logo text

Wednesday, 25 May 2016

GDPR Readiness – Where to start?



The clock is now ticking before the General Data Protection Regulation (GDPR) comes into force across Europe.  Organisations have 2 years from today to assess how the new regulation affects them, and implement any necessary measures to ensure compliance by 25 May 2018. 

Don’t forget, the Data Protection Act 1998 (DPA) isn’t going anywhere for the time being – if you are complying with best practice under the DPA, then you on the right path, but depending on the nature of your business, you may have a way to go.

The implications for any company’s reputation for non-compliance with data protection law have always been significant, but with relatively weak punitive measures.  Under the GDPR the potential punitive measures are huge, with possible fines of up to 4% of annual worldwide turnover or €20 million.

So, what steps do you need to take? 

The ICO was quick to produce a guide on 12 important steps to take in the short term. It’s time now for organisations to start delving into the detail.  The important thing is not to get fazed - your approach should be based on a set of fairly simple principles.  In a throwback to ‘back to basics’ Pritchetts have distilled these principals down to the 4 R’s:

1)      Review


Or rather, what’s the state of the nation?  It’s vital to understand how your organisation works now, mapping out how (and what) information flows around it, how and where it is stored, and who has access to it. 


Next you should review the new regulations and highlight what elements of the new regulation framework are most relevant to your organisation.


Finally, undertake a gap analysis to identify how your current processes and systems measure up against the current law under the Data Protection Act 1998, and GDPR – what are the gaps that need to be filled now, and in readiness for the GDPR?


2)      Risk Analysis

Once you’ve understood the ‘to do’ list, the chances are you won’t have sufficient resources or management capability to oversee all necessary changes at once.  Defining your priorities, based on the risk to your organisation of not acting is vital.  Consider both the likelihood of something going wrong, and the magnitude of the impact.

3)      React

You’ve got your priority list, now it’s time to make the necessary changes.  You will likely need additional resource. This could be additional people, new skills, technological solutions or physical infrastructure (eg new data centres). 

It’s also probable that compliance with the GDPR will at best alter the budget but most likely increase the operational cost of most organisations.

Consider the value of creating a compliant solution. Your clients and competitors should be going through the same compliance exercise. If they are not doing so or they are saving this up as homework to do on the last possible day, you may be able to gain a real competitive advantage by offering a compliant solution straight away.

4)      Review again

Someone once said “nothing stands still, except in our memory”.  Based on your risk assessment, your organisation will need to determine how often all of the measures you have put in place, need to be reviewed and/or updated.

If you require any expert advice on how to assess your GDPR readiness, to develop your project plan, and to help you create a compliant solution, please don’t hesitate to get in touch with us.

Thursday, 5 May 2016

Obtaining Valid Consent Under the GDPR
 
This article was published on Lexis®PSL IT&IP in May 2016. Click for a free trial of Lexis®PSL.



Consent under the Data Protection Act 1998 and Data Protection Directive 95/46/EC



For discussion of the meaning of ‘consent’ under the existing Data Protection Act 1998 and Data Protection Directive 95/46/EC, see our previous blog article Obtaining Valid Consent Under the Data Protection Act1998. 



It is worth noting that consents obtained under the existing legislation should still continue to be effective under the EU General Data Protection Regulation (“GDPR”) when it comes into force on 25 May 2018, provided that they meet the new GDPR conditions.  These are set out in Recital 134 of the GDPR, where it is stated that:

  • Data Protection Directive 95/46/EC will be repealed by the GDPR. 
  • Processing already under way on the date of application of the GDPR should be brought into conformity with the GDPR within 2 years after the GDPR comes into force. 
  • Where processing is based on consent under Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the way the consent has been given is in line with the conditions of the GDPR, so as to allow the data controller to continue processing after the date of application of the GDPR.

 What does ‘consent’ mean under the GDPR? 


Article 4(8) of the GDPR defines the ‘data subject's consent’ as meaning:


“any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”. 


