Vacations are over, everybody’s realizing May 25th 2018 is closer, so we should get this GDPR show back on track. This time, we have a little help from our friends at ePrivacy. Why did we do that? Because we are getting into complex matters, so we thought GDPR professionals should weigh in.
Let us start by introducing our guest: Prof. Dr. Christoph Bauer is the CEO of ePrivacy. ePrivacy advises and supports companies in the digital economy with all aspects and challenges of data protection. They are based in Hamburg, Germany, where data protection laws have been famously stricter than almost anywhere else. They think of data protection as a competitive advantage, and their independent consulting and certification offers have helped the likes of Criteo, Acxiom, Krux or Huawei.
Hence we immediately thought of them to get into the muddy waters of article 6(1)(f) and the to-be-approved ePrivacy regulation. For now, let us focus on the first conundrum: article 6(1)(f).
Opt-in, cookies and article 6(1)(f): A State of the Art
Let’s begin at the crux of the matter, the GDPR article listing criteria must be met to lawfully process data:
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (…)
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
This particular moment of the GDPR brings two alternatives to the table: for marketing purposes, you either create an opt-in to be able to collect data or your marketing initiatives clearly fulfil the legitimate interests clause.
So, how far can the legitimate interests of a company take you?
The legitimate interests’ path
This is exactly the type of question ePrivacy’s experts can answer swiftly. When we reached out to Prof. Dr. Bauer with this question, his clear answer was rather reassuring:
This clause grants legal permission, not only for classical direct marketing methods, but may also be applicable for online behavioral marketing measures, given that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest” (Recital 47 of the final Regulation). As a consequence, it will be possible to use personal data with the interest of direct marketing, as long as the interests of the data subject concerned are not overriding the marketing interests. (…)
Furthermore, he believes that this particular stance of Recital 47
The legitimate interests of a controller, including of a controller to which the data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on the relationship with the controller.
shows a “notable shift towards the US approach to data protection, given that the ‘reasonable expectations of users’ are evidently set to become the central point of departure for any consideration of this issue in the future: data, which users can reasonably expect to be processed, can be processed without the user’s consent – even by a third party”.
The reasonable expectations’ difficult interpretation
Despite the optimistic feeling to all of this, Prof. Dr. Bauer does have a few caveats:
In the future, most business models in the online industry will not require data subjects to give their consent to the use of their data, provided they stay within the bounds of their users’ ‘reasonable expectations’. The true scope of the ‘reasonable expectations’ criterion remains to be seen.
He does, however, have a few suggestions to make on this regard:
It may well make sense for companies to refer to such ‘reasonable expectations’ in their individual data protection declarations or privacy statements and, thereby, to include them into the scope of this criterion. (…) As the legitimate interest is quite new, it is even more difficult to draw a line, so probably both parties – authorities and the industry – will be quite careful to conduct an aggressive approach.
The ePrivacy legislation conundrum
The next questions we posed to ePrivacy dealt with the EU’s proposal for a Regulation on Privacy and Electronic Communications. This proposal, ironically nicknamed “ePrivacy” even if our kind guests had nothing to do with it, is still to be approved but expected to be enforced at the same time the GDPR itself.
It aims, in their own words, at “reinforcing trust and security (…) by updating the legal framework on ePrivacy“.
This particular regulation proposal will be the subject of our next post, but we leave you with the triggering question:
ShiftForward: Can you think of a situation that would clearly fulfil the legitimate interests paragraph?
Prof. Dr. Bauer: As of current interpretation this would be setting a third party cookie, building a profile and delivering advertising based on that profile. However, the ePrivacy regulation may contradict that approach.
Make sure to check our next blog post for this game changer legislation that is still under debate.