Article 29 Working Party publishes draft guidance on consent under the GDPR
In December 2017, the Article 29 Working Party (WP29) published detailed draft guidelines on consent under the General Data Protection Regulation (GDPR). The guidance, which is currently open for consultation until 23 January 2018, provides an analysis of the concept of consent, together with guidance for organisations on the requirements to (i) obtain; (ii) demonstrate; and (iii) maintain valid consent under the GDPR. The UK ICO issued its own draft guidance on consent earlier last year.
Consent is one of the six lawful bases for processing personal data under the GDPR. It is therefore crucial, where consent is the basis to be relied upon, that organisations ensure any consent obtained from data subjects is, in fact, valid. The guidelines expand on existing WP29 opinions on consent whilst reminding organisations to consider whether or not consent is the most appropriate lawful basis for processing.
1. Obtaining valid consent
The guidelines begin by considering the key elements of valid consent, namely, that it must be:
In order for consent to be valid, data subjects must have a real choice, should not feel compelled to consent and must not suffer negative consequences if they do not consent. A data subject will not have a real choice where there is an imbalance of power between the controller and the individual, and such an imbalance can be found between public authority and citizen and between employer and employee. The WP29 considers that consent cannot (and should not) be the chosen lawful basis for the majority of data processing at work under the employer/employee relationship.
Consent will be presumed not to have been freely given if it is “bundled up as a non-negotiable part of terms and conditions” or tied to the provision of a contract or service, unless it is necessary for the performance of that contract or service. What is considered necessary is to be interpreted strictly. Consent cannot be said to be freely given where withholding or withdrawing consent would lead to cost or disadvantage to the data subject (e.g. being denied the service because consent is refused or withdrawn).
The guidelines emphasise the importance of ensuring consent is specific and that the way in which it is sought is sufficiently granular, i.e. organisations need to obtain separate consents for each specific purpose for which they intend to process the data subject’s personal data. This element serves to safeguard against function creep. For each separate purpose for which consent is sought, controllers should provide specific information about the data that will be processed for that purpose.
Data subjects must be fully informed for their consent to be valid, and the WP29 suggests a list of minimum content requirements to meet this criterion. The guidelines also emphasise the need for the information to be clear, easily accessible and distinguishable (i.e. not hidden within standard terms and conditions).
Controllers must review the current wording and format of consent requests to ensure that the average person can easily understand the information being provided.
Consent is unambiguous when it is provided by way of a clear affirmative action or declaration, and the WP29 states that it must be obvious that the data subject has consented. The GDPR Recitals and previous ICO guidance advise that the criteria for unambiguous consent can be met by way of ticking a box. The guidelines provide in greater detail that, for example, “swiping on a screen”, “waving in front of a smart camera” or “turning a smartphone around clockwise” would all signify a clear affirmative action, provided the data subject has been clearly informed that such action constitutes consent.
The WP29 emphasises that pre-ticked boxes will be non-compliant and, in terms of tackling the issue of “click fatigue” (which could result in consent requests not being read), the obligation to mitigate this risk rests on the controller. The guidelines do, however, suggest that consent could be obtained through a data subject’s internet browser settings. In any event, the WP29 highlights its long-held view that it is “clearly implied” that consent must be given prior to the processing activity.
Given these heightened requirements for ‘regular’ consent under the GDPR, the guidelines seek to clarify the extra efforts a controller needs to undertake when required to obtain ‘explicit’ consent (e.g. for processing sensitive data or when transferring personal data to countries outside the EEA in the absence of adequate safeguards).
The guidelines provide that obtaining explicit consent requires the data subject to provide an express statement of consent, whether that be by way of a written and signed statement, the sending of an e-mail, or a two-stage verification process including a verification link or code to ensure the consent is explicit and clear. However, the WP29 emphasises that explicit consent is not the only, and may not be the most appropriate, lawful basis for the processing of such data.
2. Demonstrating valid consent
The guidelines reiterate the obligation on controllers not only to obtain valid consent, but to be able to demonstrate and prove that valid consent was obtained. Although neither the GDPR nor the WP29 prescribe how this is to be done, the WP29 notes that this duty should not in itself lead to excessive amounts of additional data processing. Organisations should have enough data to evidence obtaining consent only and should not be collecting any more information than necessary.
Underpinned by the accountability principle, the WP29 suggests this obligation could be met by keeping records of consent statements received to show (i) how and when consent was obtained; (ii) what information was provided to the data subject at the time of consent; and (iii) that the criteria for valid consent were met.
3. Maintaining valid consent
The guidance emphasises that it would be wrong of controllers to consider that, once consent has been validly obtained, it can be relied upon open-endedly until withdrawn. The WP29 advises that best practice would be to refresh consent at appropriate intervals (e.g. if the context or scope of the original consent or processing operations changes).
In terms of withdrawal of consent, the GDPR requires controllers to ensure that it is as easy for data subjects to withdraw consent as it is for them to give it. The guidelines state that requiring an individual to switch interfaces in order to withdraw consent would not meet the requirement of an easy withdrawal (e.g. where consent is given by e-mail but the data subject is required to call a customer helpline in order to withdraw consent).
Withdrawal of consent will not invalidate any processing that took place prior to the withdrawal. However, the controller must stop processing the personal data for the purpose for which the consent was obtained and (if no other lawful basis justifies the processing) delete or anonymise the data. To this end, the WP29 emphasises the need for controllers to be clear from the outset about which lawful basis is being relied upon for each specific purpose since, should the controller wish to continue to process the data on another lawful basis following withdrawal of consent, they cannot “silently migrate” or swap between bases.
Although controllers who currently process data based on consent will not automatically be required to renew all consents, current processes will need to be carefully reviewed to ensure compliance with the GDPR’s enhanced standards.
Given the importance attached to consent, the completed WP29 guidance is awaited with interest, as is the UK ICO’s finalised guidance on consent.
This article was co-written by Rhea McKenzie