any of their PII. This includes, but is not limited to, what data is being collected, how it is being stored, how it is being used, how long it is required for, whether it is/will be shared with any third-party, why such sharing is necessary etc. This requirement is important to ensure that data subjects are at all times aware of exactly how their PII is being treated, and so that they can take an informed decision regarding accepting or rejecting a company’s terms and/or privacy policy.

On a plain reading of the regulation, it would seem that all of the above-mentioned information will need to be specifically provided by the companies/entities to the data subjects. However, most companies/entities have only been making the above disclosures in vague language. For example, instead of specifying which third-parties, or what kinds of third-parties, the PII is or may be shared with, many companies have simply included a blanket statement stating that the PII will be shared with third-parties/service providers ‘as may be necessary to provide the services’. Such statements provide no information as to who the PII is being shared with, what functions the third-parties are performing on the PII, etc., things that the GDPR seems to hold as critical. Further, companies have used such vague language in other disclosures as well. This may defeat the very purpose of the disclosures, as the data subjects are not truly aware of how and where their PII is being used, preventing them from being able to take informed decisions regarding the same.

Providing Data Subjects with Options

The GDPR recognises that many companies need to use and rely on multiple third-party service providers in order to provide their own end-service to the customers. Further, in the course of using such third-party service providers, many companies start adding and offering fringe/additional features and services to their customers. However, a lot of these features are often not connected or related to the core service being provided by the company – for example, Facebook may provide its users with targeted advertising on its platform, which is not connected to the main function of social networking. Yet, as the number of available features grew, companies started to club and offer all features together to their customers in an effort to generate greater revenues. This effectively meant that customers had no options with respect to which features they felt were useful and which ones weren’t – they could either subscribe to and use all features or use none.

Many data privacy experts around the world found the above situation to be unfair, as it may force users to either have their PII used for additional unnecessary purposes, or to pay for additional features that are not required by them. The GDPR sought to address this problem by stipulating that companies should stop bundling products and features together, instead specifying which features and services are necessary or critical to the core service. Any add-on features or services should explicitly be communicated to the users, and the users should have the option of deciding whether they want to subscribe to these or not, and whether their PII should be used for the same or not.

Unfortunately, it seems like this is another requirement of the GDPR that has not been followed. Companies are either continuing to club features and services or are devising ways to skirt the stipulations by arguing that even certain add-on features are critical to the core service. One of the prime examples of this is Facebook, which continues to make the usage of PII for the purposes of displaying personalised advertisements, games, application suggestions etc., mandatory for all users. In effect, one cannot use Facebook’s social networking platform unless they agree to their PII being used for all of the above purposes as well. This matter has already been acted on by Max Schrems, a prominent Austrian data privacy campaigner. He has filed a case worth USD 3.9 billion before the European regulator, contending that Facebook continues to use coercive tactics to collect unnecessary PII regarding its users, which it then uses to conduct automated profiling (an activity which requires the specific, separate, explicit consent of data subjects under the GDPR).

Way Forward

In principle, it seems as though the GDPR contains some extremely strict and robust stipulations. Yet, as has been shown above, there are many interpretations of this regulation, and companies around the world are already starting to find ways to read and implement the law in different ways. While it remains to be seen if these practices are in fact in contravention of the GDPR or not, if these practices continue the GDPR could be rendered no more effective than existing data protection laws, potentially failing to protect data subjects in the way that was initially expected. Thus, the way the above cases are handled, specifically the lawsuit filed against Facebook, could set the tone for how seriously companies take the need to adhere to the GDPR’s requirements. In our opinion, it will be more beneficial for the European regulator to take a strict view of the stipulations under the GDPR and set a precedent that pushes other companies to ramp up their compliance activities as well.

“By Default” – Consent By Default and Business Models

In 2003, Eric Johnson and Don Goldstein conducted a survey in which people were given one of two default choices: (i) one set of people were informed that the default was not to be an organ donor (opt-in), and (ii) the other set of people were told that the default was to be an organ donor (opt-out). The results of this survey were surprising. In the first case, where people had to opt in to be an organ donor, only 42% of people opted in or chose to become an organ donor. Whereas when people had to opt out and make a decision that they did not want to be an organ donor, only 12% of people opted out; 82% of people chose to remain organ donors.

All the major countries in the European Union have laws and regulations relating to organ donation, and it is exciting to see that countries with a default opt-out option have an average of 97.55% organ donors. Below is a chart which clearly shows the difference between the number of organ donors in countries where the default is opt-out and the number of organ donors in countries where the default is opt-in.

Explicit Consent (opt-in, gold) and presumed consent (opt-out, blue)[1]

This study demonstrates one fact: presumed consent, accompanied by an option to opt out, works far more effectively, sticks with people, and develops adherent behaviour in them.

But the primary question that has to be answered here is: why do default rules stick?

Before moving ahead and answering this question, let’s take another example to understand the applicability of default rules in modern-day businesses.

Setting default rules has helped a company capitalise on the subscription-based business model and dominate the OTT entertainment segment all across the globe. Netflix in India provides its services on a subscription-based model where a subscriber gets the first month of service free of cost and has to pay only from the second month. The FAQ section on the Netflix website says: “Try us free for 1 month! If you enjoy your Netflix trial, do nothing and your membership will automatically continue for as long as you choose to remain a member.”

Folks in the industry call this “negative option marketing”: people who accept a free product are automatically enrolled as members of a subscription plan which carries a monthly fee.

