In December 2017, the Article 29 Working Party (A29WP) published draft guidance on consent under GDPR. A29WP is accepting comments on the guidance until 23 January 2018.
1. Freely given
Imbalance of power? Hard to get valid consent
The data subject must have a real choice and must not feel compelled to consent, or feel that negative consequences would follow from withholding consent. An imbalance of power, such as a public authority's power or an employer/employee relationship, may invalidate consent, although A29WP acknowledges that this will not always be the case. Specifically, the guidelines state that employees can give free consent only in exceptional circumstances, so consent should not usually be the lawful basis for processing employee data.
Mixing consent and access to services: will give you a hangover, don’t do it
Making use of a service conditional on consent being given is not allowed where the relevant processing is not 'necessary for the performance of that contract'. A29WP states that this needs to be interpreted strictly: 'there needs to be a direct and objective link between the processing of the data and the purpose of the execution of the contract'. Delivery addresses for online shopping, or processing salary information in order to pay an employee's wages, are highlighted as examples where the processing is directly linked to the contract. As A29WP notes, in most cases controllers who satisfy this test will not need to rely on consent in any event, as they can justify the processing on the basis of contractual necessity. The point is therefore most likely to be useful for controllers processing sensitive data, where contractual necessity is not enough to provide a lawful basis for processing. For example, a health-related app will need to process health data; that processing is necessary for the contract, so the controller could make access to the service conditional on the user giving consent to the processing of health data for that purpose.
Paying for services with data? Data subjects do get the proverbial 'free lunch'
A29WP acknowledges that in very limited cases controllers could make access to a service conditional on consent, provided the controller also makes available a genuinely equivalent service at no extra cost. This will be deeply problematic for controllers (such as publishers) who depend on the processing of personal data (usually for ad-related purposes) as the way to pay for free content provided online. According to A29WP, consent is only valid if the publisher makes available an equivalent service, which does not depend on the use of personal data, for no extra cost.
Similarly, if the individual chooses to withdraw consent, this must not lead to cost or disadvantage for the individual: if it does, the original consent will not have been valid.
Lots of choice
Where a controller has "conflated several purposes for processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom". To avoid any issues, consent for each specific purpose should be obtained.
2. Specific
A29WP reiterates the need to obtain separate consents for different processing activities. A29WP notes that, for each separate purpose for which consent is sought, controllers should provide specific information about the data that will be processed for that purpose.
3. Informed
A29WP suggests a list of minimum information which must be provided for consent to be valid:
- the identity of each controller which will rely on the consent;
- the purpose of each of the processing operations for which consent is sought;
- what (type of) data will be collected and used;
- the existence of the right to withdraw consent;
- information about the use of automated processing techniques which have legal or similarly significant effect; and
- if the consent relates to transfers of data outside the EEA, information about the possible risks of data transfers to third countries.
The wording and format must be easily understandable for the average person (taking into account the average data subject with which the controller will be engaging). Consent must not be hidden amongst other general terms. If consent is obtained through (paper) contractual documents, the request for consent must be "clearly distinguishable from other matters" so that it stands out and grabs the attention of the data subject. The same is true for electronic means used to obtain consent. Controllers should consider using a layered way of presenting the information where appropriate.
4. Unambiguous & active
Written statements by the individual (e.g. typed instructions) are suggested as the surest way of evidencing an unambiguous, affirmative indication of consent, although A29WP does acknowledge that this is often not realistic.
Alternatives could include recorded oral statements or opt-in tick boxes. Pre-ticked opt-in or unticked opt-out boxes are specifically identified as non-compliant, as is blanket acceptance of general terms and conditions.
There is clearly a risk that, when every controller provides options for individuals to give detailed, specific consent, this will produce "click fatigue". A29WP places responsibility for this back with controllers, noting that "GDPR places upon controllers the obligation to develop ways to tackle this issue".
As long as it meets the requirements above, consent does not generally need to be 'explicit'. Explicit consent is only required if it is relied on for processing of special categories of data, data transfers in the absence of adequate safeguards and automated individual decision-making with legal or similarly significant effect.
