The European Data Protection Board (“EDPB”) published updated guidelines concerning consent with respect to personal data processing under the EU´s General Data Protection Regulation (“GDPR”) in May 2020, namely Guidelines 05/2020 on consent under Regulation 2016/679 (“Guidelines”). The Guidelines bring clarity and provide much needed practical guidance for the use of consent as a legal ground for processing personal data.
Basics of Consent Under GDPR
Consent is one of six lawful bases for processing personal data under Article 6 of the GDPR. Data controllers always must determine whether there is a suitable and appropriate legal ground for processing personal data when considering such activities.
Consent is “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” as recited in Article 4(11) of the GDPR.
Consent is not an appropriate lawful basis unless a data subject is offered control and a genuine choice of accepting the terms offered or declining them without detriment. A data controller must assess if all the requirements for obtaining valid consent are met. If consent is not obtained in full compliance with the GDPR, the data subject’s control becomes illusory and consent is not a valid basis for processing personal data, resulting in any such processing being unlawful.
Specific Aspects of Consent Under GDPR Guidelines
Under the GDPR Guidelines, particular attention should be given to the following aspects of consent as a legal basis for processing personal data:
1) Freely given
4) Unambiguous indication of the data subject's wishes.
1. Freely given
The Guidelines highlight that the element “free” implies real choice and control for data subjects. As a general rule, if the data subject has no real choice, feels compelled to provide consent or will endure negative consequences if he or she does not provide consent, then consent will not be valid.
If consent is bundled as a non-negotiable part of terms and conditions under a contract, for example, it is presumed not to have been freely given. The data subject must always be able to refuse or withdraw his or her consent without detriment. The imbalance between the data controller and the data subject due to their relationship and/or power also should be considered and any inappropriate pressure or influence upon the data subject, which prevents a data subject from exercising his or her free will, also renders consent invalid.
According to Article 6(1)(a) of the GDPR the consent by a data subject must be given in relation to “one or more specific” purposes and a data subject must have a choice in relation to each purpose. This ensures a degree of user control and transparency for the data subject and is closely linked to the requirement of “informed” consent. In order to comply with the requirement of “specific”, the Guidelines provide that the data controller must consider the following: a) purpose specification as a safeguard against function creep, b) granularity in consent requests (i.e., a separate opt-in for each purpose), and c) clear separation of information related to obtaining consent for data processing activities from information about other matters.
“Informed” is an essential element of consent. The Guidelines note that it is necessary to inform the data subject of certain elements that are crucial for making a choice in order to enable the consent to be informed and, thus, valid including:
- the controller’s identity
- the purpose of each of the processing operations for which consent is sought
- what (type of) data will be collected and used
- the existence of the right to withdraw consent
- information about use of the data for automated decision-making
- the possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards
The request for consent must be clear and concise. Layered and granular information is more precise and complete and is generally more understandable, but the data controller must also carefully assess the target audience and determine what information would be understandable to such audience. If the requirement of “informed” is not fulfilled by the data controller, any consent otherwise obtained is invalid.
4. Unambiguous indication of the data subject's wishes
The Guidelines highlight that the GDPR is clear on the matter that consent must always be given through an active motion or declaration and it must be obvious that the data subject has consented to particular processing by a clear affirmative act. A “clear affirmative act” means that the data subject must have taken deliberate action indicating consent to certain processing.
Consent can be collected through a written or (recorded) oral statement, including by electronic means. Written statements can be provided in many ways that would comply with the GDPR, but national legislation of an EU Member States may dictate what is acceptable in a particular Member State. In addition, the use of pre-ticked opt-in boxes is invalid under the GDPR but an opt-in box ticked by the data subject is acceptable. However, silence or inactivity on the part of the data subject or merely proceeding with use of a service, are not regarded as active indications of choice.
To ensure that consent for personal data processing is valid, particular attention should be paid to the EDPB Guidelines concerning the four key elements discussed above. Specifically, valid consent must be freely given and specific to the matter. In addition, the data subject must be well-informed and provide an unambiguous indication of his or her wishes. Otherwise, any purported consent is not valid and its basis as a legal ground for personal data processing is lost.
Please see the link for additional information on the EDPB Guidelines relating to consent.