Recital 25 of the GDPR adds further clarification to this definition by adding that:

  • The action taken may be by written, electronic, or oral statement; 
  • This could include ticking a box when visiting an Internet website, choosing technical settings for information society services or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. 
  • Silence, pre-ticked boxes or inactivity should not constitute consent. 
  • Consent should cover all processing activities carried out for the same purpose or purposes. 
  • When the processing has multiple purposes, consent should be granted for all of the processing purposes. 
  • If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Is consent required under the GDPR and what happens if one cannot obtain consent?



Article 6(1) (Lawfulness of processing) of the GDPR sets out one of the legitimising fair processing conditions for personal data as follows: 



“6(1) Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:…(a) the data subject has given consent to the processing of their personal data for one or more specific purposes”.



Article 9(2) (Processing of special categories of personal data) of the GDPR then sets out one of the legitimising fair processing conditions for special categories of personal data as follows: 



“…the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject”.



Consent is, however, just one of the: 


  • Fair processing conditions that may be relied on to enable fair and lawful processing of: 
    • Any personal data under Article 6(1) of the GDPR; and of 
    • Sensitive personal data under Article 9(2) of the GDPR; 
  • Conditions that may be relied on to enable fair and lawful processing of Automated individual decision making (including profiling) under Article 20 of the GDPR; 
  • Grounds to enable fair and lawful transfer of personal data outside the EEA under Article 44(1)(a) of the GDPR.  It is worth noting that where consent is relied on in this situation, ‘explicit consent’ is required for the proposed transfer and the data subject has to have been informed of the possible risks of such transfers etc.

It is, therefore, not mandatory to obtain consent if:

  • One of the other fair processing conditions under Article 6(1) or Article 9(2) of the GDPR can be relied on; 
  • One of the other grounds for fair and lawful processing of automated individual decision making (including profiling) can be relied on under Article 20 of the GDPR; 
  • One of the other grounds for legitimate international data transfer under Article 44(1)(a) of the GDPR can be relied on; or 
  • One of the exceptions under the GDPR exists in relation to the intended processing.  



As discussed in our previous blog article Obtaining ValidConsent Under the Data Protection Act 1998. 



  • Consent is often used by UK data controllers in practice as either the sole legitimising fair processing condition or sometimes as a back-up to another fair processing condition or grounds for processing, where it is the easiest condition or mechanism for the data controller to show  they have complied with the DPA 1998.  That is not to say that this is always the best condition or ground for data controllers to rely on.  In actual fact, it can often be a poor way to secure compliance. This is because individuals may withhold their consent, their consent may be withdrawn (see below), or indeed the reasons for which consent was originally sought and granted may have changed. In the latter case, this would mean that the data controller could no longer rely on the consent originally given. 

  •  This is likely to continue to be the case under the GDPR. It will therefore continue to be prudent for data controllers to consider if another fair processing condition or ground for processing would be better to rely on in any particular case. 



In general terms, given the increased sanctions for  non-compliance under the GDPR, organisations should carry out a data mapping exercise and an audit to consider what fair processing conditions they currently rely on to justify their various data processing operations.  Where consent is currently relied on to justify processing under the DPA 1998, the existing mechanisms used for consent should be reviewed and the organisation should consider whether consent is still a practical and workable solution to justify their data processing activities. Under the new burdensome consent requirements of the GDPR, this may no longer be the case.



Administrative fines of up to EUR 20 Million, or in case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher) may be levied under the GDPR for failure to comply with the basic principles for processing, including conditions for consent.



Obtaining consent for the processing of sensitive personal data under the GDPR



As discussed above, Article 9 (Processing of special categories of personal data) of the GDPR sets out lawful conditions for processing sensitive personal data categories (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric data in order to uniquely identify a person or data concerning health or sex life and sexual orientation).



Consent to process sensitive personal data must be ‘explicit’ (Article 9(2)(a) of the GDPR), as is currently the case under the existing Data Protection Directive 95/46/EC. It has, however, been clarified in the GDPR that: 



  • Consent will be provided for specific pre-defined purposes and may not be used to justify data processing for any other purpose; 
  • Where disclosure of sensitive personal data is contrary to the national laws of an EU member state or otherwise contrary to EU law, consent from a data subject will not override the absolute prohibition of processing of any such information.

 How to obtain and withdraw consent under the GDPR



In addition to the definition of consent under Article 4(8) GDPR and the fair processing conditions set out under Articles 6(1) and 9(2) GDPR, Article 7 GDPR sets out specific conditions which must be met in relation to consent.



