Is the EU Restriction on Use of Consent for Employment Purposes New to GDPR?

Lately, I have seen several background screening companies publish blog posts on the upcoming GDPR. As a refresher, the GDPR (General Data Protection Regulation¹) will come into effect May 25, 2018. It has a major impact in the European Union (“EU”) and beyond. Screeners will come under the Regulation if they screen individuals who reside in the EU or if they are located in the EU². I applaud these screeners for their work in understanding the GDPR and the impact to their company, clients, and data subjects.

However, one thing concerns me about some of the communications I’ve seen and discussions I’ve had—the conversation about the newness of the restriction on the use of consent as a means of legitimatizing the processing of personal data. Yes, you read that right. There is a restriction on the use of consent that can impact background screening. In the EU, the concern is about the use of consent as a lawful condition of processing when there is an imbalance of power. Article 6 of the GDPR lists the conditions for processing regular personal data and Article 9 addresses the conditions for processing special categories of data³. (For those of you in the U.S., remember that “special” data in the EU and other countries is not defined the same as it is in the U.S. In the U.S., we focus on information that has a high risk of identify fraud. Outside of the U.S., the focus is more on discrimination. Criminal record history is often thought of as being a “special” category of data and in some countries, is listed as a special category of information. In GDPR, it is separated out.) The requirement in the EU for consent to be valid is that it is freely given and unambiguous. This has been the requirement under the EU Data Protection Directive will remain so under the GDPR. EU authorities do not believe the employment relationship allows for true, freely-given consent, since there is an imbalance of power between the employer and the subject.

EU authorities have opined on this topic for years and have cited the employment relationship specifically as an example of an imbalance of power. In 2011, the Working Party drafted an entire opinion on Consent, Opinion 15/2011 on the definition of consent, and you can find the reference to the employment relationship issue on page 13: http://collections.internetmemory.org/haeu/20171122154227/http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp187_en.pdf.

It is true, there has been more attention devoted to this restriction on consent under the GDPR. Two recent documents continue the discussion: (1) the Article 29 Working Party, Opinion 2/2017 on data processing at work (http://ec.europa.eu/newsroom/document.cfm?doc_id=45631), and (2) the draft (http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=615239). I hear screeners talking about how to address processing without consent, now; something I rarely heard before GDPR. But this is not a new concept.

Another concern I have on the whole topic of GDPR consent is the lack of information about the additional obligations that GDPR brings on if consent is used as a basis for legitimizing the processing. For example:

• The GDPR is prescriptive about the content of a consent. Conditions for consent are laid out in Article 7.
• The subject must have the right to withdraw consent {Article 7(3)}.
• Consent for processing special categories of data must be explicit {Article 9(2)}.
• Article 88 allows for Member States to create additional rules for consents in the employment context.
• The use of consent as a legitimate basis for processing will trigger additional rights of the subject. For example, they will have the Right to Erasure (Article 17) and the Right to Data Portability (Article 20).

Consent is not the only means a Controller has in establishing a legitimate basis for processing personal information under the GDPR. Screeners may still need to obtain some type of acknowledgement or statement from the subject that allows a third party, such as an employer or school, to release information to the screener. We even see EU government authorities, such as criminal justice entities, requiring consent for processing criminal records information. Hopefully that government agency has examined the need for this permission from the subject via the consent process. But those items do not speak to the employer’s basis for processing the screening information.

Clearly, consent should be used carefully as a condition of processing in the EU. And it would not surprise me if other countries start to adopt this same position. I am hoping, as screeners, we start having conversations with our employer clients about the basis of processing. Or at the very least, help by pointing them to some resources. An excellent resource, especially for UK-based entities, is the Information Commissioner’s document on GDPR Consent Guidance: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/gdpr-consent-guidance/.

¹  http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN

²  Article 3: Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
2. the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

³  Article 9: Processing of special categories of personal data. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

_____________________________________________________________________________________________________________

Kerstin Bagus – Director, Global Initiatives Kerstin Bagus supports ClearStar’s Global Screening Program as its Director of Global Initiatives. She has more than 30 years of background screening industry experience, working for a variety of firms, large and small. Kerstin is one of the few individuals in the industry who is privacy-certified through the International Association of Privacy Professionals (IAPP) for Canada, the EU, and the U.S. Kerstin is a passionate participant in the Professional Background Screening Association (PBSA, formerly NAPBS) and is a current member of the Board, in addition to participating on several committees. She also participates on IFDAT’s Legal Committee, with a primary focus on global data privacy.

At ClearStar, we are committed to your success. An important part of your employment screening program involves compliance with various laws and regulations, which is why we are providing information regarding screening requirements in certain countries, region, etc. While we are happy to provide you with this information, it is your responsibility to comply with applicable laws and to understand how such information pertains to your employment screening program. The foregoing information is not offered as legal advice but is instead offered for informational purposes. ClearStar is not a law firm and does not offer legal advice and this communication does not form an attorney client relationship. The foregoing information is therefore not intended as a substitute for the legal advice of a lawyer knowledgeable of the user’s individual circumstances or to provide legal advice. ClearStar makes no assurances regarding the accuracy, completeness, or utility of the information contained in this publication. Legislative, regulatory and case law developments regularly impact on general research and this area is evolving rapidly. ClearStar expressly disclaim any warranties or responsibility or damages associated with or arising out of the information provided herein.