
Privacy watchdog: businesses that demand personal data in return for services run foul of new EU data protection laws

Out-Law News | 26 Apr 2017 | 9:52 am

Businesses that require consumers to provide data about themselves in return for access to the services they offer will not have valid consent to process that information under new EU data protection laws, according to an EU privacy watchdog.

Some businesses in digital markets, including mobile app developers, offer access to their services or content to consumers for no financial payment. Instead, they require users to give up access to their personal data in return for gaining such access.

European Data Protection Supervisor Giovanni Buttarelli raised concern about this concept of personal data as 'counter-performance' for access to a website or mobile app in a new opinion (40-page / 1.79MB PDF) issued on new EU e-Privacy laws that the European Commission has proposed. He said businesses that adopt that business model will be in breach of the General Data Protection Regulation (GDPR) which will apply from 25 May 2018.

"Consent is valid only if freely given and withdrawn without detriment to the individual concerned," Buttarelli said. "The notion of ‘counter-performance’ creates additional obligations for the individual and is not consistent and compatible with the notion of consent under the GDPR."

"The notions of ‘paying with personal data’ and offering personal data as ‘counter-performance’ would indeed therefore undermine the current legal grounds for lawful processing as set out in article 6 of the GDPR," he said.

Buttarelli's comments reflect concerns also expressed by the UK's Information Commissioner's Office (ICO) in its draft guidance on consent under the GDPR, which it consulted on earlier this year. The finalised guidance has still to be published.

The ICO said organisations should avoid making consent to such processing "a precondition of signing up to a service unless necessary for that service", as consent in those circumstances would not be considered to be 'freely given', as is required under the GDPR. However, it said it could be open to some businesses to "incentivise consent to some extent" as long as they are "careful not to cross the line and unfairly penalise those who refuse consent".

"For example, if joining the retailer’s loyalty scheme comes with access to money-off vouchers, there is clearly some incentive to consent to marketing," the ICO said. "The fact that this benefit is unavailable to those who don’t sign up does not amount to a detriment for refusal."

In his new opinion, Buttarelli said the Commission's proposed new e-Privacy Regulation should be amended to strengthen provisions around end-user consent to data processing in the context of electronic communication services.

"Consent must be requested from the individuals who are using the services, whether or not they have subscribed for them and from all parties to a communication," Buttarelli said. "In addition, data subjects who are not parties to the communications must also be protected."

Buttarelli also said steps should be taken to ensure that there are no "loopholes for the protection of personal data" as a result of the relationship between the GDPR and the e-Privacy Regulation.

"Personal data collected based on end-user consent or another legal ground under the e-Privacy Regulation must not be subsequently further processed outside the scope of such consent or exception on a legal ground which might otherwise be available under the GDPR, but not under the ePrivacy Regulation," Buttarelli said.

In addition, Buttarelli said businesses should not be allowed to make access to their websites "conditional upon the individual being forced to ‘consent’ to being tracked across websites" under the new e-Privacy Regulation.

His published opinion said: "In other words, the EDPS calls on the legislators to ensure that consent will be genuinely freely given."