Understanding consent under the GDPR
Consent is a core tenet of data protection law. It is one of several available legal grounds for processing personal data under the current European Data Protection Directive (95/46/EC) (the DPD). At face value, obtaining an individual's consent in order to process their personal information may seem an easy way to establish a legal basis for processing. However, consent is not as straightforward a concept as it may at first appear, particularly when it is not clear what conditions must be met for that person's consent to be effective.
This lack of clarity in the current law has, over the years, given rise to a variety of different Member State approaches to interpreting consent, with some jurisdictions taking a stricter view than others of what makes a person's consent to the processing of their data valid. The working party of data protection regulators, the Article 29 Working Party, produced an opinion in 2011 on the definition of consent that ran to 38 pages, which may give readers a better sense of why consent is not the easy legal ground for personal data processing that it may first appear.
The revision of EU data protection law in the form of the General Data Protection Regulation (GDPR) presented the European legislators with an opportunity to put the meaning of consent beyond doubt and to ensure a more uniform and consistent approach across the EEA to the interpretation of this important concept. So what is the revised approach to the concept of consent? Is the definition of consent any clearer, and will it be easier to work with when the GDPR applies automatically in EU Member States from 25 May 2018?
The legal definition of consent
The definition of consent at Article 4(11) of the GDPR may not initially appear to be a wholesale departure from that found within the DPD. Consent of the data subject means:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
The words "unambiguous" and "by a statement or by a clear affirmative action" (shown in bold in the original) are our emphasis, marking where the new definition of consent in the GDPR expands on the old definition of consent under the DPD.
Looking first at the specific points of difference from the DPD, it is apparent that these changes do extend the requirements for consent.
“unambiguous” – there must be an unambiguous indication of the data subject’s wishes meaning, in practice, that the way the consent is collected should leave no room for doubt about the data subject’s intentions in providing their agreement to their personal data being processed. This may be relatively straightforward to achieve where consent is being sought for a single processing activity, such as signing up to receive a newsletter, but will potentially be harder to demonstrate where the personal data collected is to be processed for multiple purposes.
“statement or clear affirmative action” – this is the second new element of the definition and goes to what must be shown to prove consent: there needs to be a positive indication of agreement by the data subject to their personal data being processed, and that indication cannot be based, for example, on silence, pre-ticked boxes or inaction on the part of the data subject. Examples referred to at Recital 32 include ticking a box when visiting a website, choosing technical settings for online services, or another statement or action which clearly indicates, in that context, the data subject’s acceptance of the proposed processing of their data.
There is also further detail, found variously within the Articles and the Recitals of the GDPR, that gives supplementary meaning to those terms within the definition that are already familiar from the current consent definition under the DPD.
“freely given” – current guidance on interpreting freely given consent takes the approach that there should be a genuine choice on the part of the data subject when providing their data, and that they should not have been misled, intimidated or negatively impacted by withholding consent. The GDPR seeks to formalise this view at Article 7, and also by way of explanation within the separate Recitals, so that consent will not be regarded as freely given where:
- the data subject has no genuine or free choice or is unable to refuse or withdraw consent easily and without detriment, (Article 7(3) and Recital 42);
- the conditions of a contract (including the provision of a service) are conditional on consenting to the processing of personal data that is not necessary for the performance of that contract, (Article 7(4));
- there is a clear imbalance between the data subject and the controller. The example given at Recital 43 is where the controller is a public body; however, it is worth noting that another relationship in which an imbalance or element of subordination can exist is that between an employer and an employee, (Recital 43); and
- separate consent cannot be given to different data processing operations, despite it being appropriate in the individual case, (Recital 43).
“specific” – consent must be obtained in a manner that is distinguishable from other matters. It must cover all processing activities carried out for the same purpose or purposes and where processing has multiple purposes, consent must be given for all of them, (Article 7(2) and Recital 32).
“informed” – there are a number of references within the Articles of the GDPR and the Recitals that add some colour to this requirement, in particular:
- the data subject should be aware at least of the identity of the controller and the intended purposes of the processing, (Recital 42);
- data subjects must be informed of their right to withdraw consent at any time prior to giving consent, (Article 7(3)); and
- the specific information requirements found at Articles 12 to 14 of the GDPR, which set out the information that must be given to the data subject to ensure fair and transparent processing, also apply.
Both the Articles and the Recitals include further requirements and interpretation relevant to consent. In particular:
- the controller must not simply obtain consent; it must also be able to demonstrate that the data subject has consented to the processing of his or her data, meaning that records will need to be kept for consent to be verifiable, (Article 7(1));
- requests for consent in the context of a written declaration or that are pre-formulated must be presented in an intelligible and easily accessible form, using clear and plain language and (in the latter case) not including any unfair terms, (Article 7(2) and Recital 42);
- requests for consent made by a data controller using electronic means must be clear, concise and not unnecessarily disruptive to the use of the service for which it is collected, (Recital 32); and
- the data subject must be able to withdraw his or her consent at any time and the process for withdrawing consent must be as easy as that for giving consent, (Article 7(3)).
The specific requirements for consent can also vary depending on the context of the specific processing. One example in the context of the processing of data of children is where, depending on the age of the child and the nature of the processing, the consent of the holder of parental responsibility may be required.
In other cases, consent approaches may still vary across Member States where the GDPR allows for different approaches. Looking again at the example of children, this includes the option for Member States to lower the age threshold below which parental consent to processing is needed, thereby retaining some divergent approaches to consent across the EEA, depending on the circumstances.
Consent and explicit consent
One final and important point to bear in mind when considering the legal definition of consent is that there remains a distinction in the GDPR between the definition of consent and the separate references in the GDPR to explicit consent.
The need for explicit consent is referred to separately in a number of places within the GDPR. Examples include the processing of special categories of data (referred to in the DPD as sensitive categories of personal data) and the explicit consent-based derogation for transfers of personal data to third countries. Despite these specific references to the need for explicit consent, this term is not defined separately from consent in the GDPR, and the difference between the two terms is, therefore, unclear.
In conclusion – consent is not the easy option
For the reasons explained above, consent is far removed from an easy option under the GDPR. Greater specification around what is meant by consent has brought with it more detailed and onerous obligations. Data controllers may first wish to look closely at the other legal grounds available to establish whether there is an available alternative to the consent path.
In addition, given the extensive lengths that a data controller now has to go to in order to demonstrate a valid consent, it is difficult to see what further steps may be needed to distinguish such a consent from one that is explicit. For this and other reasons, the arguments around what makes consent effective are unlikely to be put to bed by the GDPR, and it remains a rough-edged concept to tackle.