As businesses implement the operational changes needed to adapt to the regulatory environment brought about by the GDPR, many are still struggling to understand the conditions under which data controllers may rely on the consent of data subjects as a basis for lawful processing.
The text of the GDPR already states that, in each case, the consent of the data subject must be “freely given, specific, informed and unambiguous”. The EU advisory body on data protection issues, the Article 29 Working Party, has since analyzed the concept of consent in detail by releasing guidelines (the “Guidelines”) aimed at helping businesses and practitioners understand how consent must be obtained.
The notion that consent must be freely given appears to be rooted in civil law jurisprudence, particularly the law of obligations, where a contract can be annulled on the basis that the consent of one of the contracting parties was procured by violence, error, or fraud and, as a result, was not freely given. The Guidelines, however, go a step further. They refer to the existence of an imbalance of power between the data controller and the data subject, a consideration drawn from consumer protection law, and to the concepts of conditionality, granularity, and detriment. Although these concepts would generally not suffice to annul a contract, each of them is enough to invalidate consent as a basis for data processing.
Conditionality, for instance, is the act of “bundling” consent with the acceptance of other terms. In practice, this means that a clause embedded in the standard terms and conditions used to onboard clients no longer suffices to process data on the basis of consent. Granularity, on the other hand, requires controllers to obtain a separate, specific consent for each purpose for which they intend to process individuals’ personal data. If, for example, a business has obtained consent at the outset of onboarding a client to process data in order to monitor consumer behavior for product improvement purposes, and later decides to share the same data with third parties, the concept of granularity requires the data controller to obtain additional consent covering this new purpose. Finally, the concept of detriment relates to circumstances in which withdrawing consent would expose the data subject to undesired consequences, such as incurring costs, so that the data subject is effectively impeded from withdrawing. In such an instance, the Guidelines establish that consent is not freely given.
The GDPR also requires consent to be informed. In this regard, the Guidelines establish that, as a minimum, the following information must be given to data subjects:
i. The controller’s identity;
ii. The purpose of each of the processing operations;
iii. The type of data which will be collected;
iv. The right to withdraw consent;
v. The use of the data for automated decision-making, where relevant; and
vi. Possible risks of data transfers to non-EU countries in the absence of an adequacy decision from the European Commission and appropriate safeguards.
With respect to the unambiguous nature of consent, the GDPR already requires either a clear statement from the data subject or a clear affirmative act. The Guidelines reinforce this principle by confirming that the following methods do not produce valid consent:
i. Pre-ticked tick boxes;
ii. Silence or inactivity of the individual;
iii. Consent included as part of general terms and conditions; and
iv. Opt-out boxes.
Although a “clear affirmative act” is sufficient in normal circumstances, the GDPR requires a higher standard of consent (“explicit consent”) in certain instances, such as the processing of special categories of data and data transfers to non-EU countries. In this respect, the Guidelines identify a written statement, an electronic signature, an email, or the upload of a signed scanned document as sufficient to satisfy the requirement of explicit consent.
While the Guidelines are open for public consultation until 23 January 2018, it is clear that the Article 29 Working Party has adopted an approach to consent which is onerous, to say the least, with the scales tipped heavily in favor of data subjects and consumers. Although it remains to be seen whether any changes to the Guidelines will be forthcoming, data controllers would be well advised to start putting procedures in place to obtain consent from data subjects in the correct manner, or otherwise to rely on an alternative lawful basis for processing.