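The European Data Protection Board (EDPB) adopted its latest Guidelines 05/2020 (the "Updated Guidelines") on 4 May 2020, mainly clarifying two aspects of "explicit consent" under the EU General Data Protection Regulation ("GDPR").
Under the GDPR, a data controller may process a data subject's data only when certain conditions are met, one of which is that the data subject has given "explicit consent".
The concept of "explicit consent" is very important, because such "consent" has a legal basis only if the data subject is given control over his or her data and, whether the data subject accepts or declines the terms offered, his or her own interests are not affected.
Under Article 4(11) GDPR, "consent" is defined as "freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
The latest Updated Guidelines mainly clarify two issues: whether "consent" obtained through cookie walls, and the act of scrolling a web page, amount to "explicit consent" under the GDPR.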
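I. Cookie Walls
Generally speaking, a cookie wall is a pop-up that blocks the data subject's use of a web page until the data subject agrees to the use of cookies to track his or her online activity.
Under the GDPR, bundling consent with the acceptance of terms or conditions, or tying the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract or service, is highly undesirable. Consent given in such circumstances is presumed not to have been freely given, and the data controller's processing of the personal data is therefore unlawful.
This raises a question: can a data controller use a cookie wall to restrict a data subject's access to its website? For example, the data controller blocks the content of its website unless the data subject presses the "Accept cookies" button.
On this question, the Updated Guidelines state that access to services and functionalities must not be made conditional on the data subject's consent to the storing of information, or the gaining of access to information already stored, in his or her terminal equipment (so-called cookie walls).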
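II. Scrolling a Web Page
Under the GDPR, "consent" requires a statement or a clear affirmative act from the data subject. The Updated Guidelines state that the best "clear affirmative act" is a written statement made by the data subject, but they also acknowledge that such a formal way of expressing consent is often unrealistic.
The Updated Guidelines confirm that ticking an optional (not pre-ticked) "I consent" box can be regarded as a "clear affirmative act".
In practice, data controllers often ask data subjects to perform particular actions in order to meet, as far as possible, the GDPR standard of "explicit consent", for example: swiping a bar on a screen, waving in front of a smart camera, or turning a smartphone clockwise or in a figure-eight motion.
The Updated Guidelines take the view that data controllers are entitled to design a data subject "consent action" that fits their own rules and procedures, but such an action will not necessarily meet the GDPR standard of "explicit consent". For example, the Updated Guidelines specifically state that scrolling or swiping through a web page, or similar activity, will not under any circumstances satisfy the requirement of a "clear affirmative act", because such activity is difficult to distinguish from the data subject's other actions. In addition, a data subject's continued use of the ordinary functions of a website is likewise not regarded as a "clear affirmative act", because it too is difficult to distinguish from other actions.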
The European Data Protection Board (“EDPB”) adopted its latest Guidelines 05/2020 (the “Updated Guidelines”) on consent under the EU Regulation 2016/679 (“GDPR”) on 4 May 2020.
As a reminder, under GDPR, a data controller is only allowed to process the data of a data subject if certain conditions are met, one of them being when the data subject has given his/her explicit consent.
However, there have been discussions as to the very notion of “explicit consent”. The question is of importance, since consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment.
GDPR defines consent as “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Article 4(11) GDPR).
The Updated Guidelines are an updated version of the previous Guidelines adopted by the Article 29 Working Party on 10 April 2018, which were later endorsed by the EDPB.
The main clarifications in the Updated Guidelines concern the questions related to “cookie walls” and the issue of scrolling and consent.
GDPR indicates that, among others, bundling consent with acceptance of terms or conditions, or tying the provision of a contract or a service to a request to consent to process personal data that are not necessary for the performance of that contract or service, is considered highly undesirable. If consent is given in such a way, it will be presumed as not having been given freely and it will therefore not be a lawful basis for a data controller to process data of a data subject.
The question was therefore raised whether a data controller was allowed to restrict access to their website subject to the acceptance of cookies. Such cases arise, for example, if a data controller blocks the content of his website unless the data subject clicks on the “Accept cookies” button.
The Updated Guidelines confirm that access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so-called cookie walls).
The Updated Guidelines recall that the GDPR is clear that consent requires a statement from the data subject or a clear affirmative act, which means that it must always be given through an active motion or declaration. While the Updated Guidelines mention that the best “clear affirmative act” would be a written statement given by the data subject (e.g. letter or e-mail), they also admit that such a formal way of giving consent might often not be realistic.
The Updated Guidelines confirm that the active ticking of an optional (non pre-ticked) opt-in box mentioning “I consent” can be considered as a “clear affirmative act” to consent to the processing (Updated Guidelines Example 14, paragraph 80).
Nevertheless, the Updated Guidelines indicate that data controllers have the liberty to develop a consent flow that suits their organization, and physical motions may qualify as a clear affirmative action under GDPR.
Continuing the ordinary use of a website is not considered as a clear affirmative act, as it cannot be distinguished from other actions.
Physical motions that may qualify as such may include (Updated Guidelines Example 16):
· swiping a bar on a screen,
· waving in front of a smart camera,
· turning a smartphone around clockwise or in a figure eight motion
However, the Updated Guidelines consider that scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of “clear and affirmative action” as they may be difficult to distinguish from other activities or interaction by a user.