Many of these Article 7 conditions and the corresponding GDPR Recitals reflect current established guidance from the European Union Article 29 Working Party (the “Art 29 Working Party”) in the form of Opinion 15/2011 (“the 2011 Opinion”) which set out their view of what is meant by ‘consent’ for the purposes of the existing Data Protection Directive 95/46/EC. 

It is likely that the new European Data Protection Board (who will take over from the Art 29 Working Party under the GDPR) will establish a new and updated Opinion on consent in due course that will perhaps add some of the detail from the existing Opinion 15/2011 that has not made it in to the text of the GDPR.  For further discussion of Opinion 15/2011, our previous blog article Obtaining Valid Consent Under the DataProtection Act 1998. 



The Article 7 GDPR conditions are as follows: 

GDPR Article
Additional Information provided in GDPR Recitals and Author Commentary

Article 7(1) states: “Where processing is based on consent, the controller shall be able to demonstrate that consent was given by the data subject to the processing of their personal data
Under Article 7(1) and in accordance with Recital 32 GDPR, data controllers have the burden of proving that consent was obtained.

This will require a significant tightening up of the requirements for establishing and proving consent in the UK. Under the current legal regime, a rather more relaxed approach has been taken to this. 

Organisations that rely on consent to enable some or all of their data processing under the current legal regime will need to review the circumstances in which they will collect consent under the GDPR, the fair processing information given to data subjects in order to obtain consent and the technical methods used to collect consent. Organisations will also need to consider how they will demonstrate or show evidence of consent going forwards.

It is likely to be expensive to implement and maintain consent systems in relation to ongoing and future processing.

Article 7(2) states: “If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of the declaration which constitutes an infringement of this Regulation that the data subject has given consent to shall not be binding
Consents must be specific to the purposes for which they are needed. 
Request for consent to a data subject will have to be clearly distinguishable from any other matters the individuals are notified about. 
Recital 32 GDPR goes on to clarify that:
·       In line with Council Directive 93/13/EEC a declaration of consent pre-formulated by the data controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms.
·       For consent to be ‘informed’ the data subject should be aware at least of the identity of the data controller and the purposes of the processing for which the personal data are intended.
·       Consent should not be regarded as freely-given if the data subject has no genuine and free choice and is unable to refuse or withdraw consent without detriment.
Generic consents often collected under the current legal regime (e.g. via standard contractual terms with vaguely drafted sections on consent) will need to be re-drafted so that they are more specific and tailored to collection of specific data sets used for specific purposes.

Article 7(3) states “The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw consent as to give it.

Under this Article 7(3) GDPR, it is made clear that data subjects have the right to withdraw their consent at any time and it should be as easy for an individual to withdraw consent as to give it.

Article 17 of the GDPR further sets out detailed rights that data subjects have to request erasure of their information (the “right to be forgotten") including under Article 17(1)(b) where consent has been withdrawn by the data subject.

Article 14(1a)(ea) of the GDPR also makes it clear that where consent is relied on, as part of the fair processing information provided to individuals, they must be clearly told about their right to withdraw consent. 

The strengthened rights under the GDPR for data subjects to withdraw consent and their right to be forgotten means that organisations that currently rely on consent to enable some or all of their data processing under the current legal regime will need to carefully consider: 
·      What mechanisms they will implement to enable data subjects to withdraw their consent easily;
·      How readily consent is likely to be withdrawn and what the impact would be of that happening?
·      Whether they would have to stop processing the relevant data when consent was withdrawn? Could they do that? How would they do that?
If they ‘need’ to continue processing the data, on what other grounds could they justify doing so? If this necessitates a change of legal fair processing grounds, is this acceptable or does it call into question whether the information was being fairly processed in the first place? See further discussion of this in our previous blog article Obtaining Valid Consent Under the Data Protection Act 1998. 

Where personal data is processed for direct marketing the data subject will have a right to object. This right will have to be explicitly brought to their attention. See Recital 57 and Article 19 of the GDPR.

