
Thank you for surfacing this language.

In the more general case, I was under the impression that informed consent was sufficient to authorize a data controller to collect/process private information and so the ruling didn't make sense to me. I'm using "informed consent" here as a shorthand for all the applicable GDPR requirements on consent (reasonable language, etc.).

It isn't clear to me from this language in Recital 43 though how a data controller with an "imbalance" relative to the data subject could easily get clarity on any particular use case. It also seems strange that in this case there was deemed an imbalance between the schools and the parents (I'm assuming here that parents are indeed authorized to give consent in their role as parent/guardian). If parents are in an imbalanced situation regarding school attendance, then pretty much all government relationships are imbalanced.

If the school/parent relationship is considered imbalanced and the imbalance language isn't specific to a government data controller, then it would appear that every data controller (government entity or not) is in danger of having their relationship deemed "imbalanced" and the data collection subject to analysis by the data authority at any time.

It seems like this ruling destroys the clarity of "consent" and replaces it with "(consent AND balanced relationship) OR (imbalanced relationship AND legally adequate reason AND prior approval from regulator AND consent)"



>It seems like this ruling destroys the clarity of "consent" and replaces it with "(consent AND balanced relationship) OR (imbalanced relationship AND legally adequate reason AND prior approval from regulator AND consent)"

Consent is not always necessary, nor is it always sufficient. If you rely on consent as a lawful basis for data processing, the burden of proof lies with you to demonstrate that such consent was informed and freely given. The authors of the GDPR were fully aware of the fact that coerced consent was rampant, with stuff like shrinkwrap agreements, incomprehensible terms and conditions and "by entering these premises, you consent to give us your first-born son"; as a result, consent is very tightly regulated under GDPR. As a rule of thumb, ask whether a data subject could a) refuse consent without any repercussions and b) would not be surprised by any aspect of your processing; if you aren't certain that both a & b are true, you probably can't rely on consent.

https://gdpr-info.eu/art-6-gdpr/

The school already had a means of collecting attendance data that didn't involve constant video surveillance and had a far lower risk of misuse and security breaches. They didn't need consent to take the register, because it was justified under Art. 6 (1c, d and e). They relied on consent as a lawful basis for the facial recognition scheme, even in a situation where it would be difficult for the data subjects to refuse consent and where the data subjects would be unlikely to understand the full extent of the data processing and the risks that they would be exposed to as a result. Using consent in that way is very much contrary to the spirit of the regulations.

>If parents are in an imbalanced situation regarding school attendance, then pretty much all government relationships are imbalanced.

Yes, absolutely.


Why were they in an imbalanced situation? In this particular case, I believe it was a trial. So parents could have withheld consent with no negative consequences as far as I can tell.

I realize that this particular situation is about facial recognition, but I was trying to point out that this ruling changes the game for everything, basically creating a situation where the only way for a data controller to minimize legal risk would be to get prior authorization from the data authority. That is problematic.