Here, a written statement is the 'best practice' form of explicit consent. The guidelines recommend that the statement be signed by the data subject where appropriate. Another possibility envisaged by A29WP is a two-stage verification process, such as an email verification step, to ensure the consent is explicit and clear.
Controllers do not just need to obtain valid consent: they need to be able to demonstrate they have done this.
GDPR does not prescribe how this is done, but A29WP notes that whatever method is used should not lead to excessive amounts of additional data processing (only enough data to evidence the consent and no more than that should be processed).
For consent obtained online, the guidelines suggest retaining information about the session in which consent was obtained, together with 'documentation of the consent workflow at the time of the session' and a copy of the information presented to the individual (presumably a record of the page as displayed).
The guidelines recommend refreshing consent at "appropriate intervals" and when doing so, providing all the information again to ensure the consent is still informed.
Withdrawal of Consent
Data subjects must be able to withdraw consent, at any time, as easily as consent was given. In particular, A29WP highlights that the same service-specific user interface should be available, such as using the same website, to both consent and withdraw; consenting via website and having to phone a call-centre to withdraw would not be sufficient.
If consent is withdrawn, this does not affect the lawfulness of processing that took place before the withdrawal. However, the controller must stop processing from that point forward and, unless another lawful basis applies (see below), delete or anonymise the personal data that was processed on the basis of the consent.
If the individual withdraws consent and the controller still wants to process the personal data on another lawful basis (for example contractual necessity), A29WP notes that the controller must notify the data subject of this and of the new lawful basis.
Interaction between consent and other lawful grounds in Article 6 GDPR
A29WP suggests that controllers can rely on only one lawful basis to justify their processing of personal data for a particular purpose. If the controller processes personal data for multiple purposes, however, each purpose could have a separate lawful basis. The guidelines state that once consent is identified as the specific legal basis (which must be communicated to the data subject), the processing cannot later be made lawful by swapping in other legal bases as 'back-ups'. This seems to conflict with the comments earlier in the guidance (and in GDPR) which recognise that, if an individual requests erasure because consent for processing has been withdrawn, the controller may be justified in retaining the data if there is another lawful basis for processing.
Article 8 GDPR provides that, where a controller offers an information society service to children and relies on consent as the lawful basis for processing, that consent must be obtained from the person holding parental responsibility. A29WP notes that this provision only applies where the service is 'offered directly to a child': if the controller makes it clear that it only intends to offer services to persons aged 18 or over, the provision will not apply. As the parental consent rule applies only to children below the age of digital consent (16, or lower depending on member state requirements), A29WP seems to have consigned 16 and 17 year olds to some kind of teenage limbo.
Member states may choose to lower the age of digital consent below 16, but not below 13. A29WP states that they may also choose to apply their rules on the basis either of the controller's main establishment being in their country or of the residence of the child.
A29WP states that controllers must make reasonable efforts to verify that the user is over the age of digital consent. A29WP states "the mechanism chosen to verify the age of a data subject should involve an assessment of the risk of the proposed processing. In some low-risk situations, it may be appropriate to require a new subscriber to a service to disclose their year of birth or to fill out a form stating they are (not) a minor."
A similar approach applies to obtaining parental consent. Where there is little risk involved, a simple email verification system is suggested by A29WP. Once a minor reaches the age of digital consent, any parent-based consent expires.
GDPR contains specific carve-outs for consent in the context of scientific research: the recitals recognise that it can be difficult to fully identify the purposes of processing at the outset, so that individuals could instead give consent to certain areas of scientific research.
A29WP's guidance limits the scope of this, stating that it does not displace the requirement for consent to be specific and that, if the purposes are unclear, the research programme will likely not comply with GDPR. A29WP also states that the scientific research purpose must be "in accordance with relevant sector-related methodological and ethical standards" and that, if individuals withdraw consent to processing, the data must be deleted or anonymised, irrespective of the impact this could have on the research.