Recently, ‘Paytm’, a mobile pre-paid payment instrument in India, introduced an option where a user can automate the payment of their bills. A user may now fix a date for a bill payment, and the Paytm wallet will by default pay the bill on that particular day until the person opts out.

The point is that default rules or settings make life easier and more efficient. There are so many use cases – think of SaaS automated renewal, think of moving from free to paid services, etc.

Default rules stick because they are an efficient mechanism for making people do something, or not do something. Default rules tend to stick due to the power of inertia; they exploit and thrive on basic human tendencies such as forgetfulness, or perhaps procrastination, or is it laziness? People generally like things which do not require much effort. Or is it perhaps because someone else has to take the decision? “The preferred approach is to select the default rule that reflects what most people would choose if they were adequately informed.”[2]

Default rules have existed in law as well. For example, in the employer-employee relationship, copyright ownership rests with the employer unless otherwise specifically agreed upon. The Hindu Succession Act, 1956 has some default settings that apply unless and until a person executes a Will.

With the new General Data Protection Regulation (GDPR), which becomes effective at the end of May 2018 in the European Union, active consent, i.e. an active opt-in from a data subject, is required to use personally identifiable information. This surely has wide repercussions for various business models.

Have you thought of using the power of default settings in your business? Do you see use-cases where you can use the power of default settings in your business? It is also perhaps time to stop and think through the default settings you may have used earlier in your business.

Author: Manas Ingle is an Associate with NovoJuris Legal.

[1] Eric Johnson and Don Goldstein, Science, Vol. 302, 21 November 2003. Available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1324774.

[2] N. Craig Smith, Smart Defaults: From Hidden Persuaders to Adaptive Helpers.

Consent under GDPR

Data is the new oil, and the European Union, with the new General Data Protection Regulation (“GDPR”), wants to regulate it, come May 2018.

Given the wide territorial scope of the GDPR, the Regulation applies to the processing of personal data of any person (data subject) who is in the EU, regardless of where the data is processed, i.e. in the EU or outside of it. Hence, if an Indian company holds data of any person based in the EU, GDPR compliance becomes applicable and important.

“Consent” is one of the core principles of the GDPR. Consent is defined to mean “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. The conditions for consent are detailed in Article 7.

  1. Freely given: There should be a genuine choice on the part of the data subject when providing their data, and they should not be misled, intimidated or negatively impacted by withholding consent. Further, it is clarified that consent is not freely given if the data subject has no genuine and free choice or is unable to refuse or withdraw consent without detriment (Recital 42), and/or if there is a clear imbalance between the data subject and the controller (Recital 43). (‘Controller’ means a person/authority which determines the purposes and means of the processing of personal data.)
  2. Specific: Consent must relate to specific processing operations. Consequently, a general, broad consent to unspecified processing operations as they might arise will be invalid. To the extent data processing has multiple purposes, consent should cover all of those purposes (Recital 32). Consent should also cover all processing activities carried out for the same purpose or purposes (Recital 32). It would be quite a challenge to identify all the purposes at the time of collecting data. If various services are provided over time, consent would need to be obtained for each of those services, along with an option to opt in to them.

Statements such as ‘By agreeing to subscribe to the services being provided, it is assumed that the data subject is allowing the data controller to use the data in any manner that the controller might deem fit’ do not pass the GDPR test.

  3. Informed: The data subject should be aware at least of the identity of the controller and the intended purposes of the processing (Recital 42), and a right to withdraw consent must be provided, which could be a massive task to implement in back-end technology. The GDPR tries to give the data subject the right to withdraw consent at any time, as easily as it was given. However, this poses a considerable challenge in practice, which makes relying on consent somewhat unreliable. Further information must be given to the data subject to ensure fair and transparent processing.
  4. Unambiguous or Clear Affirmative Action: A statement or clear affirmative action means that the data controller or processor has to make sure that the data subject is given the chance and opportunity to give consent for the purpose and manner in which the information or data provided will be used. A data controller can only use the data or information collected from the data subject when there is an affirmative action on the part of the data subject.

Statements such as ‘if you do not indicate a choice or do not provide an explicit consent, we will assume that consent has been granted’ or ‘by browsing our website, you provide us with the consent to collect, gather and use your information or data for any purposes’ are not acceptable under the GDPR.

Silence, pre-ticked boxes and inactivity will not constitute consent, since there has to be an active consent (active opt-in).

Consent Fatigue: Every new purpose requires new consent. Multiple purposes require multiple consents. Every action must have affirmative consent. Consent cannot be treated as the default option prior to processing. Think of an IoT scenario, where the data subject could be bombarded with consent requests. Faced with such a situation, the data subject could mindlessly accept any consent request that comes along, which makes “consent” a meaningless exercise.

The other situation might be that the business collects exhaustive consent upfront for all of its activities, but the data subject may get tired of ticking all those boxes. This is scary for a business, because of the friction it causes at the time of gaining new customers and the risk that the data subject does not take the time to tick those boxes.

If the consent statement is broad, trying to cover all aspects, then there is a risk that it is not ‘specific’ or is ‘ambiguous’.

The question we ask is: perhaps ‘consent’ alone is not the right framework? Should there be more accountability on the data processors to balance the consent fatigue?

In response to the click fatigue issue, the Article 29 Working Party (WP29) provided guidance on 28 November 2017, saying: “An often-mentioned example to do this in the online context is to obtain consent of Internet users via their browser settings. Such settings should be developed in line with the conditions for valid consent in the GDPR, as for instance that the consent shall be granular for each of the envisaged purposes and that the information to be provided, should name the controllers.”

For Indian businesses having customers in EU, it is a challenge to be met.