Article 7(4) states “When assessing whether consent is freely given, utmost account shall be taken of the fact whether, among others, the performance of a contract, including the provision of a service, is made conditional on the consent to the processing of data that is not necessary for the performance of this contract.

During negotiations over the final GDPR text there was a lot of debate around whether consent should provide a valid ground for data processing where there is a significant imbalance between the data subject and data controller.

The final text in Article 7(4) GDPR was intended in part to address this concern.

The GDPR Recitals also make it clear that:

·      Consent is not freely given if the data subject had no genuine and free choice and is unable to withdraw or refuse consent without detriment (Recital 32).
·      In order to safeguard that consent has been freely-given, consent should not provide a valid legal ground for the processing of personal data in a specific case, where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and this makes it unlikely that consent was given freely in all the circumstances of that specific situation.
·       Consent is presumed not to be freely given if it does not allow separate consent to be given to different data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service is made dependent on the consent despite this not being necessary for such performance.

In practice this means that attempts to bundle wide-ranging or generic consents into contractual language will no longer be allowed.

This Article 7(4) may have a huge impact on compliance requirements for e-commerce services, among others.

In addition, it is likely (and encouraged by GDPR Recital 124) that some EU Member States may provide more specific rules in due course surrounding the use of consent in the employment context. It is worth noting that the current ICO Employment Practices Code discourages reliance on consent when processing employee data, as employees will feel under duress to give the consent.  That said, in practice and in our experience most UK employers do tend to ask for consent from employees to, for example:

- help to demonstrate that fair processing information was provided; and also to
- cover certain types of data processing where neither the employment law compliance nor the legitimate interests fair processing conditions apply. 

May the fourth be with you GDPR - finally approved and in force from 25 May 2016!

The European Parliament formally adopted the General Data Protection Regulation ("GDPR") and it was then published in the EU Official Journal on 4th May 2016. Star Wars fans and data protection geeks alike were no doubt cheering 'May the fourth be with you' all day yesterday.  From today, 5th May 2016, the 20 day countdown period commenced and the GDPR will come into force on 25 May 2016. After the 2 year implementation period, it will become directly applicable and enforceable in all Member States from 25 May 2018.

Organisations must therefore now begin ensuring that new policies, procedures and systems are in place to ensure compliance.

The ICO has created a micro-site dedicated to updates on the GDPR and aims to ensure that all relevant GDPR guidance and any guidance updated in light of the GDPR will be added to that site. The ICO's initial posting on the site sets out a useful guide on 12 suggested steps to take now in order to prepare for the GDPR.

The EU Article 29 Working Party ("Art29 WP") has also published its action plan outlining how the GDPR should be implemented. The Art29 WP highlights 4 priority areas:
  1. Setting up the European Data Protection Board ("EDPB") structure and its administration;
  2. Preparing the One-Stop-Shop and the consistency mechanism;
  3. Issuing guidance for data controllers and processors; and
  4. Communication around the EDPB and the GDPR.

Many of our clients have begun asking us for bespoke advice on how the GDPR will affect them and have asked us to carry out data protection compliance and gap analysis audits, highlighting increased compliance risks under the proposed GDPR changes.  If we can assist you with this also, please do contact us.

Obtaining Valid Consent under the Data Protection Act 1998




This article was published on Lexis®PSL IT&IP in May 2016. Click for a free trial of Lexis®PSL.



Background to Consent


To satisfy the first data protection principle in the Data Protection Act 1998 (“DPA 1998”) as derived from the European Data Protection Directive 95/46/EC, data controllers must be able to demonstrate, amongst other matters, that they have met:

  • one of the grounds for processing personal data under Schedule 2 of the DPA 1998; and
  • if the data constitutes sensitive personal data, then in addition to this, one of the grounds for processing sensitive personal data under:
    • Schedule 3 of the DPA 1998; or under
    • The Data Protection (Processing of Sensitive Personal Data) Order 2000 (SI 2000/417), which sets out additional conditions which allow the processing of sensitive personal data in limited circumstances.

One of the numerous legitimising fair processing conditions that can be complied with to enable fair and legal processing of personal data governs a situation where the data controller obtains ‘consent’ from the data subject before processing the personal data or sensitive personal data.


