The General Data Protection Regulation (Regulation n°2016/679, GDPR) will come into effect on May 25th, 2018. This leaves little time for Member States, data controllers and data processors to ensure compliance with the GDPR.
Initiatives have been taken regarding compliance. For example, the French government published a Bill modifying and adapting the current Data Protection Act in light of the GDPR. However, several notions have yet to be clearly interpreted.
A critical concern has been the notion of consent. Although the latter is present in current legislation, namely Directive 95/46/EC, it has greatly evolved. It must be underlined that this article will not consider specific areas of consent such as for children or the processing for scientific research.
In order to guide the different actors under the GDPR in understanding the notion of consent and its requirements, the Article 29 Working Party (WP29) published guidelines on Consent on November 28th, 2017.
Mathias Avocats explains certain key points of the guidelines.
What is consent?
Article 4, 11° of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. It clearly sets out the requirements for valid consent.
Nonetheless, these requirements must be explained. What is a “clear affirmative action”? How can the data controller ensure that consent is freely given? If the data is being processed for several purposes, how can the consent be specific? The WP29 answers these questions and many more.
Before examining the requirements for a valid consent, certain key points must be explained. It is important to keep in mind that consent must be given before the processing activity is undertaken and is linked to a specific purpose. If the purposes of the processing activity change after consent was obtained or if an additional purpose is envisaged, new and specific consent is required.
Furthermore, if a data processing activity has multiple purposes, not all of them must be based on consent. Some purposes may be based on consent and others on a different lawful basis. Indeed, consent is only one of the lawful bases set out in Article 6 of the GDPR.
It must also be underlined that for processing activities based on consent “pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation” (Recital 171 of the GDPR).
Finally, the data controller is under a duty to assess whether consent will meet all the requirements. The data controller has the burden of proof regarding the validity of the consent. Thus, data controllers should pay attention when the legal basis for the data processing is consent.
How to obtain a valid consent?
Consent must be freely given.
The WP29 states that “as a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent or withdraw their consent, then consent will not be valid”. Therefore, the data subject must have control over his or her personal data and must not be coerced into consenting.
If consent is bundled up as a non-negotiable part of the terms and conditions of a contract or a service, it is presumed not to have been freely given. For example, if a mobile app for photo editing requires users to have their GPS location activated in order to use its services, consent cannot be considered freely given for the processing of the GPS data. Indeed, the users cannot refuse to activate their GPS location (or they won’t be able to use the app), and GPS location is not necessary for photo editing.
The notion of imbalance between the data controller and the data subject must also be taken into account (Recital 43 and Article 7, 4° of the GDPR). In most cases, data processing should not be based on consent when the data processor is a public authority or an employer, because the data subject will most likely have no alternative but to accept the processing. The data subject must be able to exercise free will when consenting.
Consent must be specific.
As previously stated, the data subject must consent to a specific purpose. Pursuant to Article 5 of the GDPR, obtaining valid consent can only be done after the data controller has determined a specific, explicit and legitimate purpose for the intended processing activity.
Hence, if a controller seeks consent for various purposes, he or she should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes. He or she should also provide specific information for each purpose.
When the processing has multiple purposes, consent must only be given for the purposes based on consent. The other purposes having another lawful basis are not subject to the same requirements.
Consent must be informed.
The information must be accessible, clear and provided prior to obtaining the data subject’s consent. The data controller must ensure that clear and plain language is used, and the message should be easily understandable for the average person. Furthermore, the request for consent must be clear and distinguishable from other matters (it must not be hidden in general terms and conditions). The WP29 also published guidelines on Transparency on November 28th, 2017.
The WP29 has identified several pieces of information which are required for obtaining valid consent, namely the controller’s identity, the existence of a right to withdraw consent, and what data will be collected and used. It further recommends that, where consent is to be relied on by multiple (joint) controllers, they should all be named. It seems the WP29 goes a step further than the GDPR by stating that the type of data collected and used should be part of the information given to the data subject: Articles 13 and 14 of the GDPR do not require this information.
Unambiguous statement or clear affirmative action
Consent must always be given through a deliberate active motion or declaration. For example, a clear affirmative act to consent to the processing can be done by ticking an optional box stating, “I consent”. However, pre-ticked boxes or opt-out constructions that require an intervention from the data subject to prevent agreement are not valid means of consent according to the WP29.
It must be underlined that under French law, when data was collected in compliance with the French Data Protection Act while selling goods or providing services to a data subject, subsequent direct marketing for similar goods and services is allowed without the person’s consent. In this case, data controllers are only required to offer an opt-out to the data subject.
The Bill modifying and adapting the current Data Protection Act does not modify this rule. However, this rule could change with the Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications (e-Privacy Regulation).
When consent is to be given following a request by electronic means, the request for consent can take many forms (e.g. swiping on a screen, waving in front of a camera, turning a smartphone clockwise…). However, it must not be unnecessarily disruptive to the use of the service for which the consent is provided, and clear information must be given regarding the fact that the motion in question signifies consent.
Mathias Avocats hopes that this article helps you better understand the notion of consent. We can advise you on your compliance process.