The General Data Protection Regulation (GDPR), which enters into force on 25 May 2018, requires data controllers to justify the collection and processing of personal data on one of six lawful bases. Controllers can obtain the consent of data subjects to justify this collection of data, but a number of criteria must be fulfilled before the consent can be valid.
Non-binding guidelines issued by the Article 29 Working Party (WP29), the representative group of each of the data protection authorities from across the EU, break down the concept of consent under the GDPR. The guidelines focus on the changes and provide practical guidance to ensure compliance with the GDPR.
The fundamental elements of valid consent are that the consent of the data subject must be (i) freely given, (ii) specific, (iii) informed and (iv) it must constitute an unambiguous indication of the data subject’s wishes.
The GDPR requires that data subjects be given real choice and control over their ability to consent. If the data subject has no real choice, feels compelled, or will experience negative consequences if they do not consent, the consent will not be valid. If consent is included as part of a set of non-negotiable terms, it will not have been freely given. Neither will it be freely given if consent for many processing operations is “bundled”. Separate consent must be given for each processing operation.
The specific purpose or purposes for processing the data must be determined and made clear to the data subject before consent is sought; consent obtained without this is not valid. New, “fresh” consent must be obtained where a controller wishes to use previously collected personal data for an additional purpose.
With each separate consent request, controllers should provide specific information about the purpose for processing the data.
The GDPR requires that consent be informed, and that subjects understand, prior to giving their consent, what they are agreeing to.
The WP29 has indicated that, at least, the necessary details required for consent to be informed are: the controller’s identity, the purpose of each of the processing operations for which consent is sought, the type of data collected and used, the existence of a right to withdraw consent, information relating to the automated processing of data, and, where necessary, information regarding the possible risks of data transfers to third countries.
Unambiguous indication of wishes
The requirement of an unambiguous indication of the data subject’s wishes means that the data subject must take a deliberate action to consent to a particular processing operation. This can be obtained through written or (recorded) oral means, or electronically, through an active affirmative action such as clicking a button on a website’s privacy statement.
A notable change under the GDPR is that controllers will no longer be allowed to offer pre-ticked boxes, or ‘opt-out’ constructions.
Additional conditions for valid consent
Under the GDPR, the data controller must be able to prove that the data subject gave valid consent. Controllers must also make sure that data subjects can withdraw consent at any time, and in as easy a manner as they gave it.
After consent has been withdrawn, the controller must stop processing the data. If there are no other lawful bases to justify processing the data, controllers should delete or anonymise the data.
Consent does not expire under the GDPR, but the WP29 has recommended that consent should be refreshed regularly.
The WP29 has noted that asking people to consent to data processing should be subject to “rigorous requirements” as it concerns the fundamental rights of data subjects. Data controllers, therefore, must ensure that the operations they use to obtain consent are GDPR-compliant by 25 May 2018.
If, after reviewing previously obtained consent, controllers find that the consent obtained under the old legislation will not meet the standard of GDPR consent, they must assess whether the processing may be based on a different lawful basis. However, this is a one-off situation as the transition to the GDPR is made; once the GDPR applies, controllers will not be able to swap between lawful bases.