The consent of the individual for use of their information has long been a cornerstone of privacy and data protection law around the world. It is widely seen as one of the simplest and most transparent ways to ensure fair and legal processing. Yet in many ways consent has come under increasing attack in terms of its suitability to achieve this in a balanced way. In a digital world, with ever more personal data being collected and analysed, on ever smaller screens, or in the case of many Internet of Things (IoT) devices no screen at all, the utility, validity and viability of consent-based data processing is regularly questioned, even if the alternatives seem paternalistic or sneaky.
With this in mind it only seems right to delve into the consent provisions laid out in the General Data Protection Regulation (GDPR) and see what we find. I’m not going to promise a complete analysis here of all the aspects of the regulation that touch on or are touched by the issue of consent, but hopefully will cover the most salient, practical points of concern.
Article 4 of the GDPR provides the core definition of consent as:
any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;
Although the final text only requires consent to be explicit for certain types of data processing, the definition here sets quite a high bar for all forms of consent.
Notably, we have this idea of “a clear affirmative action”, and Recital 25 spells this out in terms of both what is and what isn’t valid:
This could include ticking a box when visiting an Internet website, choosing technical settings for information society services or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data.
Silence, pre-ticked boxes or inactivity should therefore not constitute consent.
This last element particularly seems to destroy the notion of ‘implied consent’ where simply using a service, particularly a digital one, can be taken as an indication of agreement.
So the subject must take an action, and that action will have to be a clear indication of consent. This would appear to rule out any other actions a user might make on their device that could easily be misinterpreted, a subject I may return to at a later date.
There is a particularly high bar for determining whether or not consent is freely given and this may create the greatest difficulties for certain types of digital services.
There must be a “genuine and free choice”, which is particularly emphasised in Article 7(4):
When assessing whether consent is freely given, utmost account shall be taken of the fact whether, among others, the performance of a contract, including the provision of a service, is made conditional on the consent to the processing of data that is not necessary for the performance of this contract.
Many so-called ‘free’ web services rely on monetisation through behavioural advertising, which itself means profiling of visitors. If access to those services is made conditional on allowing profiling, then there can be no valid consent for the profiling activity.
One of the recent trends we have seen is publishers preventing visitors who use ad-blockers from viewing content. This strategy may have to be re-thought, particularly as Recital 32 makes clear: “consent should not be regarded as freely-given if the data subject… is unable to refuse or withdraw consent without detriment.”
Article 7(3) also makes the point that “It shall be as easy to withdraw consent as give it.”
When taken in conjunction with the first point about affirmative action, this suggests that if consent is provided through an action like a click on a button or link, then to be freely given it must also be withdrawn through a similarly simple and easily accessible action.
Specific and Informed
For consent to data processing to be specific, it must be separated from other types of consent and actions. This might mean, for example, that agreeing to the terms of service for delivery of an item you have bought online should be a separate action from agreeing to have your data shared with third parties for marketing purposes.
In addition, being informed means knowing about all the different purposes of processing, and knowing the identity of the data controller, as a bare minimum. It also means being informed of one’s rights, such as the ability to withdraw consent or object to some types of processing, like profiling.
Although these kinds of provisions have been around for a long time, the requirements to meet them are much more clearly defined in the GDPR. There has been a long history of smaller websites in particular cutting and pasting privacy notices from other sources without much thought. That kind of approach will carry much higher risk under the GDPR. To produce a valid notice, organisations will have to have a thorough knowledge of their uses of personal data.
One of the many significant changes introduced by the GDPR is the move towards greater organisational accountability and a shifting of the burden of proof for compliance.
So one of the conditions for valid consent, in Article 7(1), states: “the controller shall be able to demonstrate that consent was given by the data subject to the processing of their personal data.”
This means not just recording the fact that someone ticked a box in a form, but having an audit trail that links the action to any notice and the actual processing of the data concerned.
Failure to be able to verify consent records in some way will itself be a breach of the requirements for legal consent. This not only exposes the organisation to a risk of enforcement, it can also potentially render large swathes of personal data useless for any purposes that are reliant on consent.
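One way to build the kind of audit trail described above is a hash-chained consent ledger: each grant or withdrawal records the purpose, the affirmative action taken and a digest of the notice shown at that moment, so the controller can later show what was agreed, to which notice, and whether it was still in force when processing happened. This is an added example written for this post, not code from the original; the field names, the set of passive mechanisms and the sample notice text are all constructed for illustration.

```python
import hashlib
import json

# Recital 25: none of these is a clear affirmative action, so none may be recorded as consent.
PASSIVE_MECHANISMS = {"pre_ticked_box", "silence", "inactivity", "continued_use"}


def _digest(payload) -> str:
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    """Append-only, hash-chained log of consent grants and withdrawals (constructed example)."""

    def __init__(self):
        self.events = []

    def record(self, subject_id, purpose, action, mechanism, notice_text, timestamp):
        """Append one event: one purpose per event (specific), notice digest at the time (informed)."""
        if mechanism in PASSIVE_MECHANISMS:
            raise ValueError(f"{mechanism} is not a clear affirmative action")
        event = {
            "subject_id": subject_id,
            "purpose": purpose,
            "action": action,                  # "grant" or "withdraw"
            "mechanism": mechanism,            # e.g. "checkbox_ticked", "button_click"
            "notice_hash": _digest(notice_text),
            "timestamp": timestamp,            # ISO 8601 UTC, so strings compare in order
            "prev_hash": self.events[-1]["event_hash"] if self.events else "",
        }
        event["event_hash"] = _digest(event)   # covers prev_hash: this is the chain link
        self.events.append(event)
        return event

    def consent_in_force(self, subject_id, purpose, at):
        """Replay this subject's grants and withdrawals for one purpose up to time `at`."""
        in_force = False
        for ev in self.events:
            if ev["subject_id"] == subject_id and ev["purpose"] == purpose and ev["timestamp"] <= at:
                in_force = ev["action"] == "grant"
        return in_force

    def verify_chain(self):
        """Recompute every hash; an edited, removed or reordered event breaks the chain."""
        prev = ""
        for ev in self.events:
            body = {k: v for k, v in ev.items() if k != "event_hash"}
            if ev["prev_hash"] != prev or ev["event_hash"] != _digest(body):
                return False
            prev = ev["event_hash"]
        return True
```

Because withdrawals are replayed in time order, the same ledger answers both "is this processing covered today?" and "was it covered when this record was actually processed?", which is the distinction a regulator will ask about.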
It is well known that the GDPR creates the ability for regulators to impose huge fines on organisations for compliance failures. What has been less publicised is the level of detail about how these fines might be meted out.
In the UK we saw throughout 2015 how the ICO handed out its largest fines for unsolicited (read unconsented) marketing. The GDPR strengthens the hand of regulators for this type of enforcement.
So in Article 79 we see that infringements of the basic principles of processing “including conditions for consent” can be subject to the highest level of fines, which may be the higher of 20 Million Euros or 4% of “total worldwide turnover of the preceding financial year”. Ouch.
For many businesses, this area of compliance has until now been the least likely to be well managed and the most likely to involve bending or breaking the rules. Under the GDPR, legally valid, documented consent could well become one of the most important things to get right.
If you need any help preparing for the GDPR, and particularly with issues around use and proof of consent, please get in touch today.