24 May 2018
Have I Missed Something?
General Data Protection Regulation 2018
By Lynda Goetz
As our cartoonist has highlighted in today’s issue, the new General Data Protection Regulation (GDPR) comes into force very, very soon, i.e. tomorrow 25th May. Like the rest of the population I am tearing my hair out trying to deal (or perhaps not deal) with all those incoming emails telling me that I need to confirm that I want some commercial organisation or other to ‘keep in touch’. In many cases, of course, I don’t. In fact I am still wondering how or why I get weekly, or even daily, emails from them in the first place; emails that I routinely delete without even reading.
However, one of the things I have found very confusing is that whilst some organisations have sent me urgent emails telling me that unless I confirm my interest they will no longer be able to keep me updated, others seem to have taken the opposite view; namely that they will continue to keep in touch unless I ‘unsubscribe’. Very puzzling, and who is right? Why might there be a difference? I decided that it was about time that I looked at the regulations themselves.
It did not prove difficult to find a website with the official PDF of the GDPR (Regulation (EU) 2016/679). Unfortunately, the regulations run to eleven chapters or 99 Articles (with 173 Recitals), so somewhat more difficult was to find the information I wanted without wading through endless legal and EU jargon. Clearly, without sitting down with a wet towel for several days I was not going to master in a few hours the content of these regulations drawn up over the last two years by numbers of EU lawyers. I was therefore thrilled to discover a heading entitled ‘Key Issues’. Perhaps this could lead me to an understanding of what these regulations really mean for the ordinary members of the public and why different organisations had taken different approaches to dealing with their obligations under these regulations?
Why for example had my gym not emailed me about this, whereas my yoga teacher had? Is everybody panicking unnecessarily? Why do Groupon feel they only need to tell me that they are ‘deeply committed to maintaining the trust and confidence’ of their customers and where to find their privacy policy, but that Waitrose and John Lewis consider that they can no longer contact me unless I ‘act now’ and ‘click above’ to continue hearing from them? Heathrow however considers that as long as they have sent me details of their new privacy notice and I am still happy to hear from them with ‘news, promotions, special offers and events’ then I ‘don’t need to do anything’. All very puzzling.
Under ‘Key Issues’, ‘Consent’ seemed a good place to start, so I clicked on the relevant heading. Valid legal consent is apparently defined in Article 7 and specified further in Recital 32. Recital 32 requires that consent may only be granted ‘through a clear negotiation… which includes the requirement for an opt-in’. It clearly states that ‘Silence, pre-ticked boxes or inactivity should not therefore constitute consent’. Ah ha! So is Waitrose right and Heathrow wrong? Of course, it’s not that simple.
I clicked on to ‘Email Marketing’, where it was confirmed that as newsletter mailing and email marketing are part of the modern world, ‘prohibition with opt-in permission applies here for the processing of personal data’. But wait… it would seem that there needs to be consent or a ‘statutory justification’. What on earth does that mean? Consent is not actually needed? Well, perhaps not if the person receiving the direct marketing is an existing customer of the person, company or business sending it out. Apparently, ‘much indicates that email marketing is allowed without consent, at least for existing customers’.
The conclusion seems to be that whether or not ‘a company supports the marketing measures afterwards on grounds of justified interest or on consent’, they do need to adhere to ‘comprehensive information obligations’. In other words, whether you are invited to opt in or opt out, the company needed to send you all that bumph (which I’m pretty dammed certain you didn’t read anyway), just so that they can avoid some sort of fine or penalty – the details of which you will be unsurprised to hear I have not looked into in detail! Oh, well, I’m sure ‘Data Protection’ will still be used as the excuse every time any employee doesn’t know whether or not he/she is allowed to impart information. Problem is of course that none of us will know either.
