On 28 November 2017, the Article 29 Working Party (“WP29”) published its guidelines on consent under the General Data Protection Regulation (“GDPR”). The guidelines are open for public consultation until 23 January 2018. They provide an analysis of the concept of consent, together with practical guidance for organisations on the requirements for obtaining and demonstrating valid consent under the GDPR.
The concept of consent
Under GDPR, a data controller can only process personal data on the basis of one of six legal grounds. An individual’s consent to processing is one of these lawful grounds. The GDPR defines consent as a “freely given, specific, informed and unambiguous” indication of an individual’s wishes to signify agreement to the processing of their personal data.
Elements of valid consent
The guidelines analyse four areas relevant to free consent under GDPR:
- Imbalance of power: an imbalance exists wherever it is unlikely that an individual will be able to deny his/her consent to data processing without fear of detriment. For example, an imbalance of power is likely to exist in an employment context between employers and employees.
- Conditionality: requests for consent to the processing of personal data should not be “bundled up” with acceptance of other terms or conditions, unless necessary for the performance of a contract.
- Granular and specific: data controllers need to obtain separate consents from individuals for each specific purpose for which they intend to process individuals’ personal data. For example, separate consents should be obtained for direct marketing activities and for sharing personal data with third parties.
- Detriment: individuals must be able to withdraw or refuse to grant consent to data processing without detriment. For example, such withdrawal or refusal should not lead to the individual incurring costs.
The guidelines reinforce the fact that consent must be informed. As a minimum, the following information must be presented to individuals to obtain valid consent: (1) the controller’s identity; (2) the purpose of each of the processing operations; (3) the type of data which will be collected; (4) the right to withdraw consent; (5) details of any proposed automated processing, including profiling; and (6) the possible risks of data transfers to non-EU countries in the absence of an adequacy decision from the European Commission and appropriate safeguards, where applicable.
Consent will always require a statement from an individual or a clear affirmative act. According to the guidelines, it must be “obvious” that individuals have consented to processing. The guidelines note that the following will not be acceptable: (1) pre-ticked tick boxes; (2) silence or inactivity of the individual; (3) including consent as part of general terms and conditions; and (4) the use of opt-out boxes.
Explicit consent is required in a number of circumstances, such as: (1) when processing special categories of data; (2) for data transfers to non-EU countries; and (3) for automated decision-making, including profiling. As a “clear affirmative act” is required for “regular” consent, a higher standard is required for obtaining explicit consent. This can include the express provision of consent in a written statement signed by the individual. It may also include filling in an electronic form, sending an email, uploading a signed scanned document or using an electronic signature.
Under the GDPR, data controllers must show that they have obtained valid consent. They must also ensure that they maintain such valid consent. The burden of proof is on the data controller. For example, where consent is given online, a company can retain information on the session in which consent was expressed. It could also retain the consent workflow at the time of the session and a copy of the information that was presented to the individual at that time. It is not sufficient to merely refer to a correct configuration of the website to show that the individual gave sufficient consent for the processing of his/her personal data. The GDPR does not set a specific time limit for how long consent will last. This depends on the context, scope of the original consent and expectations of the individual.
Withdrawal of consent
The data controller must ensure that consent can be withdrawn at any time, and as easily as it was given. However, the guidelines acknowledge that the GDPR does not state that providing and withdrawing consent must always be done through the same method. Where consent has been withdrawn, all data processing operations that were based on that consent and took place before the withdrawal remain lawful. However, if there is no other lawful GDPR basis for continued processing, the data should be deleted or anonymised.
These guidelines have been eagerly awaited by data controllers seeking clarification on the necessary requirements to rely on consent as a basis for lawful processing under the GDPR. The sections of the guidance dealing with the elements of valid consent are detailed. Additionally, the worked examples may be a useful tool for controllers. The guidelines clearly show that the WP29 has adopted a very strict approach. It will be interesting to see what changes, if any, are made to the final version of the guidelines.