Representatives from some of the world's most powerful tech companies, Facebook Inc., Uber Technologies Inc., Dropbox Inc. and Salesforce.org, spoke on a panel this week that addressed the challenges potentially posed by General Data Protection Regulation compliance.

The discussion, hosted by the High Tech Law Journal at Santa Clara University School of Law on Wednesday night, brought leaders from all four companies together to discuss how they're preparing for the impending GDPR implementation date. On May 25, the new regulation on data protection and privacy will kick in for all companies collecting and processing European Union citizens' data.

One topic—consent under the GDPR—resurfaced throughout the evening. Under the new rules, companies must have “freely given, specific, informed and unambiguous” consent before collecting an individual's data. There are exceptions under the regulation though, including when companies have and can prove “legitimate interest” in the data (though there are varying interpretations of legitimate interest), or if data collection is required to carry out a contract the company has with a customer or user.

Amanda Katzenstein, product and privacy counsel for Salesforce.org, focused on the issue of getting consent in an employee-employer relationship, where there's often an imbalance of power large enough that she says it's tricky to get genuine consent from a legal standpoint.

“One of the major shifts that has occurred under GDPR is that you actually need to remove [requests for] consent when discussing the basis to process employee data, because of the huge discrepancy of power between the employer and the employee. The employee doesn't always really get a benefit and it's not going to be true consent,” Katzenstein said.

She added employers may have to prove they have a legitimate interest in the data they're collecting on employees and hires—like arguing background checks are necessary for security. If employers have legitimate interest in the data, according to the GDPR, they don't need consent to collect it.

Facebook lead product counsel Andrew Rausa discussed external issues with obtaining and maintaining consent. He said companies should be careful, as they don't necessarily have to make every aspect of a product consent-focused. If a business can't function without collecting certain data from users, Rausa says, the processing could be considered a contractual necessity under the GDPR, and wouldn't require consent.

“Consent is great, the unambiguous expression that somebody wants you to do that data processing. But think about that—think about if you actually need to do this processing in order to enable your business,” he said. Rausa noted that giving somebody the ability to consent also gives them the ability to withdraw consent.

“And think about it, if you're not able to process that data, are you able to run your business? And that is when, if you ask yourself that question, and you go, 'No, actually the agreement I had with the user requires me to do this data processing,' well, we now may be in the world of contractual necessity.”

In cases where a company does need to get consent from users to comply with new EU regulations, Rausa said they should start to get it now, if they haven't already.

Stu Eaton, Uber's director of product and privacy, also addressed companies' potential overuse of consent post-GDPR, and said he hopes that companies are thinking about moving off of consent as their primary basis for processing.

“This concept that consent is not good enough anymore, I don't think people have fully processed that yet,” Eaton said. “Because consent is one of the last things that you want to rely on necessarily, because it can be withdrawn, and withdrawing consent has actual consequences.”

The panelists discussed some of these consequences, and the difficulties of data erasure. Rausa said it's extremely important to sit down with engineers and find out what they're collecting, where it's stored, for how long and who has access to it, and to ensure that engineers aren't accidentally using data that an individual requested to have destroyed.

Dropbox head of risk and compliance Tolga Erbay had some advice of his own for those confused by the new EU regulation—just sit down and take a look at the whole thing.

“Read the GDPR,” Erbay said. “It's actually not as bad as you think it is.”