"Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data."
Recital 43:
"In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation."
A school cannot rely on consent as a lawful basis for processing the personal data of pupils.
They were fined so it is established that they broke the law.
I am commenting on the spirit of the law itself. You're quoting it back to me but that's not the point. The point is to discuss what we think of those legal restrictions and whether they are restrictive. In fact, what you quoted reinforces my opinion that the GDPR is over-restrictive.
Does Google's et al. EULA cater for this, as fairly sure many children's phones track them and fall foul of this?
Oyster cards in London, your journeys are tracked, consent not asked for. Let alone giving special privilege for children.
Then the whole aspect of under-age (children) committing crime and evidence. A smart lawyer could abuse the whole aspect to squash any evidence that placed them at a scene of a crime as they never gave consent and if they did - they didn't know what they were doing.
Basically - if a school can't rely upon consent from children - nobody can.
>Does Google's et al. EULA cater for this, as fairly sure many children's phones track them and fall foul of this?
Google are subject to multiple GDPR investigations as we speak. They have already received a number of large fines.
>Oyster cards in London, your journeys are tracked, consent not asked for. Let alone giving special privilege for children.
TFL have a legitimate need to know where you tapped in and out in order to calculate fares. As long as they aren't using that data in an identifiable form for other purposes and they delete it as soon as practicable, they're compliant. A facial recognition system collects far more data than is minimally necessary to track school attendance, which is contrary to the principles set out in Art. 5.
>Then the whole aspect of under-age (children) committing crime and evidence. A smart lawyer could abuse the whole aspect to squash any evidence that placed them at a scene of a crime as they never gave consent and if they did - they didn't know what they were doing.
That evidence is necessary for the purposes of mounting a prosecution so processing it (in accordance with the rest of the GDPR) is lawful under Art. 6. Consent is only one lawful basis for processing personal data; it is not always necessary, nor is it always sufficient. Consent does not give anyone carte blanche to do as they please under GDPR, particularly where that consent might not be fully informed or freely given.
>Basically - if a school can't rely upon consent from children - nobody can.
I think that is a fairly well established legal principle. In many places, a contract cannot be enforced against a minor no matter whether it was freely entered. Statutory rape laws say it doesn't matter if the minor consented. And so on . . .
"Statutory rape laws say it doesn't matter if the minor consented" that is probably an extreme example that some might find unpalatable, but it does support the point.
In the more general case, I was under the impression that informed consent was sufficient to authorize a data controller to collect/process private information and so the ruling didn't make sense to me. I'm using "informed consent" here as a shorthand for all the applicable GDPR requirements on consent (reasonable language, etc).
It isn't clear to me from this language in Recital 43 though how a data controller with an "imbalance" relative to the data subject could easily get clarity on any particular use case. It also seems strange that in this case there was deemed an imbalance between the schools and the parents (I'm assuming here that parents are indeed authorized to give consent in their role as parent/guardian). If parents are in an imbalanced situation regarding school attendance, then pretty much all government relationships are imbalanced.
If the school/parent relationship is considered imbalanced and the imbalance language isn't specific to a government data controller, then it would appear that every data controller (government entity or not) is in danger of having their relationship deemed "imbalanced" and the data collection subject to analysis by the data authority at any time.
It seems like this ruling destroys the clarity of "consent" and replaces it with "(consent AND balanced relationship) OR (imbalanced relationship AND legally adequate reason AND prior approval from regulator AND consent)"
>It seems like this ruling destroys the clarity of "consent" and replaces it with "(consent AND balanced relationship) OR (imbalanced relationship AND legally adequate reason AND prior approval from regulator AND consent)"
Consent is not always necessary, nor is it always sufficient. If you rely on consent as a lawful basis for data processing, the burden of proof lies with you to demonstrate that such consent was informed and freely given. The authors of the GDPR were fully aware of the fact that coerced consent was rampant, with stuff like shrinkwrap agreements, incomprehensible terms and conditions and "by entering these premises, you consent to give us your first-born son"; as a result, consent is very tightly regulated under GDPR. As a rule of thumb, ask whether a data subject could a) refuse consent without any repercussions and b) would not be surprised by any aspect of your processing; if you aren't certain that both a & b are true, you probably can't rely on consent.
The school already had a means of collecting attendance data that didn't involve constant video surveillance and had a far lower risk of misuse and security breaches. They didn't need consent to take the register, because it was justified under Art. 6 (1c, d and e). They relied on consent as a lawful basis for the facial recognition scheme, even in a situation where it would be difficult for the data subjects to refuse consent and where the data subjects would be unlikely to understand the full extent of the data processing and the risks that they would be exposed to as a result. Using consent in that way is very much contrary to the spirit of the regulations.
>If parents are in an imbalanced situation regarding school attendance, then pretty much all government relationships are imbalanced.
Why were they in an imbalanced situation? In this particular case, I believe it was a trial. So parents could have withheld consent with no negative consequences as far as I can tell.
I realize that this particular situation is about facial recognition, but I was trying to point out that this ruling changes the game for everything, basically creating a situation where the only way for a data controller to minimize legal risk would be to get prior authorization from the data authority. That is problematic.
"Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data."
Recital 43:
"In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation."
A school cannot rely on consent as a lawful basis for processing the personal data of pupils.
https://gdpr-info.eu/recitals/no-38/
https://gdpr-info.eu/recitals/no-43/