Under the eighth data protection principle of the DPA 1998, data controllers must also show how they can legally justify transferring a data subject’s personal data outside of the European Economic Area (the “EEA”). One of the grounds that might be used to justify such a transfer is also consent (following Article 26(1)(a) of the Data Protection Directive).


The requirements to comply with the fair processing conditions under the first data protection principle and to comply with the eighth data protection principle surrounding transfer of personal data outside the EEA apply unless a relevant exemption under the DPA 1998 exists.

What does ‘consent’ mean?


Although ‘consent’ was not defined within the text of the DPA 1998, UK courts and tribunals are required to interpret the terminology used in the DPA 1998 in accordance with the wording and purpose of the Data Protection Directive 95/46/EC.


Article 2(h) of the Data Protection Directive defines consent as:

‘any freely-given specific and informed indication of [the data subject’s] wishes by which the data subject signifies his agreement to personal data relating to him being processed’.


Article 7(a) of the Data Protection Directive goes on to set out that the data subject should have unambiguously given his or her consent.


The European Union Article 29 Working Party (the “Art 29 Working Party”) has also produced Opinion 15/2011 (“the 2011 Opinion”) on their view of what is meant by ‘consent’ for the purposes of:
  • Directive 95/46/EC; and
  • Directive 2002/58/EC which was implemented in the UK through the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) (as revised by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208)) (“E-Privacy Regulations”).

Although Art 29 Working Party opinions are not directly binding on data controllers, they will be considered by the UK Information Commissioner’s Office (the “ICO”) when it is interpreting the DPA 1998. We have therefore taken account of the 2011 Opinion in drafting this Practice Note.


Is consent required and what happens if one cannot obtain consent?


As mentioned above, consent is one of a number of:
  • Fair processing conditions that may be relied on to enable fair and lawful processing of personal data under the first data protection principle;
  • Grounds to enable fair and lawful transfer of personal data outside the EEA under the eighth data protection principle.

It is not, therefore, mandatory to obtain consent if one of the other fair processing conditions under the first principle or one of the other international transfer grounds can be relied on.


Consent is, however, often used by UK data controllers in practice as either the sole legitimising fair processing condition (or sometimes as a back-up to another fair processing condition or grounds for processing), where it is the easiest condition or mechanism by which the data controller can show that they have complied with the DPA 1998.


That is not to say that this is always the best condition or ground for data controllers to rely on. In actual fact, it can often be a poor way to secure compliance. This is because individuals may withhold their consent, their consent may be withdrawn (see below), or indeed the reasons for which consent was originally sought and granted may have changed. In the latter case, this would mean that the data controller could no longer rely on the consent originally given.

For these reasons, it is always prudent for data controllers to consider if another fair processing condition or international data transfer ground would be better to rely on in any particular case.


Obtaining consent for the processing of sensitive personal data


Where consent is used as a legitimising ground for processing:

  • Personal data under Schedule 2 of the DPA 1998, it is stated that this should be where: ‘the data subject has given his consent to the processing’;

  • Sensitive personal data under Schedule 3 of the DPA 1998, it is stated that this should be where: ‘the data subject has given his explicit consent to the processing of the personal data’.

The key distinction therefore when looking at legitimate processing of sensitive personal data is that a data subject’s consent should be ‘explicit’.


The Art 29 Working Party Opinion 15/2011 sets out that ‘explicit consent’:
  • Means the same as express consent;
  • Encompasses all situations where individuals are presented with a proposal to agree or disagree to a particular use or disclosure of their personal information and they respond actively to the question, orally or in writing;
  • Is usually given in writing with a hand-written signature or in equivalent electronic form (for example, signified online through the use of clickable icons, by sending confirmation e-mails or by using electronic or digital signatures). For example, explicit consent will be given when data subjects sign a consent form that clearly outlines why a data controller wishes to collect and further process personal data;
  • While traditionally given in writing, it can also be given orally, although the Art 29 Working Party highlight that oral consent may be difficult to prove and, therefore, in practice, data controllers are advised to resort to written consent for evidentiary reasons;
  • Means that consent that is inferred, implied or an ‘opt-out’ will not normally meet the requirement of explicit consent

The ICO have also set out in their guidance that ‘explicit consent’:

  • Means that the data subject’s consent should be ‘absolutely clear’;
  • Should only be given where the data subject has been given a clear outline of the type of information (or the specific information) being processed, the purpose of the processing and ‘any special aspects that may affect the individual, such as disclosures that will be made’.

