In-House Leaders From Facebook, Uber and Others Discuss the Complexity of Consent in GDPR
Are companies seeking too much consent to process data? Too little? It's a situation that poses challenges for in-house lawyers far and wide.
April 20, 2018 at 03:16 PM
Representatives from some of the world's most powerful tech companies, Facebook Inc., Uber Technologies Inc., Dropbox Inc. and Salesforce.org, spoke on a panel this week that addressed the challenges potentially posed by General Data Protection Regulation compliance.
The discussion, hosted by the High Tech Law Journal at Santa Clara University School of Law on Wednesday night, brought leaders from all four companies together to discuss how they're preparing for the impending GDPR implementation date. On May 25, the new regulation on data protection and privacy will kick in for all companies collecting and processing European Union citizens' data.
One topic—consent under the GDPR—resurfaced throughout the evening. Under the new rules, companies must have “freely given, specific, informed and unambiguous” consent before collecting an individual's data. There are exceptions under the regulation though, including when companies have and can prove “legitimate interest” in the data (though there are varying interpretations of legitimate interest), or if data collection is required to carry out a contract the company has with a customer or user.
Amanda Katzenstein, product and privacy counsel for Salesforce.org, focused on the issue of getting consent in an employee-employer relationship, where there's often an imbalance of power large enough that she says it's tricky to get genuine consent from a legal standpoint.
“One of the major shifts that has occurred under GDPR is that you actually need to remove [requests for] consent when discussing the basis to process employee data, because of the huge discrepancy of power between the employer and the employee. The employee doesn't always really get a benefit and it's not going to be true consent,” Katzenstein said.
She added that employers may have to prove they have a legitimate interest in the data they're collecting on employees and hires—like arguing background checks are necessary for security. If employers have legitimate interest in the data, according to the GDPR, they don't need consent to collect it.
Facebook lead product counsel Andrew Rausa discussed external issues with obtaining and maintaining consent. He said companies should be careful, as they don't necessarily have to make every aspect of a product consent-focused. If a business can't function without collecting certain data from users, Rausa says, the processing could be considered a contractual necessity under the GDPR, and wouldn't require consent.
“Consent is great, the unambiguous expression that somebody wants you to do that data processing. But think about that—think about if you actually need to do this processing in order to enable your business,” he said. Rausa noted that giving somebody the ability to consent also gives them the ability to withdraw consent.
“And think about it, if you're not able to process that data, are you able to run your business? And that is when, if you ask yourself that question, and you go, 'No, actually the agreement I had with the user requires me to do this data processing,' well, we now may be in the world of contractual necessity.”
In cases where a company does need to get consent from users to comply with new EU regulations, Rausa said they should start to get it now, if they haven't already.
Stu Eaton, Uber's director of product and privacy, also addressed companies' potential overuse of consent post-GDPR, and said he hopes that companies are thinking about moving off of consent as their primary basis for processing.
“This concept that consent is not good enough anymore, I don't think people have fully processed that yet,” Eaton said. “Because consent is one of the last things that you want to rely on necessarily, because it can be withdrawn, and withdrawing consent has actual consequences.”
The panelists discussed some of these consequences, and the difficulties of data erasure. Rausa said it's extremely important to sit down with engineers and find out what they're collecting, where it's stored, for how long and who has access to it, and to ensure that engineers aren't accidentally using data that an individual requested to have destroyed.
Dropbox head of risk and compliance Tolga Erbay had some advice of his own for those confused by the new EU regulation—just sit down and take a look at the whole thing.
“Read the GDPR,” Erbay said. “It's actually not as bad as you think it is.”
© 2024 ALM Global, LLC, All Rights Reserved.