Background

On 12th December 2017, the Article 29 Working Party (“WP29“), published its draft Guidelines on Consent under the General Data Protection Regulation 2016/679 (respectively, “Guidelines” and “GDPR“), inviting comments to be submitted by 23 January 2018.

Consent is one of the six lawful bases on which personal data may be processed (Article 6 of the GDPR) and its crucial role is highlighted by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

The Guidelines are built upon the previous WP29’s Opinion 15/2011 on the definition of consent (“Opinion“) adopted on 13th July 2011. In these new draft Guidelines, WP29 expands the earlier Opinion and provides important clarifications in order to apply the principles of the GDPR to obtain a valid consent.

As noted by the WP29, the concept of consent in the draft e-Privacy Regulation is aligned with that of the GDPR. However, the WP29 underlines that even if the proposed e-Privacy Regulation has not been adopted by 25th May 2018, the GDPR conditions for obtaining valid consent will be applicable in situations falling within the scope of the current e-Privacy Directive 2002/58/EC (including consent to direct marketing communications and online tracking).

Main issues

Article 4(11) of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her“.

As obvious as that may seem, the WP29 clarifies that the requirements for consent under the GDPR are not considered to be an additional obligation but rather preconditions for lawful processing.

The Guidelines are broken down into various sections, which analyse the different parts of the wording of the above-mentioned Article 4(11) of the GDPR.

The WP29 notes that the element freely implies real choice and control for data subjects. There are situations where data subjects will not have real choice because of an imbalance of power in their relationship with the controller (e.g., between employer and employee, or citizen and public authority). As stated in Recital 43 of the GDPR, this means employers and public authorities should avoid reliance on consent as a lawful basis for processing, unless in certain circumstances (in which it is likely that consent is not affected by an imbalance of power, as highlighted in examples 2, 3 and 4 of the Guidelines). Moreover, if consent is bundled up as a non-negotiable part of the terms and conditions, it is presumed not to have been freely given. Article 7(4) of the GDPR considers conditionality as a presumption of a lack of freedom to consent and demonstrates that it must be carefully scrutinized.

In the granularity section, the Guidelines state that when the processing of personal data is carried out for several purposes, each purpose should be separated, and consent should be obtained for each of them. This brings WP29 to another, closely related, point. The consent needs to be specific, as stated in Article 6(1)(a) of the GDPR, which confirms that the consent of the data subject must be given in relation to “one or more specific” purposes.

However, a specific consent can only be obtained when data subjects are specifically informed about the intended purposes of data use concerning them. The GDPR introduces a high standard for clarity and accessibility of the information, which must be provided in a plain language, and requires data controllers to consider their targeted audience to determine both what information to provide as well as how to provide it. To accommodate for small screens or situations with restricted rooms for information, the Guidelines observe that a layered way of presenting information can be considered, where appropriate, to avoid excessive disturbance of user experience or product design.

Another important requirement is that consent must be provided by means of an unambiguous indication, avoiding the use of pre-ticked opt-in box. The data subject must have taken a clear affirmative action to consent to the particular processing, such as through physical motions or a written or recorded oral statement, including by electronic means (e.g. swiping on a screen).

The WP29 warns that, in the digital context, multiple consent requests, that need answers through clicks and swipes every day, may result in a certain degree of click fatigue, which may subsequently lead to the effect of consent mechanisms diminishing as consent questions are no longer read. The GDPR places the obligation to develop ways to tackle this issue, upon data controllers, noting that an oft-mentioned solution is to obtain consent through browser settings.

According to Recital 42 of the GDPR, the data controllers have the burden to demonstrate consent obtained by the data subjects. However, the duty at stake should not in itself lead to excessive amounts of additional data processing.

The WP29 recommends, as a best practice, that consent be refreshed at appropriate intervals.

Article 7(3) of the GDPR requires data controllers to ensure that consent can be withdrawn by the data subject as easy as giving consent and at any given time. The WP29 makes clear that any failure to comply with this requirement may invalidate the original consent.

Nevertheless, where a data subject withdraws his/her consent and the data controllers wishes to continue to process the personal data on another lawful basis, they cannot silently migrate from consent to this other lawful basis.

Lastly, where consent applies in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Practical implications

Prior to 25th May 2018, in order to follow the recommendations provided by the Guidelines, data controllers will have to:

  • review their processes of data collection to make sure that all existing consent received meet the GDPR standard;
  • review the information provided to data subjects in their privacy notices, to ensure that they clearly set out the lawful processing grounds for each of their processing activities, and that they meet the GDPR’s requirements in relation to a transparent processing;
  • develop mechanisms for correctly gaining, recording and managing the withdrawal of consent of the data subjects;
  • review the direct marketing policies and procedures: opt-out consent (except in regard to existing customers who are permitted to object to direct marketing) will no longer be sufficient, as silence and pre-ticked boxes do not constitute consent under the GDPR.