On 10 April 2018, the Article 29 Working Party (WP29) published revised guidelines on consent under the General Data Protection Regulation (GDPR). Consent is one of the six GDPR bases for the lawful processing of personal data.
Technology Law Dispatch looked at the WP29’s draft guidelines on consent earlier this year. This article examines the differences between the draft and final guidelines.
Conditions for valid consent – freely given
Under the GDPR, consent must be freely given, specific, informed and unambiguous. Where a controller wants to process personal data for additional purposes other than the provision of a requested service, individuals should be given the option to separately consent to or reject such processing.
WP29 states that consent will not be freely given where a controller argues that a choice exists between: (1) its service that includes processing for additional purposes; and (2) an equivalent service offered by a different controller.
In the draft guidelines, WP29 had suggested that an individual’s freedom of choice depended on: (1) the practices of market competitors; and (2) whether a data subject finds other controllers’ services to be genuinely equivalent. Such an approach would imply an obligation for controllers to monitor market developments to ensure the continued validity of consent for their processing activities, since competitors could alter their services at any time. This would not be a realistic or pragmatic approach, and WP29 has now rejected it.
Unambiguous indication of wishes
This is another condition for valid consent under GDPR. WP29 specifies that controllers should avoid ambiguity and ensure that the action for which online consent is given can be distinguished from other actions: “merely continuing the ordinary use of a website is not conduct from which one can infer an indication of wishes by the data subject to signify his or her agreement to a proposed processing operation”. This addition appears to challenge the notion of continued use of a website amounting to consent.
Explicit consent is required for the processing of special categories of data, data transfers in the absence of adequate GDPR safeguards, and automated decision-making with legal or other similarly significant effects for affected individuals. Explicit consent may be given in writing, but other options and examples are also given, including uploading a scanned wet-ink signature or a telephone conversation (provided that the information given is fair, intelligible and clear, and that the controller asks the data subject for specific confirmation).
The draft guidelines stated that consent expires when a child reaches the age of digital consent (16 years under the GDPR, or younger depending on national implementing legislation). The final guidelines state that consent can be confirmed, modified and withdrawn by children once they reach the age of consent. Practically, this means that parental consent for the processing of personal data given before the age of digital consent will remain a valid ground for processing, provided that the child takes no action upon reaching the age of consent.
Interaction between consent and other lawful grounds for processing
Controllers can only rely on one lawful basis to justify processing for a particular purpose. If a data controller processes data for multiple purposes, each purpose may have a separate lawful GDPR basis. Once consent is nominated as the specific legal basis for processing, the controller cannot swap between other bases as a back-up if an individual withdraws consent. Controllers have to respect the individual’s choice and halt the relevant processing activity.
WP29 states at the end of the guidance that “if a controller finds that the consent previously obtained under the old legislation will not meet the standard of GDPR consent, then controllers must undertake action to comply with these standards, for example by refreshing consent in a GDPR-compliant way”.