欧州データ保護委員会はGDPRに基づく「同意」に関するガイドラインを公表していますね
こんにちは、丸山満彦です。
欧州データ保護委員会はGDPRに基づく同意に関するガイドラインを公表していますね。。。
● EDPB (European Data Protection Board)
・2020.05.04 Guidelines 05/2020 on consent under Regulation 2016/679
・2020.05.04 [PDF] Guidelines 05/2020 on consent under Regulation 2016/679 Version 1.0
訳はこなれていない。。。
0 Preface | 0 序文 |
1 Introduction | 1 はじめに |
2 Consent in Article 4(11) of the GDPR | 2 GDPR第4条(11)の同意 |
3 Elements of valid consent | 3 有効な同意の要素 |
3.1 Free / freely given | 3.1 自由/自由に与えられる |
3.1.1 Imbalance of power 3.1.2 Conditionality 3.1.3 Granularity 3.1.4 Detriment |
3.1.1 パワーの不均衡 3.1.2 条件付き 3.1.3 粒度 3.1.4 デメリット |
3.2 Specific | 3.2 特定 |
3.3 Informed | 3.3 通知 |
3.3.1 Minimum content requirements for consent to be ‘informed’ 3.3.2 How to provide information |
3.3.1 「通知」を受けるための同意の最低限の要件 3.3.2 情報の提供方法 |
3.4 Unambiguous indication of wishes | 3.4 明確な意思の表示 |
4 Obtaining explicit consent | 4 明示的な同意の取得 |
5 Additional conditions for obtaining valid consent | 5 有効な同意を得るための追加条件 |
5.1 Demonstrate consent | 5.1 同意を示す |
5.2 Withdrawal of consent | 5.2 同意の撤回 |
6 Interaction between consent and other lawful grounds in Article 6 GDPR | 6 GDPR第6条における同意とその他の合法的根拠の相互作用 |
7 Specific areas of concern in the GDPR | 7 GDPRにおける具体的な懸念事項 |
7.1 Children (Article 8) | 7.1 児童 (第8条 |
7.1.1 Information society service 7.1.2 Offered directly to a child 7.1.3 Age 7.1.4 Children’s consent and parental responsibility |
7.1.1 情報社会サービス 7.1.2 子供に直接提供される 7.1.3 年齢 7.1.4 子どもの同意と親の責任 |
7.2 Scientific research | 7.2 科学研究 |
7.3 Data subject’s rights | 7.3 データ主体の権利 |
8 Consent obtained under Directive 95/46/EC | 8 指令 95/46/EC に基づいて取得された同意 |
・[PDF] 個人情報保護委員会による日本語訳
0 PREFACE
On 10 April 2018 the Article 29 Working Party adopted its Guidelines on consent under Regulation 2016/679 (WP259.01), which were endorsed by the European Data Protection Board (hereinafter “EDPB”) at its first Plenary meeting. This document is a slightly updated version of those Guidelines. Any reference to the WP29 Guidelines on consent (WP259 rev.01) should from now on be interpreted as a reference to these guidelines. The EDPB has noticed that there was a need for further clarifications, specifically regarding two questions:
- The validity of consent provided by the data subject when interacting with so-called “cookie walls”;
- The example 16 on scrolling and consent.
The paragraphs concerning these two issues have been revised and updated, while the rest of the document was left unchanged, except for editorial changes. The revision concerns, more specifically:
- Section on Conditionality (paragraphs 38 - 41).
- Section on Unambiguous indication of wishes (paragraph 86)
1 INTRODUCTION
- These Guidelines provide a thorough analysis of the notion of consent in Regulation 2016/679, the General Data Protection Regulation (hereafter: GDPR). The concept of consent as used in the Data Protection Directive (hereafter: Directive 95/46/EC) and in the e-Privacy Directive to date, has evolved. The GDPR provides further clarification and specification of the requirements for obtaining and demonstrating valid consent. These Guidelines focus on these changes, providing practical guidance to ensure compliance with the GDPR and building upon the Article 29 Working Party Opinion 15/2011 on consent. The obligation is on controllers to innovate to find new solutions that operate within the parameters of the law and better support the protection of personal data and the interests of data subjects.
- Consent remains one of six lawful bases to process personal data, as listed in Article 6 of the GDPR.2 When initiating activities that involve processing of personal data, a controller must always take time to consider what would be the appropriate lawful ground for the envisaged processing.
