The second webinar co-organized by the Cyber Security Coalition Privacy Focus Group and Beltug tackled the issue of “tensions on ‘consent’ under the GDPR”, with some extra attention to cookie-related consent. Prof. Paul De Hert and Mr. Gianclaudio Malgieri (VUB LSTS) provided well-documented insights into the tricky legal areas of ‘consent in the GDPR’, ‘the crisis of consent’ and ‘three tensions on consent’.
Interestingly, consent is straight off stressed to be only as good as the other grounds, and often perhaps not the most appropriate option (e.g., with a view to the data subjects’ rights). And consent cannot be used to ask for personal information that is not strictly necessary for the purpose at hand. Today’s ‘crisis of consent’ impacts both data subjects (fatigue, overload) and controllers/processors (difficult to be compliant, e.g. big data).
The session concluded by discussing three tensions, including some apparent contradictions between GDPR and other directives. The first relates to the demand for unnecessary personal info, between the GDPR (interdiction) and the 2019/770 directive on Digital Content/service. The second puts consent validity in the GDPR versus cookies ‘easy’ consent in e-Privacy. At this point, GDPR stands as the reference law, though more clarification (e.g., by DPA’s) is required. The third ‘tension’ involves consent versus ‘legitimate interest’ in sensitive areas as marketing and research, as well as when vulnerable data subjects are involved.
This is a session that will amply reward an attentive replay, with plenty of food for study.