
I have recently come across this part of an app from a well-known US company:


Is this a legal way of handling some of the technical obstacles GDPR introduced? Is this a "flexible" interpretation of the law or is it straight up illegal?

To give the whole picture - I was asked where I live and based on that I was presented with this consent sheet. If I don't check the box, I cannot move any further - I have to give consent if I want to use the app.

I was OK with giving that consent, but does that mean I also lose my rights that come with GDPR? The right to download my data, the right to be forgotten etc?

I'm not interested in shaming the company, but I am interested in knowing if the approach - "I'll ask if they are OK with losing those rights so that I can do whatever I want" - is a correct way of handling the law. I didn't assume GDPR is "optional". Kind of defeats the purpose of having it if companies can put this in the fine print or worse - disallow anybody to use their software unless they give their private data to them with no strings attached.

I saw and read a connected question here, but in my situation, I am actually unable to do anything unless I accept the terms.

Machavity
Michal

5 Answers

GDPR does not cease to apply because of the location of data storage. It applies based on the location of the data processor, data controller, and data subject. If you are in the EU, you are a data subject covered by GDPR. It does not matter where the data are stored.

Note that you are asked to confirm that you're aware that US laws may be less protective, but you're not asked to acknowledge that anything about the arrangement causes the "laws of your country/region" not to apply. The company also does not seem to be claiming that they don't apply, although it seems that they want you to think so, and it's not clear whether they think so.

You are correct that GDPR doesn't allow its protections to be waived. A data subject may always consent to certain processing, and some processing may be performed without consent, but it's not possible to waive the right to withhold consent for processing that does require it.

phoog

GDPR consent must be freely given

The GDPR conditions for consent define it as (article 4.11) "‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". It's worth noting that all the criteria are mandatory - if one of them is missing (e.g. it's not specific or not freely given) then it's not consent according to GDPR.

GDPR article 7.4 states "When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract." To clarify this, GDPR recital 43 states "Consent is presumed not to be freely given if [...] the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance." which is explicitly about cases like this - if providing the service is conditional on "consenting", then that consent shall be presumed to not be freely given, and thus it is not valid consent.

Thus, a record that this checkbox was checked does not give the company a legal basis to use your data. In particular, GDPR 7.1 states "Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.", so it's their duty to show that you actually consented and your consent fulfills all the criteria, and it appears that they cannot. One way to proceed would be to 'agree' to the checkbox, immediately follow up with a GDPR data request (asking them to affirm what legal basis allows them to process the data), and if they list "consent" as the legal basis (they might not, there are other possible ways) then dispute that with your local data protection authority.

Peteris

GDPR puts several requirements on a company to be compliant.

Among these is the requirement to seek informed consent from the data subject, ie. you, to store and use data.

As such the waiver you are asked to agree to does not seem to be an attempt to bypass GDPR, but rather explicitly following the letter of the law.

Please note the following;

  • You are not being asked to waive any rights regarding a data breach.
  • The company is not asking to be allowed to use the data for purposes other than to provide wellness and fitness services.
  • The company is not asking to be allowed to store data not needed for it to provide wellness and fitness services.
  • The company is not asking you to indemnify them if a data processor uses the data for purposes not required to provide you with wellness and fitness services.
  • The company explicitly notes that you are free to withdraw consent at a later time.
  • You were not asked to give up your right to receive the data.
  • You were not asked to give up any rights to have your data be deleted.

Considering that health information is considered sensitive it seems difficult to see how a company could offer "wellness and fitness services" in a GDPR compliant manner without a waiver similar to the one you were presented with.

GDPR does put the requirement that the consent be freely given, but "If I do not give the consent I would be unable to use the service" is not usually considered coercion.

In conclusion, there are parts of the GDPR that apply even if the subject has agreed to a waiver (processes surrounding data breaches, not using data for purposes other than what it was provided for, etc.), but nothing in the agreement you are being asked for seems to touch this.

Taemyr

Consent is a lawful basis for processing both sensitive data and for transferring data overseas. Providing consent does not give the data controller the ability to ignore your rights under GDPR, nor is this organisation implying this, so I expect you would have some assurance.

The issue with the solution provided here is that to be lawful under GDPR consent must be 'freely given'. If you cannot have the service without consent, then it is not being given freely. Therefore the organisation is still not undertaking this processing legally.


Respectfully: some other answers impliedly assume the question engages GDPR issues. It doesn't!!!

The correct answer is: "not a snowball's chance in hell". Why? Because the question actually confronts the rule of law which as meta-law, surprise surprise, aborts any other legal issue.

Any agreement between data subjects and controllers is private law. The GDPR is statutory. The proposed waiver falls into a certain category expressed roughly as follows: "Any private law agreement to usurp the jurisdiction of the Court is void for illegality".

For the same reason it's unenforceable. So the data subjects can reverse their decision to waive at any time without breaching any "agreement". Because the "agreement" was void ab initio.

For the same reason, of course, any T&C that imports any Privacy Notice [edit: in a way that would conflict with any statute] is likewise void for illegality (or at least the clause is severed if a valid severability clause exists compliant with local contract law severability doctrine).

Here's an illustration. A few months ago some judge, in the backwoods of some unenlightened hick jurisdiction, invented this crazy rule that forming a contract with a hit man to waive the compliance rules on murder and assassinate the [ boss / spouse / driver annoying you at the traffic lights] might risk a polite invitation to Court and another polite invitation to jail, expressed as an offer too good to refuse. Especially if the judge’s football team lost the previous day. So be careful where you strike such deals. And make sure your favourite assassins (and data subject users) don’t snitch on you. Just say please!

Even lawyers fall into this trap, on a metalevel. I've seen too many tech company contracts that include wording such as "the parties agree to waive the Court's domestic rules of private international law". When judges see such words, they respond in some of three non-exclusive ways: rip into the drafters if they're stupid enough to be present in Court; limit themselves to a shark-like smile while laughing like a drain inside; or maintain a polite poker face while wondering "how will I resist the temptation of screwing you over for this disrespectful and arrogant attempt to create a potential international incident?".

gdpr360