The General Data Protection Regulation will come into effect on May 25th, 2018. The GDPR is the result of the EU’s reform of its privacy laws, replacing the Data Protection Directive 95/46/EC and was designed to harmonize EU member states’ data privacy laws. Whilst the GDPR impacts to a certain degree every aspect of how the right to data protection is perceived and enforced, EU member states and Article 29 Working Party have taken steps to clarify how compliance can be achieved. For example, states like Germany, Austria and Belgium have already enacted bills further implementing GDPR. However, several notions introduced by GDPR remain to be clearly interpreted. A critical concern for US companies is the notion of consent, which is addressed in more detail by Article 29 Working Party’s Guidelines on Consent (“Guidelines”), published November 28th, 2017. This article focuses on key takeaways from the Guidelines.
The Notion of “Consent”
The notion of consent as previously used in the EU’s Data Protection Directive (Directive 95/46/EC) and in the e-Privacy Directive has evolved under the GDPR. GDPR defines consent under Article 4(11) as “any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Whilst the requirements included in the concept of consent are similar to those under Directive 95/46/EC, the GDPR and Guidelines provide additional clarity as to how these requirements should be interpreted and applied, with significant impact on various marketing strategies. It is important to understand that data controllers bear the burden of proof regarding whether the consent obtained from data subjects is valid.
Consent Must be Freely Given
In order to assess whether consent is conditional on the performance of a service or contract, or whether it is bundled with non-negotiable terms, it is important to determine the scope of the contract or service. If the data controller merely seeks to process personal data that is necessary for the performance of a contract, then “consent” as a lawful basis for processing may not be necessary. Similarly, if a data processing activity has multiple purposes, not all of them must be based on consent. Some purposes may be based on consent and others on a different lawful basis.
Another significant change is the requirement that the language used for obtaining consent is granular, so that it allows data subjects to give separate consent for all processing activities relating to each purpose.
GDPR also takes into account the notion of imbalance between the data controller and the data subject, with Recital 43 clearly indicating that requests for consent by public authorities and employers are problematic, because of a presumed imbalance of power which restricts the ability of the data subject to give his or her consent freely.
Consent Must be Specific
Under the GDPR, the data subject must consent to one or more specific purposes. In accordance with Article 5(1)(b), obtaining valid consent can only be achieved after the data controller has determined a specific, explicit and legitimate purpose for a processing activity.
If a data controller relies on consent for multiple purposes, the data controller should provide a separate opt-in and specific information related to each purpose, in order to avoid the widening or blurring of purposes for which the data is processed.
If a controller wishes to process data based on consent for purposes other than the one(s) for which the data was collected, the controller will generally need to seek a new consent from the data subject. A purpose that is too vague or general, such as a request to use personal data for “marketing purposes” or to “improve user experience”, will not usually meet the criteria for being specific without additional details.
It must be underlined that under GDPR and several EU national laws, data may be processed for a purpose other than the one for which the data subject initially consented on the basis of the “legitimate interest” of the controller, if the processing for such other purpose is compatible with the purpose for which the information was collected. To determine if the processing for the new purpose is compatible, the controller must carefully assess and balance its legitimate interest against the interests of the data subject. For example, when data was collected in connection with the sale or provision of services, subsequent processing of that information for direct marketing purposes, based on the controller’s legitimate interests and without the data subject’s additional consent, may be defensible.
Consent Must be Informed
Under the GDPR, the data controller has to provide accessible and clear information to the data subjects prior to obtaining their consent. The data controller must ensure the information provided to the data subject is provided transparently and includes at least the following pieces of information, as identified by WP 29: the controller’s identity, the purpose for each processing operation, the categories/type of data to be collected and used, the existence of the right to withdraw consent, and information about use of data for automated decision-making. If the consent is also provided for data transfers, the controller should also provide information about risks of data transfers to third countries in the absence of an adequacy decision and appropriate safeguards.
A controller must also ensure that the information provided allows the data subjects to understand what they are agreeing to. WP 29 recommends the use of plain language and layered privacy notices. WP 29 issued Guidelines on Transparency on November 28, 2017, which further clarify how information must be provided to data subjects.
Consent Must be Given Through an Unambiguous Statement or Clear Affirmative Action
When consent is sought by electronic means, the statement or affirmative action of providing consent can take many forms: checking an empty box, swiping up or down on a screen, turning a smartphone, waving in front of the camera, password authentication, etc., as long as clear information is provided and it is clear that the motion or action in question signifies agreement to a specific request. However, blanket general acceptance of Terms and Conditions cannot be seen as a clear affirmative action to consent to the use of personal data. Similarly, the use of opt-out constructions, such as pre-ticked boxes, that require an intervention by the data subject to prevent consent is not acceptable under the GDPR.
Besides electronic means, consent may be provided in the form of a written statement or a recorded oral statement.
How Can an Attorney Help?
While we hope this article helps to better explain the notion of consent under the GDPR, we strongly suggest data controllers or processors consult a privacy and technology attorney on a regular basis regarding their data security program.