Our Data Protection team respond to the Article 29 Working Party’s draft guidance on consent under the GDPR
The Article 29 Working Party (WP29), the European-wide body made up of one member from the supervisory authority in each EU member state, published its Draft Guidance on consent under the GDPR in December 2017. The consultation period closed on 23 January 2018.
Our Data Protection team produced a detailed critique of the WP29’s Draft Guidance which is available in full here
In summary, it is our view that the Draft Guidance is effective at analysing technical interpretations of the GDPR but it fails to achieve the aim of assisting businesses with complex issues which have been contentious since the GDPR’s adoption. For this reason we think the Draft Guidance contains material errors and omissions which must be resolved before final adoption of the Draft Guidance. Our consultation response sets out detailed explanations regarding each of the points that we have identified, but in short:
- Third Parties: There are numerous inconsistencies regarding naming of third parties to meet the requirements of “informed”. We call on WP29 to scrap this and revert to categorisations only.
- Layering consent: There are inconsistencies regarding the use of layering for consent. It’s our view that only a name and purpose of processing are necessary for the first layer, with other information to be made available through separate layers of a privacy notice. We call on WP29 to clarify its guidance on this point and to support the use of light layering of notices to better engage data subjects and support businesses.
- Delay: For many businesses, the issue of consent is of first importance for GDPR compliance. It ranks above other issues such as appointment of a data protection officer or other topics on which guidance has been finalised. Failing to prioritise this guidance, both at a national and European level, has caused and continues to cause significant issues for businesses. We believe this delay is unacceptable. We call on WP29 to honour a grace period during which enforcement under the new penalty regime is suspended for issues regarding consent.
- Repermissioning: We call on WP29 to provide better clarity regarding repermissioning of consent, particularly oral consent. We also believe that WP29 should assist businesses by explaining to them how soft-opt in interacts with consent in the context of electronic direct marketing, as this is an area often misunderstood by businesses (particularly SMEs).
- Children: The Draft Guidance fails to provide any information about the how consent is to be obtained in the context of the education sector. We also believe that the guidance regarding cross-border consent should state that the controller is to provide consent which works for children who are 13 even where the national supervisory authority in each member state has elected a higher age of consent (or indeed has left consent at 16 years). We also believe WP29 could give better guidance on how to obtain consent from children in the on-line environment, particularly in light of easily abused and overly simplistic technology practices.
If you would more information or guidance on the GDPR, please contact Matthew Holman, or you can give us a call on 0345 070 6000.