|
Editor’s Note: Recently the European Data Protection Board (EDPB) published revised guidance on the concept of consent under the GDPR. Provided below is a series of extracts as well as a complete copy of the recent guideline update for consideration by data and legal discovery professionals.
Extract from an article by Claude-Etienne Armingaud and Natali Adison (National Law Review)
EU Data Protection: Updated EDPB Guidance on Consent Clarifies the Mechanism for Cookie Consent
Approaching its second anniversary this month, the European General Data Protection Regulation (GDPR) has never been as relevant as in these unprecedented COVID-19 times. While several countries are considering the implementation of contact tracing apps, a consensus has seemed to surface on subjecting their use to a voluntary basis. The notion of “consent” remains, therefore, the cornerstone (albeit not the only one) of the European data protection framework.
In that regard, the European Data Protection Board (EDPB) issued a revised take on one of the first guidelines published by its predecessor, the WP29, in April 2018, taking into consideration the difficulties encountered by the stakeholders in the operational implementation of GDPR compliance. These clarifications come at a time where discrepancies in interpreting what constitutes valid “consent” emerge between various Member States’ Supervisory Authorities, especially as applicable to the use of cookies and other tracking technologies (together, “cookies”).
Read the complete article at EU Data Protection: Updated EDPB Guidance
Extract from an article published on the Privacy & Information Security Law Blog (Hunton Andrews Kurth)
EDPB Publishes Updated Guidelines on Consent under the GDPR
The EDPB aimed to provide further clarity around the validity of consent obtained through cookie walls and on whether scrolling through a webpage could constitute clear and affirmative consent under the GDPR. With respect to cookie walls, the EDPB Guidelines state that these types of mechanisms—which prevent users who do not accept the use of cookies from accessing a site or mobile app—are unlawful, as consent obtained this way cannot be considered freely given. Likewise, the EDPB Guidelines indicate that scrolling or swiping through a webpage, or similar user activity, does not constitute affirmative action that meets the conditions for valid consent under the GDPR. This practice also does not allow for easy consent withdrawal, in the EDPB’s view, and should not be used.
Read the complete article at EDPB Published Updated Guidelines on Consent under the GDPR
Extract from an article published by OneTrust DataGuidance
EU: EDPB Adopts Guidelines on Consent Under the GDPR
Moreover, the Guidelines state that, under the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), a service provider cannot prevent data subjects from accessing a service on the basis that they do not consent, and that access to services and functionalities must not be made conditional on the consent of a user to the placement of cookies in his/her terminal equipment. Furthermore, the Guidelines find that scrolling or swiping through a webpage, or similar user activity, will not satisfy the requirement of a clear and affirmative action, since it may be difficult to distinguish such actions from other activity or interaction of the user. Therefore, the Guidelines state that determining that unambiguous consent has been obtained will not be possible, and that it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it.
Read the complete article at EU: EDPB Adopts Guidelines on Consent under the GDPR
Extract from an article by Natasha Lomas (TechCrunch)
No Cookie Consent Walls – And No, Scrolling Isn’t Consent Says EU Data Protection Body
You can’t make access to your website’s content dependent on a visitor agreeing that you can process their data — aka a ‘consent cookie wall’. Not if you need to be compliant with European data protection law.
That’s the unambiguous message from the European Data Protection Board (EDPB), which has published updated guidelines on the rules around online consent to process people’s data.
Under pan-EU law, consent is one of six lawful bases that data controllers can use when processing people’s personal data.
But in order for consent to be legally valid under Europe’s General Data Protection Regulation (GDPR) there are specific standards to meet: It must be clear and informed, specific, and freely given.
Hence cookie walls that demand ‘consent’ as the price for getting inside the club are not only an oxymoron but run into a legal brick wall.
Read the complete article at No Cookie Consent Walls – And No, Scrolling Isn’t Consent
Extract from an article by Patrick Van Eecke and Anne-Gabrielle Haie (DLA Piper)
Europe: EDPB Updates Its Guidelines on Concept of “Consent”
What does it mean for business? Businesses must make sure that:
- Access to their service is not conditional to the user’s consent for the processing of his/her personal data;
- Users are provided with a genuine choice to accept or to decline the use of cookies
- Users are not prevented from accessing the website if they decline the use of cookies;
- Cookies are not installed until the users have genuinely provided their consent by accepting the use of cookies.
Read the complete article at EDPB Updates Its Guidelines on Concept of “Consent”
Guidelines 05/2020 On Consent Under Regulation 2016/79
Read the Complete Updated EDPB Guidelines on Consent Under the GDPR (PDF)
Updated EDPB Guidelines on Consent – 4 May 2020Read the Original Guidelines from the European Data Protection Board
Additional Reading
- The European Data Protection Board (EDPB)
- The European Data Protection Supervisor and the 2019 EDPS Annual Report
Source: ComplexDiscovery