How to obtain consent generally


The Art 29 Working Party Opinion 15/2011 sets out that when obtaining consent generally, be that explicit consent or regular consent, the following requirements should be met:

  • It should be obtained before processing starts;
  • It should ‘include any indication of a wish, by which the data subject signifies his agreement’;
  • It should not be inferred from silence or inaction of the data subject;
  • It should be freely given;
  • It should be specific;
  • It should be informed;
  • It should be unambiguous.
We have explained each of these requirements in more detail below:

1. Consent should be obtained before processing starts
Neither the DPA 1998 nor Directive 95/46/EC specify exactly when consent should be obtained but the Art 29 Working Party Opinion 15/2011 suggests that, as a general rule, it should be obtained before the data controller starts processing personal data. The Art 29 Working Party does, however, explain that there is a difference between:
  • Stuations where obtaining consent is a legal requirement (for example, in some cases when sending out direct marketing electronically or where consent is the only available ground for processing personal data under the DPA 1998 because none of the other fair processing conditions can be used to justify the processing in question. In this situation, the data controller must obtain consent before the processing starts to avoid prior processing being unlawful if the data subject does not ultimately provide consent; and
  • Situations where the data subject exercises their right to object to processing. For example, the data controller may be relying on a different fair processing condition under Schedules 2 and 3 of the DPA 1998 to justify their processing (i.e. a condition other than consent). The data subject may decide to exercise their right to object to the processing being carried out or they may withdraw their consent at any time (see below), but until such times as they do so, the data controller can continue processing the personal data. Data controllers should consider any objections or withdrawal of consent promptly so that the processing continues to be fair and lawful (see below).

2. The consent should ‘include any indication of a wish, by which the data subject signifies his agreement’
The data subject should indicate his/her wishes and signify their agreement in some way that enables the data controller to understand their wishes. The method the data controller uses to obtain and record consents should be proportionate to the circumstances.
Consent does not therefore need to be in writing. It is, however, usually best practice to obtain written consent for evidentiary purposes, particularly when dealing with sensitive personal data, as the Art 29 Working Party recommends. (see above).

Obtaining consent orally or from ‘behaviour from which consent could be reasonably concluded’ may be perfectly acceptable in some circumstances, though. The Art 29 Working Party gives the example of dropping a business card in a glass bowl or an individual sending his name and address to an organisation in order to obtain information from it. “In this case his action should be understood to constitute to the processing of such data insofar as it is necessary to process and respond to the request.”


The ‘indication of wishes’ from the data subject must be clear to enable valid consent for the processing for data. To extend the example given by the Art 29 Working Party, let us assume that the data subject may have dropped their business card in a bowl in response to a sign advertising that a competition winner would be drawn from the business cards in the bowl but stating nothing else. If the sign does not make it clear that the business also intends to use the information from the business card for on-going marketing use, is it fair to assume the person consented to that, or that they merely consented to participating in the competition and being contacted for those purposes only? It seems likely that the latter would be considered the case.

3. Consent should not be inferred from silence or inaction of the data subject

The ICO’s guidance and the Art 29 Working Party Opinion 15/2011 set out that:
  • For an individual to signify their agreement, there must usually be some type of active communication between the parties;
  • Data controllers should not infer consent from non-response to a general communication (for example, from passive behaviour like failure to respond to a communication, return a form, tick a box or respond to a leaflet).

The Art 29 Working Party suggests that without active communication data controllers will often be unable to prove whether the data subject intended to consent.

