The WP29’s draft guidelines on consent begin with some good advice. “[A] controller must always take time to consider whether consent is the appropriate lawful ground for the… processing or whether another ground should be chosen instead”.
The decision whether or not to seek and rely on consent has heightened importance under the GDPR, given that it imposes what are acknowledged to be rigorous requirements. The GDPR raises the bar, requiring controllers to alter consent mechanisms (including for withdrawal of consent) rather than simply to tweak the language used in privacy notices.
As organisations move towards compliance with the GDPR by May, this issue must be considered in relation to each existing processing activity, particularly those based on consent, and controllers must look to implement appropriate mechanisms to obtain and maintain consents in future.
Elements of valid consent
So what do the guidelines add to the relevant articles and recitals of the GDPR? The answer: not a great deal, but the key points can be summarised as follows.
- Freely given:
  - No imbalance of power – Public authorities will rarely be able to rely on consent. Similarly, in an employment context, the inherent risk of detriment means reliance on consent is problematic other than in exceptional circumstances where it is demonstrable that there is no risk of adverse consequences if consent is refused. Imbalances of power can also occur in other situations.
  - Conditionality – generally, consent must not be bundled up as a non-negotiable part of terms and conditions. Very occasionally it will be acceptable to make the provision of a service or performance of a contract conditional on consent (e.g. where equivalent services are available that do not involve giving consent to processing personal data). The burden is on the controller to rebut the presumption that any consent which is bundled in this way is invalid. Importantly, the guidelines clarify that the restriction on conditionality extends beyond tying consent to contracts or the provision of services – any element of inappropriate pressure or influence upon a data subject which prevents them from exercising their free will renders consent invalid.
  - Granularity – The guidelines don’t go as far as they could to clarify the statement in recital 43 that “When the processing has multiple purposes, consent should be given for all of them”, which on a strict interpretation could mean that if consent provides a legal basis for one processing purpose then it must be obtained for all. They do indicate that what is intended here is that where processing is carried on for more than one purpose, and the legal basis for those purposes is consent, data subjects should be given the choice whether or not to accept each purpose individually. Just how granular purposes need to be remains open to considerable interpretation, which is perhaps more helpful than the alternative.
  - No detriment – the guidelines are arguably inconsistent as to where the line is to be drawn. At one end of the spectrum, they note that “significant negative consequences (e.g. substantial extra costs)” may indicate an imbalance of power, but at the other they note that “any costs” and “any negative consequences” would indicate a detriment and may render a consent invalid.
- Specific: the processing purpose for which a data subject gives consent must be specific, to avoid function creep or blurring of the processing purpose over time. It must also be granular. Importantly, the guidelines clarify that if a controller processes data based on consent and wishes to process the data for a new purpose, the controller needs to seek a new consent. There is no scope for processing for further “compatible” purposes to inherit the original consent as a basis for processing.
- Informed: the guidelines clarify that only the following information must be provided to a data subject for a consent to be valid – the controller’s identity, the processing purposes, the type of data which will be processed, the existence of the right to withdraw consent, information about automated processing and, if the consent relates to international transfers, the possible risks of transfers to third countries (i.e. not all the information required under articles 13 and 14). This is somewhat helpful, as it means existing consents obtained by data controllers may be more likely to survive under the GDPR, notwithstanding that they were not obtained alongside a GDPR-standard privacy notice. In common with the guidelines on transparency, the guidelines highlight that requests for consent should use clear and plain language, be clear and distinguishable from other matters, and that relevant information must not be hidden.
- Unambiguous indication of wishes: Consent must be given by a clear affirmative act or declaration, which might take the form of a written or (recorded) oral statement. The use of pre-ticked boxes and other opt-out constructions is invalid. In an online context, there is some scope to adopt minimally disruptive methods in some cases, to avoid click fatigue (which could diminish the effect of rigorous consent mechanisms).
Under the GDPR, “explicit” consent is required where relied on as a basis for processing special categories of data, for international transfers to third countries, and for automated decision-making involving processing personal data. Not much guidance is offered, but the guidelines clarify that the term “explicit” refers to the expression of consent by the data subject, rather than the way a request for consent is presented. It may be achieved by the use of a written statement, which may (but does not have to) be signed, an electronic form, an email, or an electronic signature. It could also be given orally, although the guidelines indicate this may be difficult. Two-stage verification may also be used, for example in an online setting.
A data controller must be able to demonstrate a data subject’s consent, with the burden of proof on the controller. The guidelines note that this should not lead to excessive further data processing simply to meet this requirement. Further, after the processing activity ends, proof of consent should be kept only for so long as is strictly necessary for compliance with a legal obligation or the establishment, exercise or defence of claims.
The guidelines note that the GDPR does not set a time limit for how long consent will remain valid. It depends on context, the scope of the original consent and the expectations of the data subject. The guidelines recommend as a best practice to refresh consent at appropriate intervals.
Withdrawal of consent
One of the potentially more difficult requirements of the GDPR is the requirement that consent must be as easy to withdraw as it was to give. This is challenging, particularly in an online context, where consent may have been given by a single click, swipe or keystroke. The guidelines state that, as a minimum, where consent is given via an electronic interface, that same interface must be available to be used to withdraw consent.
If consent is withdrawn, all data processing that took place on the basis of that consent must stop. Data must be deleted or anonymised at that point if there is no other lawful basis for processing. If data is to be processed on another legal basis, it must have been clearly explained to the data subject in advance. It is not acceptable to migrate silently from consent (which is withdrawn) to another lawful basis (e.g. legitimate interest).
The guidelines do advocate a temporary loosening of the requirement that a data controller cannot swap between one lawful basis and another. That is to allow data controllers to switch from consent to another lawful basis, where a consent previously obtained under the Directive would not meet the new GDPR standard and another lawful basis is available.
In relation to the special rules on obtaining consent from children for the offering of information society (i.e. online) services, the guidelines note that controllers should make reasonable efforts to verify that the user is over the age of digital consent (as prescribed by national law), and to verify parental responsibility (where applicable), which in each case should be proportionate to the nature and risks of the processing activities. As with demonstrating consent, age verification should not lead to excessive data processing.
The GDPR allows additional flexibility in relation to the processing of personal data for scientific research, particularly in relation to processing of special categories of data (e.g. health data). The guidelines clarify that, notwithstanding that the GDPR states that the term “scientific research” should be interpreted in a broad manner, it should not be stretched beyond its normal meaning. The WP29 regard that as meaning a research project set up in accordance with relevant sector-related methodological and ethical standards.
If data is processed for further purposes which are not known at the start of a research study, data controllers may sometimes have difficulty pursuing that further research in compliance with the GDPR. It is important to try to define as well as possible any further, secondary research purposes when collecting consent at the outset. As time progresses, it may be appropriate to “top up” fair processing information to provide greater granularity. Further, appropriate safeguards such as data minimisation, anonymisation and data security should be deployed, with anonymisation the preferred solution.
Remember that the WP29 guidelines on transparency and consent remain in draft form. Comments will be welcomed until 23 January 2018.