The Article 29 Working Party (WP29) released two guideline documents, WP259 and WP260, on the General Data Protection Regulation (GDPR) concepts of consent and transparency in November. Comments on both documents will be accepted by the Working Party through January 23, 2018 after which the WP29 will issue final guidance. WP29 is an independent European advisory body on data protection and privacy.
This blog post focuses on WP259, which is the guideline on consent. We have also written a companion blog on WP260, the guideline on transparency.
Guideline on Consent
The guideline provides a thorough analysis of the notion of consent, which is one of the six lawful bases to process personal data under the GDPR. Article 4(11) stipulates that consent of the data subject must be:
- Freely given.
- Unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
The guideline lists four considerations that the WP29 believes affect whether consent is freely given: power imbalance, conditionality, lack of granularity, and potential for detriment. Specifically, it is noted that often there is an imbalance of power when the controller is, for example, either a public authority or an employer. For the consent to be valid when there is an imbalance of power, the data subject must be able to exercise a real choice with no risk of deception, intimidation, coercion or significant negative consequences if consent is not provided.
The guideline also notes that consent, bundled with acceptance of terms and conditions or “tying” to the provision of a contract or service, is not freely given. Further, the guideline states that consent cannot be merged or blurred and that there must be a “direct and objective link between the processing of the data and the purpose of the execution of the contract.”
What has been viewed as one of the more controversial aspects of the guideline relates to the granularity of the consent. The WP29’s view is that consent can only address a single, specific purpose of processing. Specifically, the guideline states that if a company offers services “involving multiple processing operations for more than one purpose,” then the company must obtain a separate consent for each individual purpose of processing.
The draft guideline addresses three criteria that must be met to satisfy the specificity requirement. First, the purpose must be specific so that there is no function creep; the WP29 expressed concern about the risk to data subjects that results from the unanticipated use of personal data. Second, consent requests must be granular: a controller that seeks consent for various different purposes must provide a separate opt-in for each purpose. Lastly, controllers must clearly separate information related to consent for data processing activities from information about other matters.
WP259 lists six minimum requirements that must be included in consent language in order for the consent to be informed:
- Identity of the controller.
- Purpose of each of the processing operations for which consent is sought.
- Type of data that will be collected and used.
- Existence of the right to withdraw consent.
- Information about the use of the data for decisions based solely on automated processing, including profiling.
- If the consent relates to transfers, information about the possible risks of data transfers to third countries in the absence of an adequacy decision and appropriate safeguards.
The GDPR does not prescribe the form or shape in which information must be provided in order to fulfill the informed consent requirement. The guideline notes that information may be presented in a variety of ways, including written or oral statements, or audio or video messages. The guideline encourages controllers to use clear and plain language that is easily understandable for the average person and not only for lawyers. Further, the guideline cautions against burying information relevant to making an informed decision in general terms and conditions. More guidance on this topic is provided in the separate Guideline on Transparency, WP260.
To satisfy the requirement that the consent be unambiguous, the guideline notes that consent must always be given through an active motion or declaration so that it is obvious that the data subject has consented to the particular processing. The guideline notes that while written consent is the most literal way to satisfy this requirement, unambiguous consent can take many shapes and sizes and still comply with the GDPR.
In the digital context, the guideline specifically addresses the potential for “click fatigue,” where the actual warning effect of consent is diminished, but notes that the GDPR places upon controllers the obligation to develop ways to tackle this issue. The guideline entertains the possibility that in the online context consent could be given via the data subject’s browser settings.
Withdrawal of Consent
The guideline emphasizes that consent is only valid if it is able to be withdrawn as easily as it is granted. For example, if consent is obtained via electronic means through a mouse-click, swipe or keystroke, the data subject must be able to withdraw consent equally as easily.
Interaction between consent and other legal bases
WP259 notes that, in general, a processing activity for one specific purpose cannot be based on multiple lawful bases, although it is possible to rely on more than one lawful basis to legitimize processing if the data is used for several purposes. The practical effect of such guidance, if adopted, is that a controller’s flexibility in designing consents will be severely limited.
In the U.S., with the exception of certain federal statutes such as the Telephone Consumer Protection Act and the Health Insurance Portability and Accountability Act, U.S. companies collecting and using certain consumer data generally operate in an “opt-out consent world.”
The GDPR’s opt-in consent requirement is a paradigm shift. The guideline provides some important insight into the WP29’s thinking. Much of the guidance, however, should not be surprising as it follows many of the best practices set forth in Federal Trade Commission business education relating to the provision of effective consents.