On 12 December 2017, the Article 29 Working Party (WP29) published its long-awaited draft guidelines on data subject consent under the GDPR, built on WP29’s ‘Opinion on the definition of consent’, already adopted in 2011. After recalling that consent is one of six lawful bases for processing personal data and giving a short definition, the guidelines analyze the specific elements of valid consent.
According to article 4(11) of the GDPR, consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
First of all, the element “freely given” implies real choice and control. Conversely, if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. The notion of an imbalance of power between the controller and the data subject is also taken into consideration, as in the case of processing by public authorities and in the employment context. Furthermore, according to article 7(4), the two lawful bases for the processing of personal data, i.e. consent and contract, cannot be merged or blurred: consent cannot be bundled with a contract unless the processing is necessary for the contract’s performance. Additionally, granularity is decisive for valid consent: where processing has multiple purposes, consent must be given for all of them, i.e. the purposes shall be separated and consent shall be obtained for each of them. Recital 42 adds the condition that the controller needs to demonstrate that it is possible for the data subject to refuse or withdraw consent without detriment or consequences.
Secondly, to comply with the element of “specific” consent, the controller must apply: (i) purpose specification as stated in article 6(1)(a); (ii) granularity in consent requests; and (iii) clear separation of information related to obtaining consent for data processing from information about other matters. Thus, if a controller processes data based on consent and wishes to process the data for a new purpose, the controller needs to seek new consent.
As for “informed” consent, WP29 expresses its opinion that certain minimum information, which the guidelines list in detail, is required for obtaining valid consent. The form or shape in which the information must be provided is not precisely prescribed; however, several requirements are put in place: clear and plain language, easily understandable by an average person (taking the specific kind of audience into account), and clearly distinguishable from other matters.
Concerning the unambiguous indication of wishes, it is clear that consent must be given through an active motion or declaration in an obvious way, and Recital 32 sets out additional guidance. Silence or inactivity of the data subject cannot be regarded as an active indication, and accepting the general terms of a contract cannot be considered consent.
Especially in the electronic context, controllers have to avoid the “click fatigue” of data subjects caused by the number of clicks and swipes required every day. An often-mentioned method is obtaining the consent of Internet users via their browser settings. In any case, consent must be obtained prior to the processing activity.
Consent has to be explicit in certain cases, specifically for the processing of special categories of data, for data transfers to third countries or international organisations in the absence of adequate safeguards, and for automated individual decision-making, including profiling. This refers to the way consent is expressed, for example receiving consent in a written statement or, in the digital/online context, the upload of a scanned document carrying the signature. Two-stage verification of consent can also be a way to make sure explicit consent is valid.
Furthermore, article 7 of the GDPR sets out additional conditions for valid consent, with specific provisions on keeping records of consent and on the right to easily withdraw consent. It is very important that consent can be withdrawn as easily as it was given, at any time, free of charge and without lowering service levels. All processing that took place before the withdrawal remains lawful, but the controller has to stop processing from that point on.
Some specific cases of consent are especially regulated by the GDPR. Article 8(1) regulates children’s consent: processing based on consent is lawful where the child is at least 16 years old; otherwise consent must be given or authorised by the holder of parental responsibility, with some flexibility for the member states, which can provide a lower age, not below 13 years old. In any case, a proportionate approach may be data minimization. It is of major importance that, under the GDPR, the requirements for valid consent for the use of children’s data are part of a legal framework that must be regarded as separate from each national contract law. Concerning data processing for scientific research purposes, the GDPR brings some flexibility to the degree of specification of consent, since the purpose may be described at a more general level when it cannot be fully specified at the outset.
In general, as already mentioned, article 6 sets out six possible lawful bases for processing, namely:
(a) the data subject’s consent
(b) the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
(c) compliance with a legal obligation to which the controller is subject
(d) protection of the vital interests of the data subject or of another natural person
(e) the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
(f) purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Each purpose has a single lawful basis, while several purposes may correspond to multiple bases; as a result, the purposes must be identified so that the appropriate basis can be determined before data collection.
The conditions for consent have undoubtedly been strengthened by the GDPR, and companies will no longer be able to use long, illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose of the data processing attached. Various safeguards and methods are proposed by the Regulation and the guidelines in order to protect data subjects and maintain meaningful control over their personal data, even though requests for processing are much more frequent nowadays.
Edited by Youli Siamandoura