EU Commission Issues Report on Implementing Certain GDPR Provisions, Including Obtaining Children’s Consent and Processing Special Categories of Personal Data
On January 6, 2021, the European Union (EU) Commission’s Directorate-General for Justice and Consumers published its Report on the implementation of specific provisions of Regulation (EU) 2016/679 (the Report). The Report addresses the implementation of EU Member States General Data Protection Regulation (GDPR) Articles governing, which includes obtaining children’s consent, processing special categories of personal data, restrictions to the exercise of data subjects’ rights, tensions between rights to personal data protection and the right to freedom of expression, and national derogations for scientific or historical research, statistical, or public interest purposes. Given the United Kingdom’s departure from the EU, the Report does not cover implementations of the provisions by the UK.
Two observations given some emphasis by the Report are:
- While the overwhelming majority of the Members States have implemented various restrictions to data subjects’ rights under Article 23 for purposes of public security, public administration, public health, taxation and migration, they have not implemented the conditions under Article 23(1) (including the necessity and proportionality test) or the safeguards under Article 23(2) (purpose of processing, categories of personal data, scope of the restrictions introduced, etc.).
- While “a sizeable number of Members States” have adopted various exemptions/derogations in relation to data processing in connection with journalism, and for the purposes of academic, artistic or literary expression, only “several Member States” provide for a case-by-case assessment for such exemptions/derogations. Also, “more often than not, no specific balancing or reconciliation test is identified in the national legislation.”
Other observations made by the Report include:
- A majority of the Member States have set an age limit lower than 16 years for the validity of the consent of a minor in relation to information society services.
- Most Member States provide for conditions/limitations with regard to the processing of genetic data, biometric data or data concerning health, which typically consist in listing the categories of persons who have access to such data, ensuring that they are subject to confidentiality obligations, or making processing subject to prior authorization.
- For Article 23 restrictions based on public security and public interest (including public administration, public health, taxation, and migration), “some Member States” have enacted restrictions in the areas of social security and the “supervision of financial market participants, functioning of the guarantee systems and resolution and macroeconomic analyses.” An “overwhelming majority of Member States do not sufficiently implement” the measures and safeguards specified under Article 23(2).
- A majority of the Member States provide for provisions aiming to reconcile the right to the protection of personal data with the right to freedom of expression and information.
We will continue to monitor. If you have questions on how this may impact your business or would like further information, please contact Joshua A. Mooney (firstname.lastname@example.org; 215.864.6345).