Consent is no longer the 'catch all' it once was to legitimise processing of personal data.
What's the issue?
With the GDPR coming into effect on 25 May, guidance is coming thick and fast. One of the most difficult concepts for organisations to deal with is the enhanced version of consent. Under existing EU data protection law, consent is often used as a 'catch all' by data controllers. The stricter GDPR definition of consent makes it much harder to achieve, so it is no longer an easy default lawful basis for processing personal data. This is made all the more complicated by the fact that you have to pick one lawful basis for a processing operation before the processing begins, and if you pick consent, you cannot switch to another lawful basis if consent is subsequently withdrawn.
As if that weren't enough, in addition to the significant amounts of information you have to give individuals to achieve valid consent, you also have to do it in such a way that they can easily understand it and this can conflict with the transparency principle if you get the balance wrong (see more about guidance on the transparency principle).
How GDPR consent fits in with ePrivacy requirements (both current and proposed) is another issue that businesses are grappling with as they get ready for 25 May and beyond.
What's the development?
Following on from the Article 29 Working Party's (WP29) final guidance on consent, the UK's ICO has also finalised its own guidance on the use of consent under the GDPR and updated its GDPR guide to incorporate it (pp25-60). Both sets of guidance are broadly unchanged since the drafts but there are a few areas of addition and clarification.
What does this mean for me?
Organisations which have historically relied on consent need to assess whether that consent is still valid for GDPR purposes. If it is not, there is a one-off opportunity to change the lawful basis for the processing. The ICO guidance, together with the WP29 guidance, should help clarify whether consent is the best lawful basis going forward, and when to use it for a new processing operation.
Changes to the final versions deal mainly with clarifications. You can see more on the ICO guidance and the WP29 guidance as originally published in draft.
The most notable changes to the ICO guidance cover:
What happens when consent is withdrawn?
If consent is withdrawn, data processing for the purpose for which consent was obtained must stop. The relevant data may be processed for a different purpose where a different lawful basis was relied upon (and the individual should have been informed of that at the time consent was obtained). The data controller cannot, however, change the lawful basis of the processing for that purpose (for example to legitimate interests). When consent is used as a lawful basis for processing, this gives the individual a sense of control over the use of their data. To continue to process the data for the same purpose after consent is withdrawn would make that sense illusory and this would be unfair.
Third party consent
If you rely on consent obtained by a third party, you must be specifically named in the consent request. Listing only categories of third-party organisations in a consent request will not be enough to obtain valid consent under the GDPR.
Processors do not need to be named in consent requests but there are separate requirements under the transparency principle around disclosing details of processors.
Conversely, a third party can in theory consent on behalf of an individual, but it will be hard to demonstrate that the individual was fully informed and that their consent was freely given.
What if my DPA consent is no longer valid under GDPR?
This has been fleshed out in the final version of the guidance to make it clear that even where you decide to rely on a lawful basis other than consent from 25 May 2018 (which is permitted as a one-off according to Article 29 Working Party guidance), you should remember that processing must still be fair and transparent. This means that you should take all reasonable steps to tell individuals you are relying on a new lawful basis and explain what that basis is. Where possible, individuals should be given the chance to opt out to minimise their loss of control.
Consent and ePrivacy
The ePrivacy Regulation has not been finalised. PECR will continue to apply in the interim, but from 25 May 2018 PECR consent will be the same as GDPR consent. The ICO's consent guidance says that where consent is needed under ePrivacy laws, in practice consent is also the appropriate lawful basis under the GDPR. This makes sense given that PECR consent and GDPR consent are the same. If, however, ePrivacy laws do not require consent, another lawful basis may be used, such as legitimate interests. Similarly, for cookies, the consent required will need to be GDPR consent, but an alternative lawful basis may be available for any associated processing of personal data.
Consent to processing for special category data
This section has been expanded. The ICO clarifies that to process special category (sensitive) data, a lawful basis must be identified under Article 6 together with a separate condition for processing special category data under Article 9 (as supplemented by Schedule 1 of the Data Protection Bill). Where explicit consent is relied on, it must still be freely given. Where the processing of special category data is genuinely necessary to provide a service to the individual, you may still be able to rely on explicit consent as the Article 9 condition for processing that data where no other Article 9 condition applies.
