The European Data Protection Board (“EDPB”) published updated guidelines for personal data processing related consents under the EU’s General Data Protection Regulation (“GDPR”) in May 2020, namely Guidelines 05/2020 on consent under Regulation 2016/679 (“Guidelines”). These Guidelines bring clarity and provide much needed practical guidance for applying consent as a legal ground for processing personal data.
Consent is one of six lawful bases to process personal data provided in Article 6 of the GDPR. Any data controller must always consider what would a suitable and an appropriate legal ground for the planned personal processing when initiating such activities.
Consent is “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” as defined under Article 4(11) of the GDPR.
Consent can not be used as an appropriate lawful basis unless a data subject is offered control and is offered a genuine choice of accepting the terms offered or declining them without detriment. A data controller must assess if all the requirements to obtain valid consent are met. If a consent is not obtained in full compliance with the GDPR, the data subject’s control becomes illusory and consent will not be a valid basis for processing personal data causing the processing to be unlawful.
Attention should be paid especially to the following characteristics of consent while using it as a legal basis for processing personal data:
1) Freely given;
2) Specific;
3) Informed; and
4) Unambiguous indication of the data subject's wishes.
Freely given
The Guidelines highlight that the element “free” implies real choice and control for data subjects. As a general rule, if the data subject has no real choice, may feel compelled to provide consent or will endure negative consequences if they do not provide consent, then consent will not be valid. If consent is bundled up as a non-negotiable part of terms and conditions under a contract, for example, it is presumed not to have been freely given. The data subject must always be able to refuse or withdraw his or her consent without detriment. The imbalance between the data controller and the data subject due to their relationship and/or power should also be considered and any inappropriate pressure or influence upon the data subject, which prevents a data subject from exercising their free will, also causes the consent to be invalid.
Specific
According to Article 6(1)(a) of the GDPR the consent of the data subject must be given in relation to “one or more specific” purposes and that a data subject must have a choice in relation to each of them. This aims to ensure a degree of user control and transparency for the data subject and is closely linked to the requirement of 'informed' consent. In order to comply with the requirement of “specific”, the Guidelines provide that the data controller must apply: a) Purpose specification as a safeguard against function creep, b) Granularity in consent requests (i.e. a separate opt-in for each purpose), and c) Clear separation of information related to obtaining consent for data processing activities from information about other matters.
Informed
“Informed” is an essential element of consent. The Guidelines define that it is necessary to inform the data subject of certain elements that are crucial to make a choice in order to enable the consent to be informed and, thus, valid:
- the controller’s identity,
- the purpose of each of the processing operations for which consent is sought,
- what (type of) data will be collected and used,
- the existence of the right to withdraw consent,
- information about the use of the data for automated decision-making, and
- on the possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards.
If the requirement of “informed” is not fulfilled by the data controller, the obtained consent is invalid. The request for consent must be clear and concise. Layered and granular information can enable being both precise and complete and understandable but the data controller must also carefully asses the target audience and what would be understandable for them.
Unambiguous indication of the data subject's wishes
The Guidelines highlight that the GDPR is clear on the matter that consent must always be given through an active motion or declaration and it must be obvious that the data subject has consented to the particular processing by a clear affirmative act. A “clear affirmative act” means that the data subject must have taken a deliberate action to consent to the certain processing.
Consent can be collected through a written or (a recorded) oral statement, including by electronic means. Written statements can be provided in may ways that would comply with the GDPR but the national legislation of the EU Member States may impact on what is acceptable in a certain Member State. For example, consent can be obtained through a recorded oral statement. The use of pre-ticked opt-in boxes is invalid under the GDPR but opt-in box ticked by the data subject is acceptable. However, silence or inactivity on the part of the data subject, as well as merely proceeding with using a service, are not regarded as an active indication of choice.
