Consent, in its simplest form, is a data subject’s indication of agreement to his or her personal data being processed, and when treated as a real choice, allows data subjects to be in control of their personal data. As one of the core principles found in the FTC FIPPs, OECD Guidelines, and various data protection regulations (including the EU Data Protection Directive, ePrivacy Directive and upcoming EU General Data Protection Regulation (GDPR), the concept of consent has had a long history in privacy and data protection. These days, however, the concept has been evolving, and as stated by the Article 29 Working Party (WP29) in their recent draft Guidelines on Consent under the GDPR, “[t]he GDPR provides further clarification and specification of the requirements for obtaining and demonstrating valid consent.”
In this article, we discuss the expanded requirements for consent found in the GDPR (along with a healthy mix of guidance from the WP29), and will recommend some steps that your organization can begin taking today to help prepare for the coming of the GDPR on 25 May 2018.
Consent under the GDPR
There are six legal bases for processing personal data under the GDPR.1 These legal bases include: consent, performance of a contract, compliance with a legal obligation, protection of vital interests of the data subject or another other natural person, performance of task in the public interest or exercise of official authority, or legitimate interests of the data controller or a third party.
Consent has been one of the most common legal bases relied on for the processing of personal data. However, under the upcoming GDPR, additional conditions will need to be met which could make reliance on consent more difficult. For example, under the GDPR, the “opt-out” method of obtaining consent — i.e., processing personal data unless the data subject objects — will no longer be valid as it does not require a “clear affirmative action” on the part of the data subject.2 More on that later.
Additionally, those who violate the GDPR’s consent requirements may be subject to administrative fines of up to 20 million euro or 4% of total worldwide annual turnover, whichever is higher, along with the possibility of individual member state penalties.3 For these reasons, and others (including moral, ethical and business considerations), getting consent practices right by 25 May will be critical.
Elements of valid consent
Under Article 4(11) of the GDPR, “’consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
If we unpack that definition, we are left with the following four elements of a valid consent under the GDPR: 1) freely given, 2) specific, 3) informed, and 4) unambiguous. If any of these elements are missing, then the consent would be considered invalid.
First, the data subject’s consent must be freely given. According to the WP29, this means that the data subject must be provided with “real choice and control” in a “granular” way over multiple purposes of processing, and be able to refuse or subsequently withdraw their consent in a manner that is as easy as it was to give consent.4 Additionally, consent typically will not be considered freely given where there is a “clear imbalance between the data subject and the controller” (e.g., in the employment context), or where performance of a contract is conditioned on consent to processing that is not necessary for the performance of that contract.5
Second, the consent must be specific — i.e., it must be tied to “one or more specific purposes” and the data subject must have a choice in relation to each.6 According to the WP29, to comply with this requirement, data controllers must ensure three things: 1) purpose specification as a safeguard against function creep, 2) granularity in consent requests, and 3) clear separation of information related to obtaining consent for data processing activities from information about other matters.7