Public authorities
There may be situations where it will be possible for a public authority to obtain freely given consent despite the fact that it is in a position of power, so there is a risk of imbalance. Public authorities are, however, restricted in their ability to use legitimate interests as a lawful basis for processing. The 'public task' basis is likely to be the most suitable where the processing is carried out to perform the authority's official functions as set out in UK law.
Transparency v sufficiently detailed consent requests
Rules about consent requests are separate from the transparency obligations, which apply regardless of which lawful basis is being relied upon for processing. These two requirements are not always complementary, as those grappling with drafting privacy policies will know. The ICO says that although Recital 32 suggests that electronic consent requests should not be unduly disruptive to users, this does not override the need for consent requests to be clear and specific.
More on the mechanics of explicit consent
Explicit consent must be confirmed in words. Individuals do not have to use their own words, but they must indicate their clear agreement. Explicit consent can be obtained orally, but a record must be kept of the script used.
Children and parental consent
In a change from the draft, the final guidance says that parental consent will not automatically expire when the child reaches the age at which they can consent for themselves. Consents naturally degrade with time, but in the case of parental consent, the consent should be refreshed more regularly.
Scientific research
This section has been extended to bring it in line with the Article 29 Working Party guidance. The ICO reminds controllers that GDPR consent should not be confused with any other legal or ethical obligation to obtain consent from people participating in research.
Article 29 Working Party guidance - main changes from draft
- When assessing whether consent is freely given in relation to a contract or the provision of services (Article 7(4)), the specific situation of tying consent to a contract or the provision of services must be considered. In general terms, any element of inappropriate pressure or influence on the data subject which prevents them from exercising their free will renders the consent invalid. As Article 7(4) states, this consideration is relevant where consent is sought as a condition of the contract or the supply of services, but it is not essential to process the relevant data in order to perform the contract or supply the services.
- The WP29 says that consent cannot be considered freely given if a controller argues that a choice exists between its own service, which requires consent to the use of personal data for additional purposes, and an equivalent service offered by a different controller where no such consent is required. Genuine freedom of choice would depend on whether the services are truly equivalent, and relying on this argument would also require the first controller to monitor market developments to ensure that the consent remained valid on an ongoing basis. As a result, this type of consent would fail.
- If consent is sought for a particular purpose and the controller wishes to process the data for another purpose, the controller needs to seek additional consent for the new purpose unless the data can be processed for the new purpose relying on a different lawful basis.
- When the identity of the controller or the purpose of the processing is not apparent from the first information layer of a layered privacy notice, it will be difficult for the data controller to demonstrate that the data subject has given informed consent unless the data controller can show that the data subject in question accessed the relevant layer of information prior to giving consent.
- Pre-ticked boxes or opt-out constructions that require an intervention from the data subject to prevent agreement, cannot be used to obtain consent.
- Controllers must distinguish the action required from the data subject to give consent from other actions. Merely continuing to use a website will not be sufficiently specific.
- A reminder that "necessary for the performance of a contract" is not one of the exceptions to the general prohibition on processing special category data. If none of the exceptions in Article 9(2)(b)-(j) are met, explicit consent must be obtained.
- Sending out a message that data will be processed on the basis of consent while actually relying on another lawful basis would be "fundamentally unfair".
- There was originally some ambiguity around changing the lawful basis for processing, either where consent is withdrawn or where consent obtained under the Data Protection Directive is no longer valid under the GDPR. The guidance is now clear that:
  - withdrawal of consent will not delegitimise the processing which relied on the consent while it was valid. If the controller wants to continue to process the personal data for the same purpose, it must obtain fresh consent. It cannot move from consent to another lawful basis to justify the processing retrospectively.
  - any consent obtained under the Directive which is not valid under the GDPR must be refreshed in such a way as to make it valid. If this is not possible, there is a one-off opportunity to swap to another lawful basis, provided the principles of fairness and transparency are adhered to.
- Once a child reaches the age of digital consent, they may withdraw consent given by their parents, but the consent will remain valid if the child takes no action.