- Generally, consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment. When asking for consent, a controller has the duty to assess whether it will meet all the requirements to obtain valid consent. If obtained in full compliance with the GDPR, consent is a tool that gives data subjects control over whether or not personal data concerning them will be processed. If not, the data subject’s control becomes illusory and consent will be an invalid basis for processing, rendering the processing activity unlawful.3
- The existing Article 29 Working Party (WP29) Opinions on consent4 remain relevant, where consistent with the new legal framework, as the GDPR codifies existing WP29 guidance and general good practice and most of the key elements of consent remain the same under the GDPR. Therefore, in this document, the EDPB expands upon and completes earlier Article 29 Working Party Opinions on specific topics that include reference to consent under Directive 95/46/EC, rather than replacing them.
- As the WP29 stated in its Opinion 15/2011 on the definition on consent, inviting people to accept a data processing operation should be subject to rigorous requirements, since it concerns the fundamental rights of data subjects and the controller wishes to engage in a processing operation that would be unlawful without the data subject’s consent.5 The crucial role of consent is underlined by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Furthermore, obtaining consent also does not negate or in any way diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially Article 5 of the GDPR with regard to fairness, necessity and proportionality, as well as data quality. Even if the processing of personal data is based on consent of the data subject, this would not legitimise collection of data, which is not necessary in relation to a specified purpose of processing and be fundamentally unfair.6
- Meanwhile, the EDPB is aware of the review of the ePrivacy Directive (2002/58/EC). The notion of consent in the draft ePrivacy Regulation remains linked to the notion of consent in the GDPR.7 Organisations are likely to need consent under the ePrivacy instrument for most online marketing messages or marketing calls, and online tracking methods including by the use of cookies or apps or other software. The EDPB has already provided recommendations and guidance to the European legislator on the Proposal for a Regulation on ePrivacy.8
- With regard to the existing e-Privacy Directive, the EDPB notes that references to the repealed Directive 95/46/EC shall be construed as references to the GDPR.9 This also applies to references to consent in the current Directive 2002/58/EC, as the ePrivacy Regulation will not (yet) be in force from 25 May 2018. According to Article 95 GDPR, additional obligations in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks shall not be imposed insofar the e-Privacy Directive imposes specific obligations with the same objective. The EDPB notes that the requirements for consent under the GDPR are not considered to be an ‘additional obligation’, but rather as preconditions for lawful processing. Therefore, the GDPR conditions for obtaining valid consent are applicable in situations falling within the scope of the e-Privacy Directive.
2 CONSENT IN ARTICLE 4(11) OF THE GDPR
- Article 4(11) of the GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
- The basic concept of consent remains similar to that under the Directive 95/46/EC and consent is one of the lawful grounds on which personal data processing has to be based, pursuant to Article 6 of the GDPR.10 Besides the amended definition in Article 4(11), the GDPR provides additional guidance in Article 7 and in recitals 32, 33, 42, and 43 as to how the controller must act to comply with the main elements of the consent requirement. 10. Finally, the inclusion of specific provisions and recitals on the withdrawal of consent confirms that consent should be a reversible decision and that there remains a degree of control on the side of the data subject.
-----
2 Article 9 GDPR provides a list of possible exemptions to the ban on processing special categories of data. One of the exemptions listed is the situation where the data subject provides explicit consent to the use of this data.
3 See also Article 29 Working Party Opinion 15/2011 on the definition of consent (WP 187), pp. 6-8, and/or Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (WP 217), pp. 9, 10, 13 and 14.
4 Most notably, Opinion 15/2011 on the definition of consent (WP 187).
5 Opinion 15/2011, page on the definition of consent (WP 187), p. 8.
6 See also Opinion 15/2011 on the definition of consent (WP 187), and Article 5 GDPR.
7 According to Article 9 of the proposed ePrivacy Regulation, the definition of and the conditions for consent provided for in Articles 4(11) and Article 7 of the GDPR apply.
8 See EDPB statement on ePrivacy - 25/05/2018 and EDPB Statement 3/2019 on an ePrivacy regulation.
9 See Article 94 GDPR.
10 Consent was defined in Directive 95/46/EC as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed” which must be ‘unambiguously given’ in order to make the processing of personal data legitimate (Article 7(a) of Directive 95/46/EC)). See WP29 Opinion 15/2011 on the definition of consent (WP 187) for examples on the appropriateness of consent as lawful basis. In this Opinion, WP29 has provided guidance to distinguish where consent is an appropriate lawful basis from those where relying on the legitimate interest ground (perhaps with an opportunity to opt out) is sufficient or a contractual relation would be recommended. See also WP29 Opinion 06/2014, paragraph III.1.2, p. 14 and further. Explicit consent is also one of the exemptions to the prohibition on the processing of special categories of data: See Article 9 GDPR.
« 韓国:公共データ戦略委員会がデータ活用戦略を発表してますね。。。 | Main | GoogleとAppleのCOVID-19 "Exposure Notifications" APIの提携の話・・・ »
Comments