
Actually, I can. If you’ve given me your email for some business reason, and for me to conduct that business I need to email you, I can email you. Even if you didn’t explicitly give consent.

What I can’t do is email you marketing newsletters the times a week for the next decade, or sell your email address to ‘specially selected trusted partners’.



Do you know which parts of GDPR specify the concrete limits on things like this? Or is it more a “I’ll know it when I see it” kind of fuzzy boundary for what’s allowed? Would be helpful to know!


The GDPR isn't about concrete limits, but concrete permissions. A lot of people have been struggling to make sense of this, because it totally inverts how we currently think about personal data.

The collection, storage and processing of personal data is presumed to be unlawful by default, unless it is for a specific, explicit and legitimate purpose. These core principles are set out in Article 5 and they are well worth reading and reflecting on.

https://gdpr-info.eu/art-5-gdpr/

Did the user give you explicit and informed consent for a specific use of a specific piece of data? Is your use of data absolutely essential to fulfil your contractual obligations to that user? Are you required by law to collect and store that data? Is your use of data essential to preserve human life? If you can't confidently say yes to at least one of those questions, then you're probably in breach.


"You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests."

https://ico.org.uk/for-organisations/guide-to-the-general-da...


My, perhaps unfair, impression of GDPR is that it has very few concrete and specific rules, and a whole lot of "you'll know when the court delivers the verdict".


My impression is that GDPR is actually pretty clear, but people involved in the PI processing business have a strong cognitive dissonance about it. It's GDPR telling them "don't do that", vs. them thinking "I must do that, so GDPR is unclear on how I can do that".


GDPR is very specific. You must have written policies describing what you do with data, what you do if there’s a breach, how people can find out what data you hold, how people can have their data deleted. And you must have consent to contact someone unsolicited. If you don’t have consent you must have legitimate interest. Legitimate interest includes the words “reasonably expect” but that’s pretty standard for laws.


As you say, the boundaries are fuzzy. The more data (especially sensitive data) that you collect and process, the tighter you need to make your boundaries.

Most of the advice I've received is to focus on documenting what data you hold, and what you're doing with it. Just by doing that, you'll probably improve your processes. If you did have any problems with the ICO, those documents will go a long way to showing that you took GDPR seriously.


Well, Article 6 is as concrete as it gets:

https://gdpr-info.eu/art-6-gdpr/

(and maybe article 9) https://gdpr-info.eu/art-9-gdpr/


To be even more precise, you can refer to Article 6, section f) about Legitimate interests.

If you conduct business with an individual, most of the time your legal basis will be the legitimate interests of both parties; you should only rely on consent for a non-necessary part/service (like subscribing to a newsletter, or sharing information for improving the service).

For a good summary of that, I would recommend this ICO document: https://ico.org.uk/media/about-the-ico/consultations/2013551...
