If I own the data, can I declare, as part of my personal freedom, that I basically agree that my specific data can be stored and processed anywhere by anybody, without asking myself every time?
Asked
Active
Viewed 6,352 times
4 Answers
25
You could, but how should the companies that want to handle your data know this? If they have no affirmation from you that you allow them to process your data in any way, other than those they are already allowed to because of the exceptions, they have to - under GDPR - assume you don't want them to process your data, and thus have to ask you.
Trish
- 50,532
- 3
- 101
- 209
14
2016/679 ("GDPR") defines the responsibilities of data processors and controllers (subject to the scope of the legislation). An individual can declare whatever they like, but those processors and controllers will still be bound by the legislation.
In many cases consent will be irrelevant - it's only one of the lawful bases for processing :
(a)
the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b)
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c)
processing is necessary for compliance with a legal obligation to which the controller is subject;
(d)
processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e)
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f)
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
A natural person could declare that anyone could use their data, or that no one could, and the processors and controllers would still be bound by the legislation. It's possible that they could use that declaration to demonstrate lawful basis (a) but, as Trish mentions, only if they knew that the declaration had been made and only if the process pointing them at the declaration complied with paragraph 32 :
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
It's difficult to see how a generic statement with no other context could meet the "specific" and "informed" part of that paragraph.
If they were relying on one of the other lawful bases for processing, the declaration wouldn't change anything.
To answer the original headline question, 2016/679 doesn't mean anything to a natural person in respect of their own personal data except when exercising their rights under Chapter III. It becomes more relevant when handling data relating to someone else.
[Edit after NotThatGuy's amendment to the headline question, which makes the answer simpler : Not under GDPR, as the data subject wouldn't have been "informed" of the "specific" nature of the "proposed processing" - see paragraph 32.]
ItWasLikeThatWhenIGotHere
- 2,718
- 11
- 14
10
You can't make a binding declaration
If you wish, you can make a public declaration that you grant consent for any and all processing of your data. You would likely have to be more detailed than that (consent needs to be informed and specific) - you'd likely have to exhaustively specify that yes, you know that this includes also this and that specific purpose and particular protected data (e.g. Article 9.1 and 9.2(a) regarding special categories of data), and that declaration of consent would need to demonstrate that it's informed consent e.g. that you're aware of potential consequences and risks; but in general if the controller can demonstrate that you consented to the processing, that should be sufficient according to article 7.1. They would have to identify you somehow, though - if someone posts on the internet "I, John Doe, consent to all processing" then you'd still need some reasonable assurance that it's actually John Doe who published that instead of their prankster buddy.
However, you can't make a binding, irrevocable consent - according to GDPR (Art. 7.3), you have the right to withdraw that consent at any time; and if you'd find a loophole that would result in a situation which effectively allows a data processor to prevent you from withdrawing that consent, then that would generally (subject to interpretation by the local DPA) not count as freely given consent any more - and consent that's not freely given is not lawful basis for processing data.
So companies still have to expect that at any time you have the right to change your mind, withdraw the consent, request all the data they have on you, request deletion where appropriate, etc.
Peteris
- 2,218
- 16
- 17
3
As others have pointed out, the problem is that the information holders need to know that you've given this universal consent.
Theoretically, some organization could manage a central database, where anyone who wants to make such a declaration is recorded, and information holders could check this before asking you for constent explicitly. But this would then require some kind of universal identifier for everyone, or at least those people who would like to take advantage of this service.
Facebook is becoming so popular (about 28% of the world population use it) that it could conceivably provide this kind of service (think of all the sites that let you login by linking with your FB account). But considering all the privacy concerns with Facebook, would you really want them managing the data that other organizations use to manage privacy?
Barmar
- 8,504
- 1
- 27
- 57