Please stop spreading misinformation. Things are changing with the GDPR.
In particular, the consent requirements are significantly stronger under GDPR than under either the 1995 directive itself (95/46/EC) or the implementations of that directive in various member states.
Organisations that followed reasonable and honest practices at the time of collecting personal data, for example when setting up a mailing list, could still find themselves out of compliance under the new rules.
It has only changed for people who were playing stupid games with what consent means, like interpreting scrolling past an already checked checkbox as consent when it was clearly nothing of the sort. If you were being clear and direct with users about what they were signing up for, then you have nothing to fear from GDPR. I don't have any sympathy for businesses who were complying with the letter of the law while finding any excuse they could to subvert the spirit of the law.
I don't have any sympathy for businesses who were complying with the letter of the law while finding any excuse they could to subvert the spirit of the law.
Neither do I. It's the organisations who were complying with the letter of the law, the spirit of the law, and generally accepted good practices at the time and still won't be compliant under GDPR that I'm worried about.
As a concrete example, every single charity that I support regularly has written to me at some point over the past few months, in order to get the kind of explicit consent they apparently believe they need to continue communicating with their supporters exactly as they have been for years before.
Now, there are really only two possibilities here. One is that all of those charities have this wrong, despite their resources and surely having taken professional legal advice on their particular situations. The other is that the usual HN suspects who maintain that the GDPR isn't a big deal and doesn't change much in practice are underestimating the concerns the GDPR raises for these legitimate organisations wanting to send legitimate communications to people who have previously been happy to receive them.
Since those exercises mean my donations are being wasted on red tape instead of their intended purposes like literally helping to cure cancer, I think it's fair that I have a problem with that.
You're leaving out the possibility that the charities, like most other marketers, didn't bother to get affirmative consent originally. If they had been following the spirit of the law instead of just what they could get away with, then they would have gotten affirmative consent previously. They are not immune from committing bad marketing behavior just because they are charities.
You're leaving out the possibility that the charities, like most other marketers, didn't bother to get affirmative consent originally.
But equally, you're leaving out the possibility that charities really were clear and honest about what they would like to send and really did provide a genuine choice, yet would fall foul of one of the technical requirements under GDPR that wasn't in force at the time. This is probably the case for most if not all of the charities I support myself, so absent evidence to the contrary I have to assume it was widespread practice.
People keep talking about the "spirit of the law", but there's a danger that this becomes a euphemism for "what I wish the law had said, even though it didn't". Usually when people contrast the spirit of the law with the letter of the law, they are making a point about avoiding the obvious purpose of legislation by relying on legal technicalities or subtle implications that most people wouldn't pick up.
In this sort of case, I don't see how it's against even the spirit of previous data protection law if a charity clearly and honestly stated that it would like to send information to donors about how their money was being used, which probably many donors would indeed like to receive, but for example they checked the box by default. There was an explicit provision for businesses to send marketing mail to previous customers or prospects without requiring consent at all, as long as it related to products or services similar to what the recipient had been interested in before and as long as some reasonable requirements about opting out were met, so clearly this isn't some absurd idea just dreamed up by charity fundraisers.
Checking the box by default is a dark pattern designed explicitly to trick people into signing up without realizing it. People who did that knew what they were doing. I don't have any sympathy that they now have to go back and ask for real consent.
It's interesting that you mention charities, because as we know in the UK many of them were breaking the law and there has been considerable regulatory action to bring them back into compliance with the existing PECR and DPA.
The fact that they're all contacting people saying "We need to re-gain permission under GDPR" just means that a bunch of organisations were, and still are, clueless about data protection. This, combined with the lack of fines, should be somewhat reassuring to the GDPR sceptics. The laws are widely broken; the regulator hasn't been seeking fines; this is unlikely to change in future under GDPR.
I had a different impression from the charity contacts I have, but let's assume you're right for this discussion. Doesn't that mean the only practical effect of the GDPR on these organisations is that instead of funding research to help people who had a stroke or providing water to villages in Africa or whatever other desirable work they would normally be supporting, they're spending time and money on legal technicalities that aren't going to make any meaningful difference to anyone? I still don't see how that's a good thing.
As someone supporting these charities and whose personal data is being used to send the updates on what they're doing, I (and others in a similar position) am the person who is supposedly being exploited undesirably and in need of protection here. And yet, as I wrote before, I was quite clear about what I was expecting to happen when I filled in each form, and none of the charities I deal with regularly has ever done anything I would consider abusive or beyond what I knowingly agreed to. I really would prefer it if they didn't have to waste their resources on this and instead spent them on whatever good work they would normally do, but since every single one of them has contacted me anyway, I have to assume that something about the GDPR-related changes is preventing that from happening.