Most GDPR emails unnecessary and some illegal, say experts

The Guardian, 21/05/2018, Alex Hern

The vast majority of emails flooding inboxes across Europe from companies asking for consent to keep recipients on their mailing list are unnecessary and some may be illegal, privacy experts have said, as new rules over data privacy come into force at the end of this week.

Many companies, acting based on poor legal advice, a fear of fines of up to €20m (£17.5m) and a lack of good examples to follow, have taken what they see as the safest option for hewing to the General Data Protection Regulation (GDPR): asking customers to renew their consent for marketing communications and data processing.

But Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood, said many of those requests would be needless paperwork, and some that were not would be illegal.

“Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR,” Vitale said. “The first question to ask is: which of the six legal grounds under the GDPR should you rely on to process personal data? Consent is only one ground. The others are contract, legal obligation, vital interests, public interest and legitimate interests.

“Even if you are relying on consent, that still does not mean you have to ask for consent again. Recital 171 of the GDPR makes clear you can continue to rely on any existing consent that was given in line with the GDPR requirements, and there’s no need to seek fresh consent. Just make sure that your consent met the GDPR standard and that consents are properly documented.”

In other words, if the business had consent to communicate with you before GDPR, that consent probably carries over, and even if it doesn’t carry over, there are five other reasons a company can cite for continuing to process data.

What’s more, Vitale said, if the business really does lack the necessary consent to communicate with you, it probably lacks the consent even to email to ask you to give it that consent.

“In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email.”

The lack of understanding around when and why consent is needed under GDPR has prompted the Information Commissioner’s Office to try to resolve some of the “myths” of GDPR.

“We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them,” Steve Wood, the deputy information commissioner, wrote in guidance for businesses. “So think about whether you actually need to refresh consent before you send that email, and don’t forget to put in place mechanisms for people to withdraw their consent easily.”

Like Vitale, Wood emphasised that asking for marketing consent from people who had not given it initially could be illegal. “It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act,” he said.

Lukasz Olejnik, a privacy researcher and consultant, said part of the problem was that many businesses were not in the habit of recording when and how they received the initial consent to contact customers, instead just storing vast databases of email addresses. “Some companies may simply be unable to demonstrate that they have consents, either because they don’t or they do not have a trace of it.

“This fact – that some companies simply never had consents or are unable to demonstrate having consents – is sometimes discussed among both policymakers and consultants. There are also discussions over companies not respecting even the existing data privacy regulations.”

Paul Jordan, the Europe managing director of the International Association of Privacy Professionals, offered one silver lining. “I think it’s quite clear that a number of companies won’t be ready [for GDPR], but if they can demonstrate they have been planning appropriately [then regulators will give them] a certain leeway.”

If not, those fines – of €20m or 4% of annual turnover – could be waiting.
