The Article 29 Working Party (WP29) has published its long-awaited guidelines on consent for consultation. The consultation is open until 26 January 2018.

General comments

The WP29 stresses that consent is one of the six lawful bases for processing personal data under the GDPR. The data subject must be offered control and genuine choice. The WP29's previous Opinions on consent remain relevant where consistent with the GDPR. In addition, the WP29 stresses that consent under the GDPR remains linked to the notion of consent under ePrivacy legislation: "Organisations are likely to need consent under the ePrivacy instrument for most online marketing messages or marketing calls, and online tracking methods including the use of cookies or apps or other software". Consent in the ePrivacy Directive, which is defined by reference to the Data Protection Directive, will become GDPR consent when the GDPR comes into effect.

Elements of consent under Article 4(11) GDPR

The guidelines analyse what is needed to meet the elements of consent i.e. that it is freely given, specific, informed and an unambiguous indication of the data subject's wishes. They also discuss issues which may prevent a valid consent.

Before consent is sought, the purpose for which it is being sought must be identified. Under the principle of purpose limitation, consent is only valid for the purpose for which it was originally obtained. Granularity also matters to consent being specific, inasmuch as separate consent must be sought for each purpose. In addition, specific information must be provided with each consent request to explain the impact of the different choices open to the data subject.

Note that while there is no need to provide information about data processors in order to obtain valid consent, that and other information may be required under Articles 13 and 14 GDPR.

When seeking consent, clear and plain language which is easily understandable by the target audience must be used. Legal jargon should be avoided. Provisions around consent must be clearly separated from other terms and conditions. Where consent is to be given by electronic means, the request must be clear and concise. Layered and granular information may be appropriate.

Crucially, the WP29 confirms that consent must be obtained before the controller begins processing the personal data. While consent need only be obtained once in principle (although the guidelines later say that it should be refreshed "as appropriate"), controllers need to obtain new consent if the purpose then changes, or an additional purpose is undertaken.

  • Freely given – for consent to be freely given, there must be real choice and control for data subjects. This means consent cannot be bundled up as part of non-negotiable terms and conditions, nor will it be valid unless the data subject can withdraw consent without detriment.
  • Imbalance of power – an imbalance of power between controller and data subject will mean that consent is unlikely to be freely given as the data subject will not have a genuine choice. The examples discussed in the guidelines are the use of consent by public authorities and employee data. In both these situations, the WP29 confirms consent should not be used as the lawful basis for processing in the majority of situations. There are exceptional situations in which consent may be valid, for example, where consent is sought for a genuinely non-compulsory purpose, such as opting in to updates on road repairs by a public authority, or consenting to be filmed in the background as part of a group of employees where consent is not required and employees who do not consent can be located out of range of the filming for its duration. The WP29 stresses these are not the only relationships where an imbalance of power might affect consent. Consent will not be free where "there is any element of compulsion, pressure or inability to exercise free will".
  • Conditionality – consent which is bundled into other terms and conditions, or tied to the provision of a contract or service, is presumed not to be freely given. The use of consent cannot be merged or blurred with reliance on the ground that the processing is necessary for the performance of a contract. Where reliance is placed on the latter, what is "necessary" must be strictly interpreted: there needs to be a "direct and objective link" between the processing of the data and the performance of the contract. Where this is established, there is no need to use another lawful basis such as consent. The burden of proof is on the controller to demonstrate that there is no 'bundling' or 'tying' of consent to the performance of a contract. If, for example, the controller can demonstrate that the data subject had the choice of obtaining the same goods or services, under the same terms and conditions, without giving consent to the processing of their personal data, the burden of proof will be met.
  • Granularity – the importance of granularity in obtaining consent has been stressed by regulators for some time. The WP29 says that in the context of the GDPR, where consent is being relied on, a separate consent must be obtained for each purpose for which data is being processed. Any conflation will result in a lack of freedom. The concept of granularity is closely linked to the requirement that consent be specific (more below).
  • Detriment – the controller must be able to demonstrate that it is possible to refuse or withdraw consent without detriment to the data subject. Being able to do this may help show consent was freely given.
  • Specific – to comply with the requirement that consent is specific (a requirement carried over from the Directive and closely linked to consent being "informed"), the WP29 says the controller must apply:
    • purpose specification as a safeguard against function creep;
    • granularity in consent requests; and
    • clear separation of information related to obtaining consent for data processing activities from information about other matters.
  • Informed – Consent must be informed. This requirement ties in with the Article 5 requirement for transparency which is, in turn, connected to establishing fair and lawful processing. Sufficient information must be supplied to allow data subjects to make informed decisions about what they are consenting to and about their right to withdraw consent. Without this information, user control is illusory and consent will not be valid. The WP29 sets out a list of essential information which must be provided to the data subject:
    • the identity of the controller and any joint controllers;
    • the purpose of each processing operation for which consent is sought;
    • what (type of) data will be collected and used;
    • the existence of the right to withdraw consent;
    • information about the use of the data for decisions based solely on automated processing, including profiling; and
    • possible risks of data transfers to third countries without adequacy decisions or appropriate safeguards (where applicable).
  • Unambiguous indication of wishes – consent must always be given through an active motion or declaration, but it can be collected by a variety of means, written or by recorded oral statement. Pre-ticked boxes, silence or inactivity, simply proceeding with a service, or an opt-out that requires the data subject to intervene to prevent agreement are not active indications of choice; a single motion such as swiping can be. Where consent is given through electronic means, the request should not be unnecessarily disruptive, but it may need to interrupt the user experience to a degree. The WP29 recognises that the granularity requirement may lead to "click fatigue" in an electronic context. It offers little practical help on this beyond GDPR-compliant browser settings, and leaves it to controllers to develop ways of dealing with it.

Explicit consent

Where explicit consent may be required (for example when processing special data), an express statement of consent is required. Again, the most obvious way of meeting this requirement is to obtain written consent, however, other methods may be used. In the digital or online context, the WP29 suggests filling in an electronic form, uploading a scanned signed document, using an electronic signature, or using two-stage verification. While explicit consent may be given orally, the WP29 counsels against relying on this owing to the difficulty in meeting accountability requirements in such cases.

Additional conditions for obtaining valid consent

There is no time limit in the GDPR for how long consent lasts. The WP29 recommends as best practice that "consent should be refreshed at appropriate intervals" - not a particularly helpful observation.

Once consent is withdrawn, all data processing operations based on it should stop. If there is no other lawful basis for justifying further processing, the data should be anonymised or deleted. The same data may also be needed for another purpose for which a different lawful basis already exists and retained on that basis. It is important to note that the lawful basis for each type of processing must be identified by the data controller before the processing begins. The guidelines appear, in this section, to suggest that if another lawful basis can be identified, the controller can begin to rely on it once it has notified the data subject of the change in accordance with information and transparency requirements: "In cases where the data subject withdraws his/her consent and the controller wishes to continue to process the personal data on another lawful basis, they cannot silently migrate from consent (which is withdrawn) to this other lawful basis. Furthermore, any change in the lawful basis for processing must be notified to a data subject". This is completely contradicted in the next section of the guidelines and, again towards their conclusion, and we assume this inconsistency will be resolved when the final version of the guidelines is published.

  • Demonstrating consent - data controllers must be able to demonstrate valid consent was collected where it is being relied on. The WP29 reminds controllers that this should not lead to an excessive amount of additional data processing. After processing finishes, proof of consent should not be kept longer than strictly necessary.
  • Withdrawal of consent – not only does the data subject have to be informed of their right to withdraw consent before giving it, information must also be given about how to withdraw it. While the GDPR does not specify that withdrawal must be available by the same method as consent was obtained, the WP29 says that, where consent is obtained through electronic means, the data subject must, in practice, be able to withdraw the consent as easily as it was given. Where it is obtained through use of a service-specific interface (such as a website), the same interface must be available for withdrawal of that consent. In addition, withdrawal must also be available without detriment (such as increased costs or diminished service).

Consent and other lawful grounds in Article 6 GDPR

Processing for a particular purpose cannot be legitimised by more than one lawful basis. The controller must identify the lawful basis for processing in relation to each purpose and cannot modify this in the course of processing or swap between them. The WP29 says this means under the GDPR "controllers that ask for data subjects' consent to the use of personal data shall in principle not be able to rely on the other lawful bases in Article 6 as a 'back-up', either when they cannot demonstrate that GDPR-compliant consent has been given by a data subject or if valid consent is subsequently withdrawn (our italics). Because of the requirement to disclose the lawful basis which the controller is relying upon at the time of collection of personal data, controllers must have decided in advance of collection what the applicable lawful basis is". This appears to contradict the statement made in section 6 of the guidance (noted above) which suggests that the controller can identify another lawful basis if consent is withdrawn, provided it complies with the information requirements before continuing to process the data.

Children

Under Article 8 GDPR, where consent applies in relation to the offer of information society services directly to a child, the processing shall be lawful where the child is at least 16 (Member States may lower this to as low as 13). Where the child is younger, consent must be given by the holder of parental responsibility over the child. The WP29 reminds controllers to be aware that different Member States may have different ages of digital consent. Controllers are expected to make reasonable efforts to verify that the user is over the age of digital consent, using measures which are proportionate to the nature and risks of the processing activities. Appropriate checks are implicitly required under the GDPR according to the WP29, but should not lead to excessive data processing. A proportionate approach should also be applied when gathering parental consent, which should focus on obtaining a limited amount of information (such as contact details) of a parent or guardian. What is reasonable in situations involving children may depend on the risks associated with the processing. If, for example, the processing is high risk, more proof of age/consent may be required, in which case the WP29 suggests it may be appropriate to use a third party verification solution in order to minimise the amount of data the controller has to process.

Parental consent will expire when the data subject reaches the age of digital consent. From that day, the controller must obtain valid consent from the data subject. It will be up to the data controller to put appropriate procedures in place to achieve this.
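The requirements set out above (one consent per purpose, no pre-ticked boxes or inactivity, withdrawal through the same interface, a record the controller can produce to demonstrate consent, a lawful basis fixed per purpose before processing with no silent fall-back once consent is withdrawn, and parental consent lapsing on the day the child reaches the age of digital consent) translate fairly directly into a data model. The following Python sketch is an added example written for this page, not code from the WP29, the ICO or any product; the ConsentLedger class, its method names, the "notice_version" field and the ages in AGE_OF_DIGITAL_CONSENT are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Dict, Optional, Tuple

# Constructed, illustrative values: the age of digital consent is set per Member
# State (between 13 and 16 under Article 8) and must be checked against national law.
AGE_OF_DIGITAL_CONSENT = {"IE": 16, "UK": 13, "DE": 16}

# Indications the guidelines say are NOT an active, unambiguous choice.
INVALID_INDICATIONS = {"pre-ticked", "silence", "inactivity", "continued-use", "opt-out"}


class ConsentError(ValueError):
    """Raised when a request would create or rely on invalid consent."""


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                      # one record per purpose (granularity)
    method: str                       # how it was given: "checkbox", "swipe", "signed-form", ...
    notice_version: str               # which information text the subject saw (accountability)
    given_at: datetime
    given_by: str = "data_subject"    # or "parent" for an Article 8 child
    ended_at: Optional[datetime] = None
    end_reason: Optional[str] = None  # "withdrawn" or "parental-consent-lapsed"

    @property
    def active(self) -> bool:
        return self.ended_at is None


class ConsentLedger:
    def __init__(self) -> None:
        self._basis: Dict[str, str] = {}                          # purpose -> lawful basis
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}  # (subject, purpose) -> record

    def register_purpose(self, purpose: str, lawful_basis: str) -> None:
        """Fix the lawful basis for a purpose before any processing; it cannot be swapped later."""
        if purpose in self._basis and self._basis[purpose] != lawful_basis:
            raise ConsentError(f"basis for {purpose!r} is fixed as {self._basis[purpose]!r}")
        self._basis[purpose] = lawful_basis

    def record_consent(self, subject_id: str, purpose: str, method: str, notice_version: str,
                       given_by: str = "data_subject", now: Optional[datetime] = None) -> ConsentRecord:
        if self._basis.get(purpose) != "consent":
            raise ConsentError(f"{purpose!r} is not processed on the basis of consent")
        if method in INVALID_INDICATIONS:
            raise ConsentError(f"{method!r} is not an active indication of the subject's wishes")
        rec = ConsentRecord(subject_id, purpose, method, notice_version,
                            now or datetime.now(timezone.utc), given_by)
        self._records[(subject_id, purpose)] = rec
        return rec

    def withdraw(self, subject_id: str, purpose: str, now: Optional[datetime] = None) -> bool:
        """Same interface as giving consent; afterwards may_process() is False for this purpose."""
        rec = self._records.get((subject_id, purpose))
        if rec is None or not rec.active:
            return False
        rec.ended_at = now or datetime.now(timezone.utc)
        rec.end_reason = "withdrawn"
        return True

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Is there a current lawful basis for this subject and purpose?"""
        basis = self._basis.get(purpose)
        if basis is None:
            return False            # no basis identified before processing: stop
        if basis != "consent":
            return True             # e.g. "contract", decided at collection time
        rec = self._records.get((subject_id, purpose))
        return rec is not None and rec.active   # withdrawn consent: no silent fall-back

    def proof_of_consent(self, subject_id: str, purpose: str) -> Optional[dict]:
        """What the controller can produce to demonstrate consent (Article 7(1))."""
        rec = self._records.get((subject_id, purpose))
        if rec is None:
            return None
        return {"purpose": rec.purpose, "method": rec.method, "notice_version": rec.notice_version,
                "given_at": rec.given_at.isoformat(), "given_by": rec.given_by,
                "ended_at": rec.ended_at.isoformat() if rec.ended_at else None,
                "end_reason": rec.end_reason}

    def lapse_parental_consent(self, subject_id: str, birth_date: date, country: str, today: date) -> int:
        """End every parental consent for the subject once they reach the national age of digital
        consent. Returns how many records lapsed; the controller must then seek the subject's own consent."""
        age = today.year - birth_date.year - ((today.month, today.day) < (birth_date.month, birth_date.day))
        if age < AGE_OF_DIGITAL_CONSENT[country]:
            return 0
        lapsed = 0
        for (sid, _), rec in self._records.items():
            if sid == subject_id and rec.given_by == "parent" and rec.active:
                rec.ended_at = datetime.combine(today, datetime.min.time(), tzinfo=timezone.utc)
                rec.end_reason = "parental-consent-lapsed"
                lapsed += 1
        return lapsed
```

Two design points follow from the guidelines rather than from convenience: the lawful basis is keyed by purpose and fixed with register_purpose() before any record exists, so the code has nowhere to "migrate" to when consent is withdrawn; and the proof kept for accountability is the minimum the controller needs to show (what was shown, how, when, by whom), not a copy of the data processed.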

Scientific research

The WP29 points out that recital 33 appears to allow some flexibility to the degree of specification and granularity of consent in the context of scientific research. The WP29 interprets this to mean that in principle, scientific research projects can only include personal data on the basis of consent if they have a well described purpose. The WP29 suggests consent may not be the best lawful basis on which to rely as the research may be compromised if consent is withdrawn.

Data subject rights

Data processing based on consent attracts a number of data subject rights – portability, withdrawal, erasure (the "right to be forgotten"), restriction, rectification and access. There is no right to object when processing is based on consent, because the right to withdraw provides a similar protection.

Consent under the Data Protection Directive

Confirmation is given that consent obtained under the Directive continues to be valid as long as it was obtained in line with GDPR requirements. The WP29 recommends that controllers review current work processes and records in detail to determine compliance before 25 May 2018. In particular, it cautions that an inability to demonstrate valid consent was obtained, or consent based on a more implied form of action (e.g. ignoring a pre-ticked box), will mean the existing consent will not be valid under the GDPR. Other recommendations include ensuring withdrawal mechanisms are in place, and reviewing and updating IT systems and procedures.

Interestingly, the WP29 suggests the transition from the Directive to the GDPR, affords controllers a 'one off' option of assessing whether processing based on consent under the Directive, which will no longer be valid under the GDPR, can be continued on another lawful basis. If the controller is unable to renew consent "in a compliant way and is also unable to make the transition to GDPR compliance by basing data processing on a different lawful basis while ensuring that continued processing is fair and accounted for, the processing activities must be stopped". The WP29 states that "Under the GDPR, it is not possible to swap between one lawful basis and another". Again, this appears to contradict the assertion in the section on withdrawal of consent which suggests another lawful basis may be available in the event consent is withdrawn.

WP29 draft guidelines on transparency

The Article 29 Working Party has published draft guidelines on transparency for consultation. The guidelines mainly analyse the meaning of the wording used in the GDPR around transparency, including what is meant by "clear and plain language", and by "concise, transparent, intelligible and easily accessible". The guidelines also detail what information should be provided to data subjects and when, and set this out as a table. As the WP29 points out, transparency is an overarching requirement under the GDPR which relates to the provision of information to data subjects, how controllers communicate with data subjects in relation to their rights, and how data controllers facilitate data subject rights.

The guidance is broadly common sense but does provide tips on how to supply information to data subjects. It is worth noting that the WP29 stresses that to qualify as transparent, website privacy policies should be clearly visible on each page of a website. This is uncontroversial but the guidance goes on to say that positioning or colour schemes which make a text or link less noticeable or hard to find, will mean that the policy is not easily accessible. This remains something of a grey area. Many businesses will place their privacy policy link at the bottom of a web page which will require a considerable amount of scrolling to reach and it will then be in smaller or less noticeable font than most of the other information on the website. While this is standard practice which is unlikely to trouble the informed user, it is unclear whether this is acceptable to the WP29. For apps, the WP29 suggests the privacy policy be no more than two taps away, so the menu function should always lead to a link to the privacy policy or settings.

WP29 updated draft adequacy referential working document

The Article 29 Working Party has published an updated adequacy referential document for consultation. It is aimed primarily at the European Commission and regulators and updates the first chapter of its working document on transfers of personal data to third countries (WP12). The document covers the concept of adequacy, procedural aspects for adequacy findings under the GDPR, the general data protection principles required to ensure that a country is providing essentially equivalent protection to the EU, and the essential guarantees required around law enforcement and national security access to limit interference to fundamental rights of EU citizens.

ICO cautions against government guidance on data protection

The UK's ICO has raised concerns about proposals to allow the government to issue guidance on data processing by government departments and other public bodies. The ICO is concerned that this would compromise the independence of the ICO, particularly in the exercise of functions under Article 52 of the GDPR. The concerns were raised in the ICO's second annex to its briefing on the House of Lords Report Stage of the Data Protection Bill. This also covered protection of children's data (see below) and the government's decision not to include provision for 'super complaints' in the Bill, as permitted under Article 80(2) GDPR.

EBA guidance on auditing security measures under PSD2

The European Banking Authority has issued guidance to organisations caught by security requirements under the revised Payment Services Directive (PSD2). The guidance deals with the auditing of security measures and actions which are required to address operational and security risks. The guidance consists mainly of a series of best practice recommendations.

ICO draft guidance on children and the GDPR

The ICO has published draft guidance on children and the GDPR for consultation. The ICO stresses that organisations will need to ensure they use plain and clear language suitable for children when offering them online services. They will also have to be able to give effect to the new data protection rights. This means they need to review existing processing, clarify the lawful bases for processing the data in future, and ensure they meet the relevant requirements. Where controllers are relying on consent for the processing, they need to make sure they get valid consent in place before May.

The ICO reminds controllers that children's information rights are also likely to feature in the Data Protection Bill, and that the ICO will be required to publish a code of practice for data controllers on age-appropriate web design.

ICO publishes GDPR resources for SMEs

The ICO has published a number of resources to help SMEs prepare for the GDPR. These complement the advice service launched in November 2017. The resources include a self-assessment checklist which generates a report of recommendations, an FAQ document and a guide to the GDPR.

Government consultation on proposed EU cybersecurity Regulation

The UK government is calling for evidence from stakeholders including telecoms operators, IT service providers, hardware and software manufacturers, on the EC's proposal for a Regulation on the European Union Agency for Network and Information Security, and on cybersecurity certification. It is looking for comments on the proposal, including in light of the planned withdrawal of the UK from the EU.

Risk management guidance from the National Cyber Security Centre

The National Cyber Security Centre has published guidance on risk management. This is the first in a planned series which will offer practical advice on cybersecurity risk management. This phase looks primarily at component-driven risk management and system-driven risk management.

Investigatory Powers (Codes of Practice) Regulations 2018

Five codes of practice under the Investigatory Powers Act came into force on 19 December 2017. These cover:

  • Bulk acquisition of communications data;
  • Equipment interference;
  • Interception of Communications;
  • National Security Notices; and
  • Intelligence services retention and use of bulk personal datasets.

At the time of writing, the codes had not been published in final form.