“If you start reading all privacy notices you receive, you will spend too much time reading these notices. On the other hand, if a person [ticks a box] ‘I accept and understand’ but they don’t know what they’re consenting to, that is not acceptable either. A reasonable approach is in-between,” said Giovanni Buttarelli, the European Data Protection Supervisor.

Unambiguous consent, he says, means it must not only be explicit but meaningful, not a case of pre-ticked boxes or a case where you have no alternative but to continue through to a website.

Read the full interview in Digiday.

“Europe has taken the first steps to protect citizens’ privacy and our new regulations have proven to be effective — both for our citizens and our businesses… It’s time for America to join us, Japan and many others in our work, and be part of setting the global standards on privacy.” — European Commissioner Vera Jourova on why the U.S. needs a strong privacy law.

“If the EU and U.S. can find common ground on how to legislate privacy, the world’s tech giants would really be forced to embrace change. Only by working together can we create an environment where businesses can send data freely and citizens regain trust in the digital world.”

Read the full story in Politico.

“This call may be recorded for training purposes…if you consent say ‘Consent’.”

The Danish Data Protection Authority (Datatilsynet) has ordered a company to cease recording phone calls for training purposes until it implements a technical solution that makes it possible to obtain the caller’s consent for doing so.

In this case the complainant called the company’s customer service and was informed that the call would be recorded for training purposes. He was not asked to consent. After requesting that the recording be stopped, he was informed that this was not possible.

Takeaways:

  • If you intend to record calls for documentation purposes (to show what the representative told the caller) you need to disclose this clearly.
  • As a default position, Datatilsynet holds that the legal basis for recording calls for educational purposes is consent.
  • In exceptional circumstances, there may be a legitimate interest which necessitates recording without consent and where processing may take place on the basis of the interest-weighting rule in Art 6(3) GDPR.

Read the full decision.

“The crucial, crucial change [GDPR] brought was around accountability. Accountability encapsulates everything the GDPR is about,” says UK Information Commissioner Elizabeth Denham.

Denham said companies must understand the risks that they create for others with their data processing, and mitigate those risks. GDPR also formalizes the move away from box ticking to seeing data protection as something that is part of the cultural and business fabric of an organization. It reflects that people increasingly demand to be shown how their data is being used, and how it is being looked after.

However, she said this change is not yet evident in practice. “I don’t see it in the breaches reported to the ICO. I don’t see it in the cases we investigate, or in the audits we carry out,” she said. According to Denham, the next phase of GDPR requires a refocus on comprehensive data protection – embedding sound data governance in all business processes.

Details from Computer Weekly.

The European Parliament weighs in on data brokers and data processing in the context of elections in a published answer to a parliamentary question.

“Under the General Data Protection Regulation (GDPR), data brokers may act as controllers or processors depending on the degree of control they have over the processing.”

When data brokers process data in the electoral context, they often process special categories of data such as data revealing political opinions or religious beliefs. Such processing is prohibited, except where one of the justifications in Article 9(2) GDPR, such as explicit consent, can be relied upon.

Read the full text.

The Canadian Office of the Privacy Commissioner has issued a “consultation on cross border transfers,” detailing its policy and seeking comments from stakeholders.

Key points on which consultation is sought:

  • Individuals would reasonably expect to be notified if their information was to be disclosed outside of Canada and be subject to the legal regime of another country.
  • Individuals must be informed of any options available to them if they do not wish to have their personal information disclosed across borders.
  • When disclosing personal information to a third party for processing, a company does not relinquish control of the information.

According to the OPC, the document “aims to explain how the OPC’s approach on cross border data flows, including transborder transfers for processing, has evolved and to solicit feedback from interested parties.”

Read the full text.

How has GDPR enforcement played out in the past year?

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, or AP) recently published a report on its 2018 activities.

The report highlights the growth of GDPR enforcement actions:

  • 27,000 people contacted the AP by telephone about the Privacy Act (2017: 9,500).
  • AP received more than 11,000 complaints.
  • AP handled 720 complaints and 298 data breach reports through an intervention such as sending a letter with an explanation of standards to an organization or having a discussion about standards.
  • AP completed 16 investigations and started 17 enforcement processes in 2018. These have led to sanctions.
  • AP received 781 international cases, such as complaints, data breaches and ex officio cross-border investigations originating from the Netherlands and other European regulators.

Details from the Dutch Data Protection Authority.

Beware the unsolicited email.

UK ICO fines a pensions company £40,000 for sending nearly two million direct marketing emails without consent.

Points to note:

  • You can’t generally send marketing emails without receiving the consent of the recipient.
  • Even if you use a third party mailer, it is your responsibility to ensure consent has been duly received.
  • Indirect consent, i.e. where an individual tells one company that they will consent to receive emails from another company, will not suffice for texts, emails or automated calls unless it is clear and specific enough.
  • Consent will not be valid if individuals are asked to consent to receive marketing from “similar organizations,” “partners” or “selected third parties” or similar generic descriptions. A long list of categories or organizations will not suffice.
  • The company should have ensured it was specifically named in the websites where the individuals’ consent was acquired.
  • The penalty was limited because the company consulted extensively with a recognized data protection consultant, though such advice was misleading.

Details from the ICO.

Some in Congress are renewing calls for strict federal privacy protections.

“We need a privacy bill of rights, a set of protections that is no less stringent than the people of California enjoy, no less protected than the people of Europe have,” says Sen. Richard Blumenthal (D-Conn.).

Jerry Moran (R-Kan.) also cited both the California law and the GDPR implementation to say it was clear the U.S. needed a federal consumer data privacy law “that provides clarity in an increasingly complex regulatory environment.”

Moran has been working with Blumenthal, full committee chair Roger Wicker (R-Miss.) and others on the Commerce Committee in an effort to identify responsible federal privacy standards that “provide clear and effective protections for consumers while also aiming to provide some regulatory certainty to businesses…”

Details from Multichannel News.

The California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR) apply even to companies with fewer than 250 employees… but they may not know it yet.

A recent study reveals that “Company size definitely influences knowledge and preparedness levels. 51 percent of the companies that had at least 250 employees felt they had a high level of knowledge of data protection and privacy regulations, while only 12 percent of the smallest companies shared that confidence.”

Details from CPO Magazine.