
Thursday 5 May 2016

Obtaining Valid Consent Under the GDPR
 
This article was published on Lexis®PSL IT&IP in May 2016.



Consent under the Data Protection Act 1998 and Data Protection Directive 95/46/EC



For discussion of the meaning of ‘consent’ under the existing Data Protection Act 1998 and Data Protection Directive 95/46/EC, see our previous blog article Obtaining Valid Consent Under the Data Protection Act 1998. 



It is worth noting that consents obtained under the existing legislation should continue to be effective under the EU General Data Protection Regulation (“GDPR”) when it applies from 25 May 2018, provided that they meet the new GDPR conditions.  The transitional position is set out in Recital 134 of the GDPR, which states that:

  • Data Protection Directive 95/46/EC will be repealed by the GDPR. 
  • Processing already under way on the date of application of the GDPR should be brought into conformity with the GDPR within two years after the GDPR enters into force. 
  • Where processing is based on consent under Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the way the consent has been given is in line with the conditions of the GDPR, so as to allow the data controller to continue processing after the date of application of the GDPR.

 What does ‘consent’ mean under the GDPR? 


Note that the article and recital numbers cited in this post follow the compromise text available when it was written; in the Regulation as published in the Official Journal (Regulation (EU) 2016/679) the definition of consent appears at Article 4(11) and the consent recitals are Recitals 32, 42 and 43. Article 4(8) of that text defines the ‘data subject's consent’ as meaning:


“any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”. 


Recital 25 of the GDPR adds further clarification to this definition by adding that:

  • The action taken may be by written, electronic, or oral statement; 
  • This could include ticking a box when visiting an Internet website, choosing technical settings for information society services or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. 
  • Silence, pre-ticked boxes or inactivity should not constitute consent. 
  • Consent should cover all processing activities carried out for the same purpose or purposes. 
  • When the processing has multiple purposes, consent should be granted for all of the processing purposes. 
  • If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Is consent required under the GDPR and what happens if one cannot obtain consent?



Article 6(1) (Lawfulness of processing) of the GDPR sets out one of the legitimising fair processing conditions for personal data as follows: 



“6(1) Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:…(a) the data subject has given consent to the processing of their personal data for one or more specific purposes”.



Article 9(2) (Processing of special categories of personal data) of the GDPR then sets out one of the legitimising fair processing conditions for special categories of personal data as follows: 



“…the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject”.



Consent is, however, just one of the: 


  • Fair processing conditions that may be relied on to enable fair and lawful processing of: 
    • Any personal data under Article 6(1) of the GDPR; and of 
    • Sensitive personal data under Article 9(2) of the GDPR; 
  • Conditions that may be relied on to enable fair and lawful processing of Automated individual decision making (including profiling) under Article 20 of the GDPR; 
  • Grounds to enable fair and lawful transfer of personal data outside the EEA under Article 44(1)(a) of the GDPR.  It is worth noting that where consent is relied on in this situation, ‘explicit consent’ is required for the proposed transfer and the data subject has to have been informed of the possible risks of such transfers etc.

It is, therefore, not mandatory to obtain consent if:

  • One of the other fair processing conditions under Article 6(1) or Article 9(2) of the GDPR can be relied on; 
  • One of the other grounds for fair and lawful processing of automated individual decision making (including profiling) can be relied on under Article 20 of the GDPR; 
  • One of the other grounds for legitimate international data transfer under Article 44(1)(a) of the GDPR can be relied on; or 
  • One of the exceptions under the GDPR exists in relation to the intended processing.  



As discussed in our previous blog article Obtaining Valid Consent Under the Data Protection Act 1998: 



  • Consent is often used by UK data controllers in practice as either the sole legitimising fair processing condition or sometimes as a back-up to another fair processing condition or ground for processing, where it is the easiest condition or mechanism for the data controller to show they have complied with the DPA 1998.  That is not to say that this is always the best condition or ground for data controllers to rely on.  In fact, it can often be a poor way to secure compliance. This is because individuals may withhold their consent, their consent may be withdrawn (see below), or indeed the purposes for which consent was originally sought and granted may have changed. In the latter case, the data controller could no longer rely on the consent originally given. 

  • This is likely to continue to be the case under the GDPR. It will therefore continue to be prudent for data controllers to consider whether another fair processing condition or ground for processing would be better to rely on in any particular case. 



In general terms, given the increased sanctions for  non-compliance under the GDPR, organisations should carry out a data mapping exercise and an audit to consider what fair processing conditions they currently rely on to justify their various data processing operations.  Where consent is currently relied on to justify processing under the DPA 1998, the existing mechanisms used for consent should be reviewed and the organisation should consider whether consent is still a practical and workable solution to justify their data processing activities. Under the new burdensome consent requirements of the GDPR, this may no longer be the case.



Administrative fines of up to EUR 20 Million, or in case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher) may be levied under the GDPR for failure to comply with the basic principles for processing, including conditions for consent.



Obtaining consent for the processing of sensitive personal data under the GDPR



As discussed above, Article 9 (Processing of special categories of personal data) of the GDPR sets out lawful conditions for processing sensitive personal data categories (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data, biometric data in order to uniquely identify a person or data concerning health or sex life and sexual orientation).



Consent to process sensitive personal data must be ‘explicit’ (Article 9(2)(a) of the GDPR), as is currently the case under the existing Data Protection Directive 95/46/EC. It has, however, been clarified in the GDPR that: 



  • Consent will be provided for specific pre-defined purposes and may not be used to justify data processing for any other purpose; 
  • Where disclosure of sensitive personal data is contrary to the national laws of an EU member state or otherwise contrary to EU law, consent from a data subject will not override the absolute prohibition of processing of any such information.

 How to obtain and withdraw consent under the GDPR



In addition to the definition of consent under Article 4(8) GDPR and the fair processing conditions set out under Articles 6(1) and 9(2) GDPR, Article 7 GDPR sets out specific conditions which must be met in relation to consent.



Many of these Article 7 conditions and the corresponding GDPR Recitals reflect current established guidance from the European Union Article 29 Working Party (the “Art 29 Working Party”) in the form of Opinion 15/2011 (“the 2011 Opinion”) which set out their view of what is meant by ‘consent’ for the purposes of the existing Data Protection Directive 95/46/EC. 

It is likely that the new European Data Protection Board (which will take over from the Art 29 Working Party under the GDPR) will establish a new and updated Opinion on consent in due course that will perhaps add some of the detail from the existing Opinion 15/2011 that has not made it into the text of the GDPR.  For further discussion of Opinion 15/2011, see our previous blog article Obtaining Valid Consent Under the Data Protection Act 1998. 



The Article 7 GDPR conditions are set out below. For each condition, the text of the Article is given first, followed by the additional information provided in the GDPR Recitals and the author's commentary.

Article 7(1) states: “Where processing is based on consent, the controller shall be able to demonstrate that consent was given by the data subject to the processing of their personal data”.
Under Article 7(1) and in accordance with Recital 32 GDPR, data controllers have the burden of proving that consent was obtained.

This will require a significant tightening up of the requirements for establishing and proving consent in the UK. Under the current legal regime, a rather more relaxed approach has been taken to this. 

Organisations that rely on consent to enable some or all of their data processing under the current legal regime will need to review the circumstances in which they will collect consent under the GDPR, the fair processing information given to data subjects in order to obtain consent and the technical methods used to collect consent. Organisations will also need to consider how they will demonstrate or show evidence of consent going forwards.

It is likely to be expensive to implement and maintain consent systems in relation to ongoing and future processing.

Article 7(2) states: “If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of the declaration which constitutes an infringement of this Regulation that the data subject has given consent to shall not be binding”.
Consents must be specific to the purposes for which they are needed. 
Request for consent to a data subject will have to be clearly distinguishable from any other matters the individuals are notified about. 
Recital 32 GDPR goes on to clarify that:
  • In line with Council Directive 93/13/EEC, a declaration of consent pre-formulated by the data controller should be provided in an intelligible and easily accessible form, using clear and plain language, and it should not contain unfair terms.
  • For consent to be ‘informed’ the data subject should be aware at least of the identity of the data controller and the purposes of the processing for which the personal data are intended.
  • Consent should not be regarded as freely given if the data subject has no genuine and free choice and is unable to refuse or withdraw consent without detriment.
Generic consents often collected under the current legal regime (e.g. via standard contractual terms with vaguely drafted sections on consent) will need to be re-drafted so that they are more specific and tailored to collection of specific data sets used for specific purposes.

Article 7(3) states: “The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw consent as to give it”.

Under this Article 7(3) GDPR, it is made clear that data subjects have the right to withdraw their consent at any time and it should be as easy for an individual to withdraw consent as to give it.

Article 17 of the GDPR further sets out detailed rights that data subjects have to request erasure of their information (the “right to be forgotten") including under Article 17(1)(b) where consent has been withdrawn by the data subject.

Article 14(1a)(ea) of the GDPR also makes it clear that where consent is relied on, as part of the fair processing information provided to individuals, they must be clearly told about their right to withdraw consent. 

The strengthened rights under the GDPR for data subjects to withdraw consent and their right to be forgotten means that organisations that currently rely on consent to enable some or all of their data processing under the current legal regime will need to carefully consider: 
  • What mechanisms they will implement to enable data subjects to withdraw their consent easily;
  • How readily consent is likely to be withdrawn, and what the impact would be of that happening;
  • Whether they would have to stop processing the relevant data when consent was withdrawn. Could they do that? How would they do that?
  • If they ‘need’ to continue processing the data, on what other grounds could they justify doing so? If this necessitates a change of legal fair processing grounds, is this acceptable, or does it call into question whether the information was being fairly processed in the first place? See further discussion of this in our previous blog article Obtaining Valid Consent Under the Data Protection Act 1998. 

Where personal data is processed for direct marketing the data subject will have a right to object. This right will have to be explicitly brought to their attention. See Recital 57 and Article 19 of the GDPR.
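The Article 7(1) to 7(3) conditions above translate directly into what a consent-capture system has to record and be able to prove. As an added example, not code from the original article, the ICO or any regulator, the following Python sketch keeps a hash-chained consent register: it refuses pre-ticked or passive ‘consent’, requires the notice shown to name the controller, the purpose and the right to withdraw, records one purpose per event so that consents cannot be bundled, answers whether consent was in force at a given moment (withdrawal is not retroactive), and lets an auditor check that the log has not been altered. The class and function names, the notice fields and the May 2018 dates are assumptions made for illustration.

```python
"""Added example (not from the original post, the ICO or any library): a consent
register that keeps the evidence Article 7 GDPR asks for. Names are hypothetical."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

GENESIS = "0" * 64  # hash "before" the first event

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str      # one purpose per event, so consents cannot be bundled
    action: str       # "given" or "withdrawn"
    at: datetime
    evidence: dict    # how consent was captured: method, notice shown, ...
    prev_hash: str    # digest of the previous event (hash chain)
    digest: str       # SHA-256 over prev_hash + this event's content

def _serialise(subject_id, purpose, action, at, evidence) -> str:
    """Canonical JSON so an event always hashes the same way."""
    return json.dumps({"subject": subject_id, "purpose": purpose, "action": action,
                       "at": at.isoformat(), "evidence": evidence}, sort_keys=True)

class ConsentRegister:
    """Append-only, hash-chained log: the controller can show a consistent
    history (Article 7(1) burden of proof) and a reviewer can spot an altered
    record or a gap in the middle of the history."""

    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []

    def _append(self, subject_id, purpose, action, at, evidence) -> ConsentEvent:
        prev = self.events[-1].digest if self.events else GENESIS
        body = _serialise(subject_id, purpose, action, at, evidence)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        event = ConsentEvent(subject_id, purpose, action, at, evidence, prev, digest)
        self.events.append(event)
        return event

    def record_consent(self, subject_id, purpose, at, *, affirmative_action,
                       pre_ticked, notice) -> ConsentEvent:
        """Record consent for ONE purpose; refuse anything that is not a clear
        affirmative act, or that was not informed and specific."""
        if pre_ticked or not affirmative_action:   # silence/inactivity/pre-ticked box
            raise ValueError("no clear affirmative action: not valid consent")
        # Informed: at least the controller's identity and the purpose, plus the
        # right to withdraw (Article 7(3)) explained before consent is given.
        for key in ("controller", "purpose", "withdrawal_right_explained"):
            if not notice.get(key):
                raise ValueError(f"consent not informed: notice lacks {key}")
        if notice["purpose"] != purpose:
            raise ValueError("notice describes another purpose: consent not specific")
        return self._append(subject_id, purpose, "given", at,
                            {"method": "affirmative action", "notice": notice})

    def withdraw_consent(self, subject_id, purpose, at) -> ConsentEvent:
        """As easy as giving it: one call, no conditions."""
        return self._append(subject_id, purpose, "withdrawn", at,
                            {"method": "self-service withdrawal"})

    def is_lawful_at(self, subject_id, purpose, when) -> bool:
        """Was consent for this purpose in force at `when`?  Withdrawal is not
        retroactive (Article 7(3)): earlier processing stays lawful."""
        history = sorted((e for e in self.events if e.subject_id == subject_id
                          and e.purpose == purpose and e.at <= when), key=lambda e: e.at)
        return bool(history) and history[-1].action == "given"

    def verify_chain(self) -> bool:
        """Recompute every digest; False if any event was altered or an interior
        event removed (truncation at the tail needs an externally stored head digest)."""
        prev = GENESIS
        for e in self.events:
            body = _serialise(e.subject_id, e.purpose, e.action, e.at, e.evidence)
            if e.prev_hash != prev or hashlib.sha256((prev + body).encode()).hexdigest() != e.digest:
                return False
            prev = e.digest
        return True

def day(d: int) -> datetime:          # constructed scenario dates: May 2018, UTC
    return datetime(2018, 5, d, tzinfo=timezone.utc)

def demo() -> dict:
    """Constructed scenario: newsletter consent given on 25 May, a pre-ticked
    'profiling' box rejected, newsletter consent withdrawn on 30 May."""
    reg = ConsentRegister()
    notice = {"controller": "Example Ltd", "purpose": "newsletter",
              "withdrawal_right_explained": True}
    reg.record_consent("subject-1", "newsletter", day(25), affirmative_action=True,
                       pre_ticked=False, notice=notice)
    try:
        reg.record_consent("subject-1", "profiling", day(25), affirmative_action=False,
                           pre_ticked=True, notice=dict(notice, purpose="profiling"))
        rejected = False
    except ValueError:
        rejected = True
    reg.withdraw_consent("subject-1", "newsletter", day(30))
    return {"pre_ticked_rejected": rejected,
            "newsletter_lawful_27_may": reg.is_lawful_at("subject-1", "newsletter", day(27)),
            "newsletter_lawful_31_may": reg.is_lawful_at("subject-1", "newsletter", day(31)),
            "profiling_lawful_27_may": reg.is_lawful_at("subject-1", "profiling", day(27)),
            "chain_intact": reg.verify_chain()}
```

The point of the hash chain is that the register is evidence, not just state: a controller asked to demonstrate consent can hand over the log and the verifier can recompute it. Because the chain only proves the interior of the history, a real deployment would also anchor the latest digest somewhere the operator cannot quietly rewrite (a write-once store or a signed daily checkpoint) so that removal of the most recent events is detectable too.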

Article 7(4) states: “When assessing whether consent is freely given, utmost account shall be taken of the fact whether, among others, the performance of a contract, including the provision of a service, is made conditional on the consent to the processing of data that is not necessary for the performance of this contract”.

During negotiations over the final GDPR text there was a lot of debate around whether consent should provide a valid ground for data processing where there is a significant imbalance between the data subject and data controller.

The final text in Article 7(4) GDPR was intended in part to address this concern.

The GDPR Recitals also make it clear that:

  • Consent is not freely given if the data subject had no genuine and free choice and is unable to withdraw or refuse consent without detriment (Recital 32).
  • In order to safeguard that consent has been freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and this makes it unlikely that consent was given freely in all the circumstances of that specific situation.
  • Consent is presumed not to be freely given if it does not allow separate consent to be given to different data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is made dependent on the consent despite this not being necessary for such performance.

In practice this means that attempts to bundle wide-ranging or generic consents into contractual language will no longer be allowed.

This Article 7(4) may have a huge impact on compliance requirements for e-commerce services, among others.

In addition, it is likely (and encouraged by GDPR Recital 124) that some EU Member States may provide more specific rules in due course surrounding the use of consent in the employment context. It is worth noting that the current ICO Employment Practices Code discourages reliance on consent when processing employee data, as employees will feel under duress to give the consent.  That said, in practice and in our experience most UK employers do tend to ask for consent from employees to, for example:

- help to demonstrate that fair processing information was provided; and also to
- cover certain types of data processing where neither the employment law compliance nor the legitimate interests fair processing conditions apply. 
