Following the adoption of the new EU General Data Protection Regulation (GDPR) on 27 April 2016, most organisations began to re-examine their internal processes and procedures in order to ensure compliance with the new requirements before its entry into force in May 2018.
To assist you in this task, we have identified 10 hot topics which should be handled in priority. We propose to present each of these points of attention separately in a newsflash to be published every two weeks, where we will provide you with practical hints to prepare efficiently.
In this issue, we will examine the requirement of consent under the GDPR and provide guidance regarding its collection and validity.
GDPR consent requirement
Data subjects’ consent has always been a key notion in data protection and a basis for certain types of processing but, until now, the ways to collect such consent and the conditions that had to be fulfilled by companies for consent to be valid were not 100% clear.
While Plato’s quotation “your silence gives consent” was applicable for certain processing under the current legislative framework of Directive 95/46/EC, this will no longer be the case under the GDPR.
The GDPR retains the concept of consent as a processing condition, and the related requirements will largely remain unchanged. However, under the new regulation, consent needs to be well designed, and certain new conditions will apply.
Definition of consent
The GDPR defines “consent” of the data subjects as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The new definition of consent extends the requirements for consent set out under the current data protection directive and further clarified in the Article 29 working party opinion 15/2011 on the definition of consent of 13 July 2011 (WP187).
Unambiguous. The way the consent is collected should leave no room for doubt about data subjects' intentions in providing their agreement to their personal data being processed. The GDPR now contains an express clarification that consent requires either a statement or clear affirmative action by data subjects. Consequently, silence, inaction or pre-ticked boxes would no longer suffice to constitute valid consent.
Recital 32 of the GDPR suggests that consent may be signified by (i) ticking a box when visiting a website, (ii) choosing technical settings for information society services, or (iii) any other statement or conduct which clearly indicates the data subjects’ acceptance of the proposed processing of their personal data.
Freely given. Although the current directive already establishes that consent must be freely given, it does not clarify the meaning of this phrase. The GDPR brings clarification by stating that consent must reflect the data subjects' genuine and free choice. If there is any element of compulsion or undue pressure put upon the data subjects (e.g. when the data subject is unable to refuse or withdraw consent without detriment), consent will not be valid. The Luxembourg Data Protection Authority already considers that consent given in an employment context is void.
Additionally, consent would very likely not be considered as freely given if the performance of a contract (including the provision of a service) is made conditional on the data subject’s consent to certain data processing activities which are not necessary for the performance of the contract.
Specific. Consent should be specific to the actual purposes for which the data will be used. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, it should be given for all of them.
Blanket consent that does not specify the exact purpose of the processing therefore does not constitute valid consent. This supports the notion of purpose limitation and data minimisation.
Informed. For consent to be informed, data subjects must be provided with sufficient information to enable them to understand what they are consenting to. Data subjects should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended (Recital 42).
Conditions for a valid consent
When processing is based on consent, the consent of the data subjects must meet certain requirements laid down in Article 7 of the GDPR in order to be deemed sufficient for the purposes of EU data protection law.
Consent recording. Article 7(1) requires that, where consent is relied on as a ground for lawful processing, controllers must be able to demonstrate that the data subject has consented to the processing.
This is a new requirement as the current directive does not directly address the obligation of controllers to maintain evidence of consent obtained from data subjects.
This requirement clearly aims at reducing potential disagreements as to whether or not a data subject actually consented to the processing of his or her personal data.
Distinguishable. Consent must be distinguishable from other matters, meaning that where consent is included in written declarations which also concern other matters (e.g., terms and conditions), consent must be presented in a manner that is clearly distinguishable from the other content of the document.
This will most likely require businesses to review and amend their existing legal documents to ensure requests for consent are separated from the rest of the document.
Clear and simple. As an additional safeguard, requests for consent must be presented in an intelligible manner and easily accessible form, using clear and plain language. The type of data collected and purpose(s) of the processing should be clear to users. Also, the written declaration should be concise. It is unlikely that consent will meet these requirements if the consent is in a foreign language incomprehensible to the individual.
Right to withdraw consent. Data subjects must be able to withdraw their consent at any time and must be informed of this right at the time of consenting. Once consent has been withdrawn, and provided there is no other basis to continue, processing should stop as soon as practically possible.
It should be noted that, because consent may be withdrawn at any time, it is no longer a safe option as a legal basis for processing personal data.
Consent and children
Article 8 of the GDPR introduces stricter consent requirements for children.
Where information society services (e.g. eCommerce) are offered directly to a child below the age of 16 (Member States law may provide for a younger age of consent which must not be below 13), the processing of the child’s data requires parental consent.
Such a requirement reflects the principle that children deserve specific protection of their personal data.
Consent is not the only ground for lawfulness
Consent is related to the concept of informational self-determination. It is traditionally linked with the idea that the data subject should be in control of the use that is being made of his or her personal data. Although consent plays a role in giving control to data subjects, it is not the only way to do this nor the easiest legal ground for personal data processing.
Article 6 lists consent as the first of six different bases to legitimise the processing of personal data. These additional grounds broadly replicate those set out under the current legislation:
- processing is necessary for compliance with a legal obligation;
- processing is necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of legitimate interests.
Consent is not always needed! It should not be asked for if the data are to be processed anyway on another lawful basis.
In the absence of adequacy or other conditions, consent has to be “explicit” (the notion of explicit consent is equivalent to the notion of “express” consent according to the aforementioned opinion of the A29WP) where it is relied upon to legitimise the following types of data processing activities:
- the processing of sensitive data (Art. 9(2)(a));
- profiling activities (or automated decision-making) (Art. 22(2)(c)); or
- cross-border data transfers (Art. 49(1)(a)).
As we have outlined throughout this Newsflash, the GDPR retains consent as a processing condition. Indeed, consent builds trust by giving data subjects more insight into, and control over, their personal data.
However, given that controllers will have to demonstrate the validity of consent, and that such consent may be withdrawn at any time, it might not be the easiest option.
The new requirements in relation to consent will have an impact on existing consents, as any pre-GDPR consents that are valid under the current directive, but do not satisfy the requirements of the GDPR, will have to be re-obtained.
- Identify processing activities relying on consent
- Evaluate whether it still makes sense to rely on consent as a legitimate ground for processing
- If your organisation relies on consent, make sure that:
  - the GDPR requirements for consent are met
  - separate consent is given for distinct processing operations
  - consent is distinguishable (i.e. not bundled with other written agreements)
  - data subjects are provided with a right to withdraw their consent
- Establish records of consents which will enable you to demonstrate compliance with the consent requirements.