Last year, I had the privilege of chairing and moderating a panel of data protection/privacy lawyers speaking on European General Data Protection Regulation (GDPR) developments at the Ontario Bar Association’s (OBA) “Privacy Law Summit”. The Privacy Law Summit is a Continuing Professional Development (CPD) conference organized annually by the Privacy and Access to Information Law Section Executive at the OBA – an executive committee that provides specialized privacy subject matter expertise to public bodies, legal practitioners, and corporate in-house counsel. OBA CPD conferences generally are delivered to the OBA’s 16,000 person-strong membership to ensure that they, and their clients or employers stay ‘ahead of the curve’ – meeting regulatory compliance challenges head-on with confidence. Last year’s Privacy Law Summit attracted an interesting and diverse crowd of over 100+ regulators, in-house counsel, data scientists, and lawyers. Our panel was one of many held over the course of the conference, and we discussed some of the GDPR hot topics including lessons learned from how European data protection regulators are enforcing the regulations (i.e. fines for non-compliance).
Unfortunately owing to COVID-19 pandemic considerations, the 2020 Privacy Law Summit has been postponed. Regulators are active in fulfilling their public mandate, health pandemic or not, and updates remain important to keep abreast of, as new scenarios arise that challenge what it means to ‘comply’ with the GDPR. As many have commented, when it comes to the GDPR, compliance is a journey, not an overnight destination. This update is intended to ensure the trip is a smooth one.
The European Data Protection Board (EDPB) has the mandate of issuing regulatory guidance and promotes cooperation between the EU’s data protection authorities which have the power to issue fines and penalties. Last week, the EDPB issued updated guidance on the permissible way to provide consent to process a user’s personal information when it comes to Cookies. There was also an update on the conditions under which physical motions to indicate consent are allowed (‘physical motions’ refer to popular smartphone app user interfaces where the user can control app functions with simple physical touch movements such as ‘swipe right/left’ to indicate acceptance of a command, or express a desire to move to another distinct web page).
The verdict? For Cookies, the EDPB has stated that in order for a website user’s consent to be freely given, access to services and functionality on a given website cannot be conditional on consent of the user having Cookies accessed or stored on their computer (so called ‘Cookie Walls’). This guidance has remained consistent with the EDPB’s previous guidance on ‘bundling’ consents – that is a scenario where in order to obtain the service, a user must provide consent to process their personal information for a purpose that is not necessary for the performance of the contract, ‘bundled’ with that which is necessary. In other words, the user is not actively using their free will as they are ‘forced’ to provide information to the organization(s) collecting their personal information for the non-necessary service, in order to get what they actually desire. Even though in the case of Cookies, the website user isn’t ‘losing out’ on the necessary service (i.e. basic use of the website) by not consenting to a ‘bundled consent’ for all types of cookies placed on their computer, they are suffering a detriment because of reduced website functionality, services, and content if they don’t consent.
As for physical motions…
IAB Europe’s advertising bidding model uses personal data, EU court rules
After clarification from Luxembourg, the Belgian Court of Appeal will now rule on the case…