EU GDPR: User Consent & Controller Liability
by Ryan Cooper

For companies doing business in the EU, the new General Data Protection Regulation (GDPR) creates many pitfalls, including the risk that a business may over- or under-comply with the GDPR. In our last post we introduced the general parameters of the new GDPR and how it differs from the outgoing Data Protection Directive. In today’s post, we dig a little deeper into the concept of user consent and the liability of the data controller.

One of the significant changes enacted in the GDPR is the higher and more rigorous test for determining whether a user has validly consented to having their data processed. Consent must be freely given, specific, informed and unambiguous, and the GDPR lists four key conditions for it to be valid. First, the party ultimately responsible for processing the user’s personal data (the controller) must be able to demonstrate that the user has consented to having their data processed. Second, if the consent is contained within an agreement addressing other matters beyond just consent to data processing, the request for consent must be “clearly distinguishable” from those other matters. Third, users must be allowed to withdraw their consent “at any time,” and doing so must be as easy as giving it. Finally, the GDPR rejects user agreements that compel a user, as a condition of the service, to consent to data processing that is not necessary to provide the service he or she has signed up for; consent extracted that way is not considered freely given.

It is also important to remember that specific categories of information trigger heightened consent requirements. Absent one of the narrow exceptions the regulation lists, the following categories of information cannot be collected and processed without explicit consent, obtained after specifying what categories of information will be processed and for what purpose:

  • Ethnic and racial information;
  • Political opinions;
  • Religious and philosophical beliefs;
  • Genetic or health data; and
  • Sexual orientation data.

Liability under the GDPR can extend globally as a result of its concept of the data controller. The controller is the party ultimately responsible for the information processing. Specifically, a controller is the party that determines the purposes and means of processing personal data. A company operating in the EU through a vendor or subcontractor is therefore likely the controller and ultimately responsible for compliance with the GDPR (and liable for violations), even though the actual processing is done by vendors located inside or outside the EU. Those vendors are “processors” under the GDPR and carry their own direct obligations, but that does not relieve the controller of its responsibility for the processing it directs.

The GDPR is a complicated regulation that all businesses should be paying attention to. In our next post we will examine some exceptions to the GDPR and areas where it may not apply. In the meantime, if you do business with the EU, it is important to examine the extent to which the GDPR will apply to you.

Ryan J. Cooper, Esq., CIPP/US
600 Linden Place
Cranford, NJ 07016