By UpCounsel Technology and Privacy Attorney Alexander Popescu

The General Data Protection Regulation will come into effect on May 25th, 2018. The GDPR is the result of the EU’s reform of its privacy laws; it replaces the Data Protection Directive 95/46/EC and was designed to harmonize EU member states’ data privacy laws. Whilst the GDPR impacts, to a certain degree, every aspect of how the right to data protection is perceived and enforced, EU member states and the Article 29 Working Party have taken steps to clarify how compliance can be achieved. For example, states like Germany, Austria and Belgium have already enacted bills further implementing GDPR. However, several notions introduced by GDPR remain to be clearly interpreted. A critical concern for US companies is the notion of consent, which is addressed in more detail by the Article 29 Working Party’s Guidelines on Consent (“Guidelines”), published November 28th, 2017. This article focuses on key takeaways from the Guidelines.

The Notion of “Consent”

The notion of consent as previously used in the EU’s Data Protection Directive (Directive 95/46/EC) and in the e-Privacy Directive has evolved under the GDPR. GDPR defines consent under Article 4 (11) as “any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Whilst the requirements included in the concept of consent are similar to those under Directive 95/46/EC, the GDPR and Guidelines provide additional clarity as to how these requirements should be interpreted and applied, with significant impact on various marketing strategies. It is important to understand that the data controllers have the burden of proof regarding whether the consent obtained from the data subjects is valid.

Consent Must be Freely Given

According to the Guidelines, consent will only be considered “freely given” if the data subject has a genuine or real choice to give it, as well as the ability to withhold or withdraw consent at any time without any detriment. Article 7 (4) GDPR indicates that, for example, if the language requesting consent from the data subject is bundled as a non-negotiable part of a website’s Privacy Policy or Terms and Conditions, where the data subject uses such website, the data subject’s consent may be presumed not to be freely given. This is because the data subject would be unable to refuse or withdraw his or her consent without detriment. Consent is also presumed to be invalid in situations in which the performance of a contract or service is contingent on the data subject providing consent for processing personal data which is not “necessary” for the performance of the contract or service.

In order to assess whether consent is a condition of the performance of a service or contract, or if it is bundled with non-negotiable terms, it is important to determine the scope of the contract or service. If the data controller merely seeks to process personal data that is necessary for the performance of a contract, then “consent” as a lawful basis for processing may not be necessary. Similarly, if a data processing activity has multiple purposes, not all of them must be based on consent. Some purposes may be based on consent and others on a different lawful basis.

Another significant change is the requirement that the language used for obtaining consent is granular, so that it allows data subjects to give separate consent for all processing activities relating to each purpose.

GDPR also takes into account the notion of imbalance between the data controller and the data subject. Recital 43 clearly indicates that requests for consent by public authorities and employers are problematic, because of a presumed imbalance of power which restricts the ability of the data subject to give his or her consent freely.

Consent Must be Specific

Under the GDPR, the data subject must consent to one or more specific purposes. In accordance with Article 5 (1b), obtaining valid consent can only be achieved after the data controller has determined a specific, explicit and legitimate purpose for a processing activity.

If a data controller relies on consent for multiple purposes, the data controller should provide a separate opt-in and specific information related to each purpose, in order to avoid the widening or blurring of purposes for which the data is processed.

If a controller wishes to process data based on consent for other purposes than the one(s) for which the data was collected, the controller will generally need to seek a new consent from the data subject. A purpose that is too vague or general, such as a request to use personal data for “marketing purposes” or to “improve user experience” will not usually meet the criteria for being specific, without additional details.

It must be underlined that under GDPR and several EU national laws, data may be processed for a purpose other than the one to which the data subject initially consented, on the basis of the “legitimate interest” of the controller, if the processing for such other purpose is compatible with the purpose for which the information was collected. To determine if the processing for the new purpose is compatible, the controller must carefully assess and balance its legitimate interest. For example, when data was collected in connection with the selling or provision of services, subsequent processing of information based on the controller’s legitimate interests for direct marketing purposes without the data subject’s additional consent may be defensible.

Consent Must be Informed

Under the GDPR, the data controller has to provide accessible and clear information to the data subjects prior to obtaining their consent. The data controller must ensure the information provided to the data subject is provided transparently and includes at least the following pieces of information, as identified by WP 29: the controller’s identity, the purpose for each processing operation, the categories/type of data to be collected and used, the existence of the right to withdraw consent, and information about use of data for automated decision-making. If the consent is also provided for data transfers, the controller should also provide information about risks of data transfers to third countries in the absence of an adequacy decision and appropriate safeguards.

A controller must also ensure that the information provided allows the data subjects to understand what they are agreeing to. WP 29 recommends the use of plain language and layered privacy notices. WP 29 issued Guidelines on Transparency on November 28, 2017, which further clarify how information must be provided to data subjects.

Consent Must be Given Through an Unambiguous Statement or Clear Affirmative Action

When consent is sought by electronic means, the statement or affirmative action of providing consent can take many forms: checking an empty box, swiping up or down on a screen, turning a smartphone’s position, waving in front of the camera, password authentication, etc., as long as clear information is provided and it is clear that the motion or action in question signifies agreement to a specific request. However, blanket general acceptance of Terms and Conditions cannot be seen as a clear affirmative action to consent to the use of personal data. Similarly, the use of opt-out constructions that require an intervention to prevent consent is not acceptable under the GDPR.

Besides electronic means, consent may be provided in the form of a written statement or a recorded oral statement.

How Can an Attorney Help?

While we hope this article helps to better explain the notion of consent under the GDPR, we strongly suggest data controllers or processors consult a privacy and technology attorney on a regular basis regarding their data security program.

About the author

Alexander Popescu

Alexander Popescu has over 10 years of experience advising technology companies of all sizes. He focuses on the intersection between e-commerce, advertising and technology, as well as complex transactions, business disputes, outsourcing, intellectual property, international privacy and data transfer issues.

His background in IT coupled with his desire to cultivate growth and innovation makes Alex the ideal legal partner for any business involving e-commerce, digital marketing, product development and/or technology.
