EU-US Privacy Shield framework and processing for incompatible purposes
Question for written answer E-002302-16
to the Commission
Sophia in 't Veld (ALDE)
The current Data Protection Directive (95/46/EC) lists unambiguous consent as one of the legal bases for processing personal data for a specific purpose. Further processing for incompatible purposes would require a new legal basis. The EU-US Privacy Shield Principles offer (in 2a on Choice) the possibility of further incompatible processing on the basis of an opt-out. Under the future General Data Protection Regulation (GDPR), unambiguous consent can no longer be fulfilled by an opt-out, owing to the requirement of ‘affirmative action’.
Does the Commission agree that an opt-out will not suffice to establish consent under the future GDPR? If not, why not?
Does it consider the Privacy Shield Principles on Choice allowing for an opt-out for further incompatible processing to be a lower threshold compared with the GDPR requirements for further incompatible processing for non-Privacy Shield companies?
Does it consider that this situation creates a loophole for Privacy Shield companies to avoid the stricter rules under the GDPR? If not, why not? If so, why would that be justified?