4. Consent should be freely given

Consent has to be freely given. The Art 29 Working Party Opinion 15/2011 states that:
  • Consent “can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent”.
  • It has explored the limits of consent in several opinions in relation to situations where consent cannot be freely given (e.g.in its opinions on electronic health records (WP131), on the processing of data in the employment context (WP48) and on processing of data by the World Anti-Doping Agency (WP162)).
  • If, once consent is withdrawn, the data processing continues based on another legal ground, doubts could be raised as to the original use of consent as the initial legal ground: if the processing could have taken place from the beginning using this other ground, presenting the individual with a situation where he is asked to consent to the processing could be considered as misleading or inherently unfair.
  • In practice the data subject must have a genuine ability to refuse to give their consent or to withdraw their consent in order for consent to be ‘freely given’. In the employment context, for example, consent may be freely given provided there are appropriate safeguards in place to ensure that the employee has a genuine option to decline (see Opinion 15/2011 for more discussion about the use of consent in an employment relationship.
5. Consent should be specific

The ICO’s guidance and the Art 29 Working Party Opinion 15/2011 set out that:
  • The wording used to obtain any consent should:
    • Be clear and understandable;
    • Relate to the actual type of data and the actual purposes of the data processing to be carried out, not to ‘an open-ended set of processing activities’ (i.e. blanket generic processing consents should not be sought for all processing, but instead the different purposes must be identified individually (e.g. international data transfer, data sharing, direct marketing etc.));
    • Reflect the reasonable expectation of the parties;Give the data subject the choice to consent in respect of specific processing activities. As the ICO has described: “If you process information for a range of purposes, you should explain this to people. When doing so, you should provide a clear and simple way for them to indicate that they agree to each type of processing. In other words, people should not be forced to agree to several types of processing simply because your privacy notice only includes an option to agree or disagree to all. People may wish to consent to their information being used for one purpose but not another”.
    • The ICO recommends that you should list the different purposes where you are relying on consent with individual unticked opt-in boxes for each or Yes/No buttons of equal size and prominence. Opt-in boxes can be prominently placed in your privacy notice or, with online products and services you may wish to use ‘just-in-time’ notices so that relevant information appears at an appropriate time.
  • Consent will be valid ‘as long as the processing to which it relates continues'.
  • If new kinds of data processing are required, new consents will need to be obtained. Consents linking back to the original notified purposes will not be valid to cover new data processing activities. Note that other fair processing conditions under Schedules 2 and 3 of the DPA 1998 might apply (as discussed above) but in any event it is likely that new fair processing information will need to be provided to the data subject in relation to the new processing that the controller intends to be carried out.
  • It is acceptable for data controllers to obtain consent only once for related but different operations that take place at different times if each of those operations falls within the reasonable expectation of the data subject at the time the individual consented.
6. Consent should be informed

The ICO’s guidance and the Art 29 Working Party Opinion 15/2011 set out that:
  • Adequate fair processing information should be provided to enable compliance with the first data protection principle;
  • Consent should be ‘based [on] appreciation and understanding of the facts and implications’;
  • Any information given in order to obtain consent should:
    • Be in a language that is clear, legible and intelligible to an average user;
    • Be set out in a clear, understandable, transparent, clearly visible and prominent manner. As the ICO have stated “good practice is to use an unticked opt-in box. If your consent mechanism consists solely of an “I agree” box with no supporting information then users are unlikely to be fully informed and the consent cannot be considered valid”;
    • Be easy to understand, perhaps using a multi-layered approach to privacy notices to aid understanding but ensuring that these are all clearly signposted and easy to access. See the ICO’s Privacy Notices Code of Practice for more information;
    • Make clear any adverse consequences associated with the data processing; and
    • Provide more detailed and appropriate information where there are complex data processing operations involved.
  • Consent should be based on honest information. You should not lead people to believe that they can exercise choice over the collection and use of their personal data if in reality they have not got that choice. As the ICO have stated, “there is a fundamental difference between telling a person how you’re going to use their personal information and getting their consent”.
  • To gain consent to using personal data for direct marketing purposes, you should have a separate, unticked, opt-in box prominently displayed. See the ICO’s Guidance on Direct Marketing and the ICO’s Personal Information Online Code of Practice for more detailed information on how to gain valid consent in the marketing context.
7. Consent should be Unambiguous

The ICO’s guidance and the Art 29 Working Party Opinion 15/2011 set out that for consent to be unambiguous:
  • It should not usually be based on inaction or silence from data subjects as this always carries inherent ambiguity;
  • There should be ‘no doubt as to the data subject's intention to deliver consent’ i.e. as per the Opinion, “the indication by which the data subject signifies his agreement must leave no room for ambiguity regarding his/her intent. If there is a reasonable doubt about the individual's intention, there is ambiguity”;
  • Data controllers should have implemented robust procedures to capture consents appropriately (whether that is clear express consent or clear inferred consent) and to ensure that the person giving consent is actually the data subject (especially where consent is obtained over the telephone or online)
  • Data controllers should keep evidence of the consents obtained and how they were obtained.
Unambiguous consent may be obtained using different methods of collection (such as signed or written statements, online forms which are ticked or express oral recorded consent), as discussed elsewhere in this practice note.

