Focus on "forced consent"
The first major legal challenge under GDPR has already been launched. Whilst it is aimed at the expected targets - Facebook and Google, the focus of the complaint surrounds how permission is gained to process a user's data.
A common complaint about GDPR has been that the requirements are rather vaguely worded and so it is only legal challenges like these that will start to establish detail on what is now permissable. Any organisation processing personal data needs to follow cases like these carefully to ensure they remain compliant as the rules tighten.
In this case the complaint is that when individuals sign up to these services they are not given the choice on what personal data they need to provide, and how it is used, and that the potential uses go far beyond what the person is signing up for in the first place.
In the words of Max Schrems, who is bringing the case;
“It’s simple: Anything strictly necessary for a service does not need consent boxes anymore. For everything else users must have a real choice to say ‘yes’ or ‘no’”
Facebook, in particular, has been criticised for using and opaque and confusing process that effectively hides options to opt out of data sharing. The legal challenges will show whether this sort of approach is acceptable any more.
From a recruitment perspective this has implications for what applicants can be asked to sign up for when applying for a job. As we have previously argued, there needs to be a clear separation of the requirements for processing an application from other activities like sharing a person's data for other roles or using it for marketing purposes. If the challenge is upheld it will no longer be acceptable to force candidates, at the point of application, to agree to anything not precisely necessary for processing them for the role.