On 28 November 2017, the Article 29 Working Party (the “WP29”) published detailed draft guidelines on consent under the EU General Data Protection Regulation (the “GDPR”), which is to come into effect on 25 May 2018. The draft guidance has been submitted for public consultation for a six-week period before being adopted.
The WP29 guidance on consent (“Consent Guidelines”) provides an analysis of the notion of consent under the GDPR as well as practical guidance for organisations on the requirements to obtain and demonstrate valid consent under the GDPR.
The Notion of Consent under the GDPR
Under the GDPR, consent is one of six legal bases to process personal data. Article 4(11) of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The Requirements for Valid Consent
According to the Consent Guidelines, the key elements for valid consent are as follows:
- Unambiguous: consent requires a statement from the individual or a clear affirmative act (i.e. it must always be given through an active motion or declaration). Silence, inactivity and the use of pre-ticked opt-in boxes are invalid. Consent cannot be obtained through the same motion as agreeing to a contract or accepting the general terms and conditions of a service (e.g. scrolling down or swiping through terms and conditions which include declarations of consent). Importantly, the Consent Guidelines state that an organisation cannot swap between lawful bases (e.g. an organisation cannot retrospectively rely on the legitimate interests ground where it encounters issues obtaining valid consent).
- Imbalance of power: Consent will not usually be appropriate where there is an imbalance of power between the individual and the organisation relying on consent (e.g. as between an employer and an employee), as in such circumstances consent may not be considered freely given. The Consent Guidelines acknowledge that there may be instances where an employer can rely on consent as a lawful basis for processing employee personal data (e.g. consent from an employee to be filmed in the office as part of a marketing initiative, assuming that the employee is not penalised in any way if consent is not given).
- Conditionality: Requests for consent to the processing of personal data should not be “bundled up” with the acceptance of terms or conditions or tied to the provision of a contract or service, unless necessary for the performance of that contract or service (e.g. processing credit card details in order to facilitate payment). What is considered “necessary” must be interpreted strictly.
- Specific and Granular: Companies need to obtain separate consents from individuals for each specific purpose for which that company intends to process their personal data (e.g. one consent for direct marketing and a separate consent for sharing their personal data with other group companies).
- Withdrawal of Consent: Individuals must be able to withdraw their consent at any time and without suffering any detriment (e.g. without incurring any cost and/or a downgrade in service).
- Clear and Distinguishable: When seeking consent, clear and plain language should be used which is appropriate to the audience. Where consent is being requested as part of a contract the request for consent should be clearly distinguishable from the other matters (i.e. it cannot simply be a paragraph in the middle of some terms and conditions).
Where organisations are required to obtain “explicit” consent (e.g. for processing sensitive personal data such as health data), the individual must give an express statement of consent (e.g. in a written statement, by sending an email or via a two-stage verification process). The Consent Guidelines acknowledge that, in theory, oral statements can also be sufficient, although it may be difficult to prove that all elements of valid explicit consent have been met.
Under Article 7(1) of the GDPR, companies are obliged to demonstrate and prove that valid consent was obtained from individuals. The Consent Guidelines recommend that companies keep records of how and when consent was given, and of the specific information provided to individuals at the time consent was obtained, in order to demonstrate compliance.
There is no specific time limit in the GDPR for the validity of a consent and according to the Consent Guidelines, it will depend on the context, the scope of the original consent and the expectations of the individual who gave consent.
Organisations must ensure that consent can be withdrawn as easily as it was given and at any time. The Consent Guidelines give an example of an insufficient withdrawal mechanism: consent is given online by clicking yes or no, but to withdraw consent the individual must call a customer helpline. However, the Consent Guidelines acknowledge that the GDPR does not say that giving and withdrawing consent must always be done through the same action.
All data processing operations that were based on consent and took place before the withdrawal of consent remain lawful. According to the Consent Guidelines, if there is no other lawful basis for justifying the processing (e.g. further storage) of the data, the data should be deleted or anonymised. In cases where consent is withdrawn and the organisation wants to continue to process the personal data on another lawful basis, the organisation “cannot silently migrate from consent to this other lawful basis”.