Obtaining Valid Consent Under the GDPR
This article was published on Lexis®PSL IT&IP in May 2016.
Consent under the Data Protection Act 1998 and Data Protection Directive 95/46/EC
For discussion of the meaning of ‘consent’ under the existing Data Protection Act 1998 and Data Protection Directive 95/46/EC, see our previous blog article Obtaining Valid Consent Under the Data Protection Act 1998.
It is worth noting that consents obtained under the existing legislation should continue to be effective under the EU General Data Protection Regulation (“GDPR”) when it applies from 25 May 2018, provided that the way in which they were obtained meets the GDPR conditions for consent. The transitional position is set out in Recital 171 of the GDPR, which states that:
- Data Protection Directive 95/46/EC will be repealed by the GDPR.
- Processing already under way on the date of application of the GDPR should be brought into conformity with the GDPR within the two-year period after the GDPR enters into force (that is, by 25 May 2018).
- Where processing is based on consent under Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the way the consent was given is in line with the conditions of the GDPR, so that the data controller may continue processing after the date of application of the GDPR.
In practice this means that a consent that was not a clear affirmative action, was not specific to the purposes of the processing, or cannot be evidenced will not carry over, and fresh consent or another lawful basis will be needed.
What does ‘consent’ mean under the GDPR?
Article 4(11) of the GDPR defines the ‘data subject's consent’ as meaning:
“any freely given, specific, informed and unambiguous
indication of his or her wishes by which the data subject, either by a
statement or by a clear affirmative action, signifies agreement to personal
data relating to them being processed”.
Recital 32 of the GDPR adds further clarification to this definition:
- The action taken may be by written, electronic, or oral statement;
- This could include ticking a box when visiting an Internet website, choosing technical settings for information society services or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data.
- Silence, pre-ticked boxes or inactivity should not constitute consent.
- Consent should cover all processing activities carried out for the same purpose or purposes.
- When the processing has multiple purposes, consent should be granted for all of the processing purposes.
- If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Is consent required under the GDPR and what happens if one
cannot obtain consent?
Article 6(1) (Lawfulness of processing) of the GDPR sets out
one of the legitimising fair processing conditions for personal data as
follows:
“6(1) Processing of personal data shall be lawful only if
and to the extent that at least one of the following applies:…(a) the data
subject has given consent to the processing of their personal data for one or
more specific purposes”.
Article 9(2) (Processing of special categories of personal
data) of the GDPR then sets out one of the legitimising fair processing
conditions for special categories of personal data as follows:
“…the data subject has given explicit consent to the
processing of those personal data for one or more specified purposes, except
where Union law or Member State law provide that the prohibition referred to in
paragraph 1 may not be lifted by the data subject”.
Consent is, however, only one of:
- The conditions that may be relied on to enable fair and lawful processing of any personal data under Article 6(1) of the GDPR, and of special categories of personal data under Article 9(2) of the GDPR;
- The conditions that may be relied on to enable automated individual decision-making, including profiling, under Article 22 of the GDPR;
- The grounds that may be relied on to transfer personal data outside the EEA under Article 49(1)(a) of the GDPR. Where consent is relied on for a transfer, ‘explicit consent’ is required and the data subject must first have been informed of the possible risks of the transfer in the absence of an adequacy decision and appropriate safeguards.
It is, therefore, not mandatory to obtain consent if:
- One of the other fair processing conditions under Article 6(1) or Article 9(2) of the GDPR can be relied on;
- One of the other grounds for automated individual decision-making (including profiling) under Article 22 of the GDPR can be relied on;
- One of the other grounds for legitimate international data transfer under Article 49(1) of the GDPR can be relied on; or
- One of the exceptions under the GDPR applies to the intended processing.
As discussed in our previous blog article Obtaining Valid Consent Under the Data Protection Act 1998:
- Consent is often used by UK data controllers in practice either as the sole legitimising fair processing condition or as a back-up to another fair processing condition or ground for processing, where it is the easiest condition or mechanism for the data controller to show that it has complied with the DPA 1998. That is not to say that this is always the best condition or ground for data controllers to rely on; in practice it can often be a poor way to secure compliance. This is because individuals may withhold their consent, their consent may be withdrawn (see below), or the purposes for which consent was originally sought and granted may have changed. In the latter case the data controller could no longer rely on the consent originally given.
- This is likely to continue to be the case under the GDPR. It will therefore continue to be prudent for data controllers to consider if another fair processing condition or ground for processing would be better to rely on in any particular case.
In general terms, given the increased sanctions for non-compliance under the GDPR, organisations
should carry out a data mapping exercise and an audit to consider what fair
processing conditions they currently rely on to justify their various data
processing operations. Where consent is
currently relied on to justify processing under the DPA 1998, the existing
mechanisms used for consent should be reviewed and the organisation should
consider whether consent is still a practical and workable solution to justify
their data processing activities. Under the new burdensome consent requirements
of the GDPR, this may no longer be the case.
Administrative fines of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide annual turnover of the preceding financial year (whichever is higher) may be levied under Article 83(5)(a) of the GDPR for failure to comply with the basic principles for processing, including the conditions for consent in Article 7.
Obtaining consent for the processing of sensitive personal
data under the GDPR
As discussed above, Article 9 (Processing of special
categories of personal data) of the GDPR sets out lawful conditions for
processing sensitive personal data categories (personal data revealing racial
or ethnic origin, political opinions, religious or philosophical beliefs,
trade-union membership, and the processing of genetic data, biometric data in
order to uniquely identify a person or data concerning health or sex life and
sexual orientation).
Consent to process sensitive personal data must be ‘explicit’ (Article 9(2)(a) of the GDPR), as is currently the case under the existing Data Protection Directive 95/46/EC. It has, however, been clarified in the GDPR that:
- Consent is given for specific, pre-defined purposes and may not be used to justify data processing for any other purpose;
- Where Union law or the national law of an EU Member State provides that the prohibition on processing special categories of data may not be lifted by the data subject, consent from the data subject will not override that prohibition.
How to obtain and withdraw consent under the GDPR
In addition to the definition of consent under Article 4(11) GDPR and the fair processing conditions set out under Articles 6(1) and 9(2) GDPR, Article 7 GDPR sets out specific conditions which must be met in relation to consent.
Many of these Article 7 conditions and the corresponding
GDPR Recitals reflect current established guidance from the European Union
Article 29 Working Party (the “Art 29 Working Party”) in the form of Opinion
15/2011 (“the 2011 Opinion”) which set out their view of what is meant by
‘consent’ for the purposes of the existing Data Protection Directive
95/46/EC.
It is likely that the new European Data Protection Board (which will take over from the Art 29 Working Party under the GDPR) will issue a new and updated Opinion on consent in due course that may add some of the detail from Opinion 15/2011 that has not made it into the text of the GDPR. For further discussion of Opinion 15/2011, see our previous blog article Obtaining Valid Consent Under the Data Protection Act 1998.
The Article 7 GDPR conditions are as follows:
For each paragraph of Article 7 the text of the Article is set out first, followed by the additional information provided in the GDPR Recitals and author commentary.
Article 7(1) states: “Where processing is based on consent, the controller shall be able to demonstrate that consent was given by the data subject to the processing of their personal data”.
Under Article 7(1), and in accordance with Recital 42 GDPR, data controllers bear the burden of proving that consent was obtained.
This will require a significant tightening of the requirements for establishing and proving consent in the UK; under the current legal regime a rather more relaxed approach has been taken.
Organisations that rely on consent to enable some or all of their data processing under the current legal regime will need to review the circumstances in which they will collect consent under the GDPR, the fair processing information given to data subjects in order to obtain consent and the technical methods used to collect consent. They will also need to consider how they will demonstrate or evidence consent going forward: in practice, a record of who consented, to which purposes, when, by what affirmative action and against which version of the fair processing information.
It is likely to be expensive to implement and maintain consent systems for ongoing and future processing.
Article 7(2) states: “If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of the declaration which constitutes an infringement of this Regulation that the data subject has given consent to shall not be binding”.
Consents must be specific to the purposes for which they are needed, and a request for consent will have to be clearly distinguishable from any other matters the individual is notified about. Recital 42 GDPR goes on to clarify that:
- In line with Council Directive 93/13/EEC a declaration of consent pre-formulated by the data controller should be provided in an intelligible and easily accessible form, using clear and plain language, and it should not contain unfair terms.
- For consent to be ‘informed’ the data subject should be aware at least of the identity of the data controller and the purposes of the processing for which the personal data are intended.
- Consent should not be regarded as freely given if the data subject has no genuine and free choice or is unable to refuse or withdraw consent without detriment.
Generic consents often collected under the current legal regime (e.g. via standard contractual terms with vaguely drafted sections on consent) will need to be re-drafted so that they are specific and tailored to the collection of particular data sets for particular purposes.
Article 7(3) states: “The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw consent as to give it.”
Article 7(3) GDPR makes clear that data subjects have the right to withdraw their consent at any time and that it should be as easy for an individual to withdraw consent as to give it.
Article 17 of the GDPR further sets out the detailed rights that data subjects have to request erasure of their information (the “right to be forgotten”), including under Article 17(1)(b) where consent has been withdrawn by the data subject and there is no other legal ground for the processing.
Article 13(2)(c) of the GDPR (and Article 14(2)(d) where the data were not obtained from the data subject) also makes clear that where consent is relied on, individuals must be told about their right to withdraw consent as part of the fair processing information provided to them.
The strengthened rights under the GDPR for data subjects to withdraw consent and their right to be forgotten mean that organisations that currently rely on consent to enable some or all of their data processing under the current legal regime will need to carefully consider:
- What mechanisms they will implement to enable data subjects to withdraw their consent easily;
- How readily consent is likely to be withdrawn and what the impact of that would be;
- Whether they would have to stop processing the relevant data when consent was withdrawn, whether they could do that and how they would do it;
- If they ‘need’ to continue processing the data, on what other grounds they could justify doing so. If this necessitates a change of legal fair processing grounds, is this acceptable or does it call into question whether the information was being fairly processed in the first place? See further discussion of this in our previous blog article Obtaining Valid Consent Under the Data Protection Act 1998.
Where personal data are processed for direct marketing the data subject has a right to object, which must be explicitly brought to their attention. See Recital 70 and Article 21(2) and (4) of the GDPR.
Article 7(4) states: “When assessing whether consent is freely given, utmost account shall be taken of the fact whether, among others, the performance of a contract, including the provision of a service, is made conditional on the consent to the processing of data that is not necessary for the performance of this contract.”
During negotiations over the final GDPR text there was a lot of debate around whether consent should provide a valid ground for data processing where there is a significant imbalance between the data subject and the data controller. The final text of Article 7(4) GDPR was intended in part to address this concern.
The GDPR Recitals also make it clear that:
- Consent is not freely given if the data subject has no genuine and free choice or is unable to refuse or withdraw consent without detriment (Recital 42).
- In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority, and this makes it unlikely that consent was given freely in all the circumstances of that specific situation (Recital 43).
- Consent is presumed not to be freely given if it does not allow separate consent to be given to different data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is made dependent on the consent despite this not being necessary for such performance (Recital 43).
In practice this means that attempts to bundle wide-ranging or generic consents into contractual language are unlikely to produce valid consent under the GDPR.
Article 7(4) may have a huge impact on compliance requirements for e-commerce services, among others.
In addition, it is likely (and encouraged by GDPR Recital 155 and Article 88) that some EU Member States will provide more specific rules in due course surrounding the use of consent in the employment context. It is worth noting that the current ICO Employment Practices Code discourages reliance on consent when processing employee data, as employees may feel under duress to give it. That said, in practice and in our experience most UK employers do tend to ask for consent from employees to, for example:
- help to demonstrate that fair processing information was provided; and also to
- cover certain types of data processing where neither the employment law compliance nor the legitimate interests fair processing conditions apply.
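As an added illustration (not part of the original article, and not code from the GDPR or from any product), the following Python sketch shows one way a controller could meet the Article 7(1) burden of demonstrating consent, keep consent specific to named purposes (Article 7(2)), make withdrawal as easy as giving it while preserving the lawfulness of earlier processing (Article 7(3)), and refuse to record a pre-ticked box or silence as consent (Recital 32). The event schema, the capture-method labels, the subject identifiers and the notice version are all assumptions made for the example.

```python
"""Consent ledger (added example; not from the article, the GDPR or any product).

Append-only record of consent events so a controller can demonstrate consent
(Article 7(1), Recital 42), keep it purpose-specific (Article 7(2)), honour
withdrawal without affecting earlier processing (Article 7(3)) and refuse
non-affirmative "consent" (Recital 32). Schema, method labels, subject ids and
notice versions are all assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Assumed labels for capture methods that are a clear affirmative action ...
AFFIRMATIVE_METHODS = {"unticked_checkbox", "button_click", "written_statement", "oral_statement"}
# ... and for the ones Recital 32 says should not constitute consent (grants via these are refused).
NON_AFFIRMATIVE_METHODS = {"pre_ticked_checkbox", "silence", "inactivity"}


class ConsentError(ValueError):
    """Raised when a grant does not meet the conditions for valid consent."""


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str         # one specific purpose per event, never a blanket "all processing"
    action: str          # "grant" or "withdraw"
    at: datetime         # when the subject acted (timezone-aware)
    method: str          # how the action was captured
    notice_version: str  # fair processing notice shown at the time (evidence of "informed")
    controller: str      # identity of the controller named in that notice


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []  # append-only: never edited or deleted

    def grant(self, subject_id: str, purposes: Iterable[str], at: datetime,
              method: str, notice_version: str, controller: str) -> List[ConsentEvent]:
        purposes = list(purposes)
        if method not in AFFIRMATIVE_METHODS or method in NON_AFFIRMATIVE_METHODS:
            raise ConsentError(f"{method!r} is not a clear affirmative action")
        if not purposes:
            raise ConsentError("consent must name at least one specific purpose")
        if not notice_version or not controller:
            raise ConsentError("informed consent needs the notice version and controller identity")
        events = [ConsentEvent(subject_id, p, "grant", at, method, notice_version, controller)
                  for p in purposes]
        self._events.extend(events)
        return events

    def withdraw(self, subject_id: str, purposes: Iterable[str], at: datetime,
                 method: str, notice_version: str, controller: str) -> List[ConsentEvent]:
        # No extra conditions: withdrawing must be as easy as giving (Article 7(3)).
        events = [ConsentEvent(subject_id, p, "withdraw", at, method, notice_version, controller)
                  for p in purposes]
        self._events.extend(events)
        return events

    def _history(self, subject_id: str, purpose: str,
                 until: Optional[datetime] = None) -> List[ConsentEvent]:
        return sorted((e for e in self._events if e.subject_id == subject_id
                       and e.purpose == purpose and (until is None or e.at <= until)),
                      key=lambda e: e.at)

    def is_permitted(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """True if the latest event for (subject, purpose) up to `at` (default: all) is a grant."""
        history = self._history(subject_id, purpose, at)
        return bool(history) and history[-1].action == "grant"

    def evidence(self, subject_id: str, purpose: str) -> List[Dict[str, str]]:
        """The demonstrable record for Article 7(1): what, when, how, against which notice."""
        return [{"action": e.action, "at": e.at.isoformat(), "method": e.method,
                 "notice_version": e.notice_version, "controller": e.controller}
                for e in self._history(subject_id, purpose)]


def demo() -> Dict[str, object]:
    """Walk a constructed subject through grant, partial withdrawal and a refused pre-ticked box."""
    ledger = ConsentLedger()
    signup = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)
    # Two separate purposes, each with its own unticked box (Recital 43).
    ledger.grant("subject-42", ["newsletter", "profiling"], signup,
                 "unticked_checkbox", "privacy-notice-v3", "Example Ltd")
    ledger.withdraw("subject-42", ["profiling"], signup + timedelta(days=30),
                    "button_click", "privacy-notice-v3", "Example Ltd")
    try:
        ledger.grant("subject-7", ["newsletter"], signup,
                     "pre_ticked_checkbox", "privacy-notice-v3", "Example Ltd")
        pre_ticked_refused = False
    except ConsentError:
        pre_ticked_refused = True
    return {
        "newsletter_now": ledger.is_permitted("subject-42", "newsletter"),
        "profiling_now": ledger.is_permitted("subject-42", "profiling"),
        # Processing done between grant and withdrawal stays lawful (Article 7(3)).
        "profiling_on_day_2": ledger.is_permitted("subject-42", "profiling",
                                                  at=signup + timedelta(days=1)),
        "unrequested_purpose": ledger.is_permitted("subject-42", "analytics"),
        "pre_ticked_refused": pre_ticked_refused,
        "profiling_trail": [e["action"] for e in ledger.evidence("subject-42", "profiling")],
    }
```

The append-only ledger is the evidence; `is_permitted` is the check a processing pipeline would call before each use of data for a given purpose, and `evidence` is what would be produced for a regulator or a data subject. A real deployment would persist the events in tamper-evident storage and tie `notice_version` to the archived text that was actually shown, since the identity of the controller and the purposes stated in that notice are what make the consent ‘informed’.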