On 10 April 2018, the Article 29 Working Party (WP29) published revised guidelines on consent under the General Data Protection Regulation (GDPR). Consent is one of the six GDPR bases for the lawful processing of personal data.
Technology Law Dispatch looked at the WP29’s draft guidelines on consent earlier this year. This article examines the differences between the draft and final guidelines.
Conditions for valid consent – freely given
Under the GDPR, consent must be freely given, specific, informed and unambiguous. Where a controller wants to process personal data for additional purposes other than the provision of a requested service, individuals should be given the option to separately consent to or reject such processing.
WP29 states that consent will not be freely given where a controller argues that a choice exists between: (1) its service that include processing for additional purposes; and (2) an equivalent service offered by a different controller.
WP29 states that an individual’s freedom of choice is dependent on: (1) the practices of market competitors; and (2) whether a data subject finds other controllers’ services to be genuinely equivalent. Such an approach would imply an obligation for controllers to monitor market developments to ensure continued validity of consent for their processing activities, as competitors could always alter their services. This would not be a realistic or pragmatic approach, and WP29 has now rejected it.
Continue Reading Article 29 Working Party issues final guidelines on consent