GDPR, Territorial Scope and the Language of Consent.
This caught my eye this morning – CNIL today launched a public consultation on data breaches, profiling and consent under the GDPR. It’s open until 23 March.

Looks interesting so I clicked on the link. I was taken to this page:

You may be thinking, so what? But it was something else that really caught my eye. Did you notice the message at the top of the page? The one that mentions ‘cookies’?

I spotted the word ‘cookies’ but had no idea what the message was asking me to do, other than that there was an option to click a radio button at the end of the message.

So how does this relate to GDPR? It goes a lot deeper than you think. Article 3 Clause 2 of the GDPR states the following:

Territorial scope:

  1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
    (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
    (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Let’s dig in a little. I checked the settings in my browser and it’s transmitting the following: HTTP_ACCEPT_LANGUAGE="en-us" — translated, this means that my browser sent a message to the website that I would like to receive the page in English. This should be the first clue that I’m located outside a member country. Secondly, the website should have looked at my location (a topic for another day). As far as I know, it did neither.

What it did do immediately was add two cookies to my browser — even before I had accepted them! So, I personalized the page by indicating my desire for NO cookies. I then refreshed the page after deleting the cookies. I then checked local storage and guess what? The cookies had reappeared.

So far, if this were about GDPR compliance, they would have failed. They failed to recognize my location and my preferred language, and they did not respect my consent.
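The behaviour described above, non-essential cookies appearing before any consent was given and again after it was refused, is exactly what a consent gate on the server is meant to prevent, and it is also something a site owner can test for. The following is an added example, not code from the original post or from CNIL’s site: a small consent gate that decides whether a named cookie may be set under a given consent state, and an audit function that lists the cookies in a response’s Set-Cookie headers that the consent state does not permit. The cookie names, their categories, the consent object shape and the sample headers are all constructed for the example.

```javascript
// Added example (not from the original post): a consent gate for cookies plus a
// check that audits a response's Set-Cookie headers against the consent state.
// Cookie names, categories, consent shape and sample headers are all constructed.

// Which category each cookie belongs to. "essential" cookies keep the site working
// (the stored consent choice, the session); everything else waits for consent.
const COOKIE_CATEGORY = {
  consent_choice: "essential",
  session_id: "essential",
  _analytics_id: "analytics",
  _ad_profile: "marketing",
};

// consent is { analytics: bool, marketing: bool }, or null when the visitor has
// not answered the banner yet. Unclassified cookies are never allowed.
function cookieAllowed(name, consent) {
  const category = COOKIE_CATEGORY[name] || "unknown";
  if (category === "essential") return true;
  if (!consent) return false; // no decision yet: no non-essential cookies at all
  return consent[category] === true;
}

// Extract the cookie name from a Set-Cookie header value ("name=value; Path=/; ...").
function cookieNameFromSetCookie(headerValue) {
  const first = headerValue.split(";")[0];
  const eq = first.indexOf("=");
  return (eq === -1 ? first : first.slice(0, eq)).trim();
}

// Names of cookies in the response that the consent state does not permit.
// An empty array means the response is consistent with the visitor's choice.
function auditSetCookies(setCookieHeaders, consent) {
  return setCookieHeaders
    .map(cookieNameFromSetCookie)
    .filter((name) => name.length > 0 && !cookieAllowed(name, consent));
}

// Constructed Set-Cookie headers, as a response might carry them.
const SAMPLE_SET_COOKIE = [
  "consent_choice=none; Path=/; SameSite=Lax",
  "_analytics_id=abc123; Path=/; Secure",
  "_ad_profile=xyz; Path=/; Secure",
];

// The two situations from the post: first visit (no answer yet), then "NO cookies".
function firstVisitViolations() {
  return auditSetCookies(SAMPLE_SET_COOKIE, null);
}
function refusedConsentViolations() {
  return auditSetCookies(SAMPLE_SET_COOKIE, { analytics: false, marketing: false });
}
```

In a real deployment the same `cookieAllowed` check sits in front of every `Set-Cookie` the server emits, and `auditSetCookies` can be run from a test harness against the live site with the consent cookie absent, set to a refusal, and set to an acceptance, so that the post’s manual check (delete the cookies, refresh, look again) becomes a repeatable regression test.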

GDPR goes far beyond cookie consent. Obtaining meaningful consent is a MUST, not a SHOULD or a MAY. What seems to be missing from the equation at the moment is what LANGUAGE the consent should be in. The clue to that comes from the browser – HTTP_ACCEPT_LANGUAGE="en-us" — after that, it is the job of the data processor to show me a consent page that is in English if they want to continue offering a service.
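The header the post points at, `Accept-Language` (exposed to CGI-style scripts as `HTTP_ACCEPT_LANGUAGE` and to a Node server as `req.headers["accept-language"]`), carries a ranked list of language tags with optional quality weights, so choosing the language of the consent page is a small negotiation step. The following is an added example, not code from the original post: it parses the header by its RFC 9110 grammar (comma-separated tags, each with an optional `;q=` weight, ordered by weight and then by position) and picks the first supported language that matches, trying the full tag first and then the primary subtag, so `en-us` still yields an English consent page when only `en` is available. The supported-language list and the fallback are assumptions for the example.

```javascript
// Added example (not from the original post): choose the language of a consent
// page from the request's Accept-Language header. The supported language list
// and the fallback below are assumptions for the example.

const SUPPORTED = ["fr", "en", "de"]; // languages the consent text exists in (assumed)
const DEFAULT_LANG = "fr";            // used when nothing the client asks for matches (assumed)

// Parse "en-US,en;q=0.8,fr;q=0.5" into [{ tag: "en-us", q: 1 }, ...],
// sorted by weight (highest first) and, for equal weights, by position.
// Entries with q=0 mean "not acceptable" and are dropped.
function parseAcceptLanguage(header) {
  if (!header) return [];
  return header
    .split(",")
    .map((part, index) => {
      const [rawTag, ...params] = part.trim().split(";");
      const tag = rawTag.trim().toLowerCase();
      let q = 1;
      for (const p of params) {
        const [k, v] = p.trim().split("=");
        if (k === "q") {
          const n = Number(v);
          q = Number.isFinite(n) && n >= 0 && n <= 1 ? n : 0; // malformed weight: ignore the entry
        }
      }
      return { tag, q, index };
    })
    .filter((e) => e.tag.length > 0 && e.q > 0)
    .sort((a, b) => b.q - a.q || a.index - b.index);
}

// Return the supported language to render the consent page in.
// Full tags match first ("en-us"), then the primary subtag ("en").
// "*" (any language) is simplified here to the fallback.
function chooseConsentLanguage(header, supported = SUPPORTED, fallback = DEFAULT_LANG) {
  const lower = supported.map((s) => s.toLowerCase());
  for (const { tag } of parseAcceptLanguage(header)) {
    if (tag === "*") return fallback;
    const exact = lower.indexOf(tag);
    if (exact !== -1) return supported[exact];
    const primary = tag.split("-")[0];
    const byPrimary = lower.findIndex((s) => s.split("-")[0] === primary);
    if (byPrimary !== -1) return supported[byPrimary];
  }
  return fallback;
}
```

For the header from the post, `chooseConsentLanguage("en-us")` returns `"en"`; a visitor sending `de-CH,fr;q=0.9,en;q=0.8` gets `"de"`, and a visitor whose preferences are all unsupported gets the fallback. The language decision should then be recorded alongside the consent record itself, so that the site can later show which language the consent text was presented in.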

Conclusion – GDPR, by virtue of its territorial scope, will need to consider language as part of meaningful consent.

Posted in: GDPR, Privacy by Design