This week, few lawyers have the luxury of not having to be data protection experts, which is why the subject is intruding into my IP blog. Thank goodness it will all be over on Friday and we can settle down to working with the General Data Protection Regulation, until data protection law is repatriated and instead we have the Data Protection Act 2018 and "the Applied GDPR".
We are all acutely aware that many data controllers are taking the opportunity to refresh consents from the people whose data they publish. It's a great opportunity to do some housekeeping, of course, but not all the consents are necessary, nor do they need to be refreshed. First of all, consent should rarely be the lawful basis of choice for data processors: the legislation offers several other possibilities, of which "legitimate interests" is probably the most useful. The data processor's legitimate interests in processing personal data must, it is true, be balanced against the interests and fundamental rights and freedoms of the data subject, which may override them - thus removing the lawful basis: so legitimate interests per se are not a lawful basis. But when will the data subject's interests (etcetera) override them? How long is a piece of string? It's questions like this that make advising on data protection like nailing jelly to a wall.
For data controllers who still feel the need for consent, it's not always necessary to get it afresh at this point, as this article from The Guardian reports. Consent obtained under the old law, provided it meets the conditions of the GDPR, still works. How do we know? Because (apart from common sense) Recital 171 to the Regulation tells us so. And that, I think, tells us a great deal about this almost impenetrable piece of legislation ... (What do you mean, you gave up before you got to Recital 171?)