Consent: How to get it right under GDPR? June 26, 2018 – Posted in: EU GDPR – Tags: Data Protection, GDPR
With the GDPR applicable for the past month, some organisations are still reviewing their consent handling practices and trying to work out what a valid consent looks like under the new framework. This is not an easy task, as the GDPR lays down more prescriptive and demanding rules than the previous Data Protection Directive 95/46/EC.
The conditions for a valid consent have certainly been tightened, strengthening the position of data subjects relative to the organisations that rely on consent. The notion of a freely given, specific and informed consent already existed under the Directive, but the far more prescriptive conditions in the GDPR make it considerably more onerous for controllers to ensure that a consent is valid and can effectively serve as a legal basis for processing.
While much emphasis has been placed on obtaining a valid consent, or even revalidating existing consents under the GDPR, it should be made clear that consent is only one of the available legal bases. The other legal grounds for processing listed in Article 6 of the GDPR are equally valid. Organisations should therefore first ask themselves an important question: is consent the most suitable basis to rely on?
Depending on the nature of the envisaged processing operation, organisations should carefully consider whether consent is the most appropriate legal ground. If they are likely to fail the statutory requirements of a valid consent, including the obligation to allow its withdrawal, then consent is most probably not a suitable option and other legal grounds should be considered instead.
What constitutes a valid consent?
Consent is defined under Article 4 of the GDPR as ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
Compared to the definition in Directive 95/46/EC, the new definition adds the words ‘by a statement or by a clear affirmative action’. This is a significant insertion, since it means that tacit or implied consent is no longer acceptable. As the explanatory recitals of the GDPR further elaborate, consent should instead be given by a written statement, including by electronic means, or by an oral statement; ticking a box when visiting a website is one example. Silence, inactivity or pre-ticked boxes do not constitute a valid consent.
The GDPR does not stop at the definition. Article 7 also prescribes the conditions for a valid consent, laying down obligations on controllers to:
- Be able to demonstrate that the data subject has consented;
- Present the request for consent in a manner clearly distinguishable from other matters, where it is obtained as part of a written declaration that also concerns other matters;
- Use clear and plain language, in an intelligible and easily accessible form;
- Ensure that consent can be withdrawn at any time, as easily as it was given, and inform data subjects of this possibility before they consent.
The recitals further specify that where processing has multiple purposes, consent should be given for all of them, so the data subject should be offered a granular choice in such cases. In addition, a request for consent should be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided, and a pre-formulated declaration of consent should not contain unfair terms. For consent to be informed, the data subject should be given at least the identity of the controller and the purposes of the processing for which the personal data are intended.
The individual should be given a genuine and free choice. Consent is not considered freely given, and is therefore not valid, if the data subject has no real option to refuse or withdraw it without detriment. The same applies where there is a clear imbalance between the data subject and the controller. By way of example, consent obtained in an employment or pre-employment context, where employer and employee do not have the same bargaining power, is likely to reflect such an imbalance and, depending on the circumstances, may be challenged.
Other specific conditions
The law is more stringent when consent is relied upon for special categories of personal data, such as health data, genetic or biometric data, or data revealing racial or ethnic origin, political opinions, religious beliefs or trade union membership. In these cases Article 9 requires that consent be explicit, and it should be obtained in a clearly separate and distinguishable manner.
Additional considerations apply to minors. While the general principle is that parental consent is needed for a child, Article 8 of the GDPR lays down specific conditions for a child’s consent in relation to information society services offered directly to a child (e.g. social media accounts). The general provision requires a child to be at least 16 years of age to consent independently; below that age the consent must be given or authorised by the holder of parental responsibility, and the controller must make reasonable efforts to verify this, taking available technology into account. Member States may, by national law, provide for a lower age, provided it is not below 13 years.
Data controllers should carefully consider the processing operations involved and rely on consent only where they can ensure that it meets the criteria of a freely given, specific, informed, unambiguous and withdrawable consent. Requests for consent should be clear and fair and should offer a genuine choice.
Where current practices do not yield a valid consent, controllers should either bring their consent gathering practices into line with the criteria established in the GDPR or, where possible, consider an alternative legal basis under Article 6 of the GDPR.
If you want to know more about consent and other GDPR topics, read David Cauchi’s book A Practical Guide to GDPR.