This paper highlights and explores CIPL’s ten key messages on the principles of transparency, consent and legitimate interest:
- Transparency is intended to be user-centric and should not primarily envisage legal compliance.
- Transparency should be context-specific, benefit from the possibilities of new technologies and avoid information overload.
- Transparency should be provided contextually by different methods and at different appropriate times throughout the lifecycle of processing operations.
- Algorithmic transparency should focus on the broad logic involved instead of attempting full transparency to the individual. Most important may be transparency about the inputs to which algorithms are applied.
- Consent should be used as a legal ground for processing in situations where it is possible to provide clear and understandable information at the right time and individuals have a genuine choice concerning the use of their personal data.
- Member states should take a harmonised approach vis-à-vis the age of consent for children. The age should be 13. The practical difficulties and privacy issues arising from seeking to verify parental/guardian rights over the child must be recognised.
- There are concerns about the predominance of consent in the ePrivacy rules. The EU legislator should introduce legitimate interest into the ePrivacy Regulation.
- Legitimate interest may be the most accountable ground for processing in many contexts, as it requires an assessment and balancing of the risks and benefits of processing for organisations, individuals and society.
- Legitimate interest places the burden of protecting individuals on the organisation, which is in the best position to undertake a risk/benefits analysis and to devise appropriate mitigations.
- The legitimate interests to be considered may include the interests of the controller, other controller(s), groups of individuals and society as a whole.
Download the Paper
Download NowMore like this
April 2025
Key Takeaways: GDPR Procedural Regulation – One Year Later – Where Are We Now?
Find out more
May 2024
The GDPR’s First Six Years: Positive Impacts, Remaining Implementation Challenges, and Recommendations for Improvement
Find out more
December 2021
Bridging the DMA and the GDPR – CIPL Comments on the Data Protection Implications of the Draft Digital Markets Act
Find out more
September 2021
GDPR Enforcement Cooperation and the One-Stop-Shop – Learning from the First Three Years
Find out more
July 2021
How the “Legitimate Interests” Ground for Processing Enables Responsible Data Use and Innovation
Find out more
September 2020
A Path Forward for International Data Transfers under the GDPR after the CJEU Schrems II Decision
Find out more
July 2020
Data Subject Rights under the GDPR in a Global Data Driven and Connected World
Find out more
August 2019