We have set out below some examples below of how one might gain valid consent in different scenarios (e.g. in relation to children, where there are incapacity issues etc.).


Consent from Children and Others with Incapacity


Neither the DPA 1998 nor Directive 95/46/EC specify how consent should be obtained from individuals who lack full legal capacity, including children.

The Art 29 Working Party Opinion 15/2011 sets out that:
  • The conditions for obtaining valid consent from children vary across the EEA.
  • When children's consent is sought, legal requirements may require obtaining the consent of the child and the representative, or the sole consent of the child if he or she is already mature. The ages when one or the other rule applies vary. There are no harmonized procedures for verifying a child’s age.

The ICO's ‘Personal Information Online Code of Practice’ sets out how to obtain consents from vulnerable individuals and children in the context of the online environment. This guidance may perhaps be extended to offline processing of information relating to children and vulnerable people as well, but the ICO has not made this clear. Some of the key points coming out of that ICO guidance are as follows:

  • The ICO refers to ‘vulnerable people’ as, “anyone who, for whatever reason, may find it difficult to understand how their information is used. This could be because they are children, have a learning disability or lack technological understanding”.
  • The DPA 1998 requires fair processing of personal data – this applies regardless of the level of understanding of the people you collect information from. Data Controllers should therefore assess the level of understanding of the people their service is aimed at and must not exploit any lack of understanding from those people. This can be particularly challenging when engaging with people online.
  • In the UK there is no simple legal definition of a ‘child’ based on age alone. Children of a similar age can have different levels of maturity and understanding. Data Controllers should consider the particular circumstances of the processing as well as the individuals’ ability to understand these to ensure that children’s data is processed fairly.
  • Assessing understanding, rather than merely determining age, is the key to ensuring that personal data about children is collected and used fairly. Having said that, a practical view would be that some form of parental consent would normally be required before collecting personal data from children under 12. You will need to look at the appropriate form for obtaining consent based on any risk posed to the child. You may even decide to obtain parental consent for children aged over 12 where there is greater risk. This has to be determined on a case by case basis.
  • The ICO recommends consideration of other laws, industry rules and codes of practice to consider if any restrictions on apply to children under a certain age.
  • The ICO also highlights various instances in which it is good practice to seek parental consent relating to the collection or use of information about a child.

Withdrawing consent

Data subjects may withdraw their consent to data processing at any time but it will not have retroactive effect.

The Art 29 Working Party refer in Opinion 15/2011 to its previous Opinion 5/2005 on Article 9 of Directive 2002/58/EC in which it formulated the view that:
  • Withdrawal of consent relates to withdrawal in relation to future processing, not for the data processing that took place in the past, in the period during which the data was collected legitimately;
  • Decisions or processes previously taken on the basis of this information can therefore not be simply annulled. However, if there is no other legal basis justifying the further storage of the data, they should be deleted by the data controller.

This means that in practice a withdrawal of consent requires data controllers to stop processing any personal data where that processing was carried out on the basis of that consent (see ‘Is consent required and what happens if we can’t obtain consent?’ above).


Rights around withdrawal of consent were further considered in the ECJ case of Google Spain SL and another v Agencia Española de Protección de Datos (AEPD) and another (Case C-131/12) in which data subjects were entitled to ask a search engine operator that has ‘a branch or a subsidiary’ in an EU member state to delete from websites any links to the data subject’s name.

What is changing in relation to consent under the GDPR?

It is intended that Directive 95/46/EC will be replaced by a new General Data Protection Regulation (the “GDPR”), which is due to come into force on 25 May 2018. For more information on the GDPR reforms and their likely impact on your organisation, contact us.