The Article 29 Working Party (A29WP) has now published its final guidance on consent under GDPR (WP259 rev 0.1).
The main changes from the draft guidance are:
- insertion of a new section addressing requests for consent online, where continued use of a site is stated to amount to consent. A29WP says this will be inadequate: 'Controllers must avoid ambiguity and must ensure that the action by which consent is given can be distinguished from other actions. Therefore, merely continuing the ordinary use of a website is not conduct from which one can infer an indication of wishes by the data subject to signify his or her agreement to a proposed processing operation'; and
- deletion of text requiring controllers to offer cost-free services which are not dependent on provision of personal data.
(Art.7(4) GDPR states that, when assessing if consent is freely given, utmost account must be taken of whether provision of a service is made conditional on consent to process personal data that is not necessary for performance of the contract. In the guidance, WP29 notes that a controller may be able to show that consent is freely given if it offers a genuinely equivalent service where provision of personal data is not required. In the draft guidance, WP29 went on to note that this must include providing an equivalent service at no extra cost. This last statement has been deleted, although comments about no cost are contained elsewhere in the guidance - in the context of revocation of consent).
1. Freely given
Imbalance of power? Hard to get valid consent
The data subject must have real choice and not feel compelled to consent or feel that any negative consequences would result from withholding consent. An imbalance of power, such as a public authority's power or an employer/employee relationship, may invalidate consent, although A29WP acknowledges that this may not always be the case. Specifically, the guidelines state that employees can only give free consent in exceptional circumstances and usually, the lawful basis for processing employee data should not be consent.
Mixing consent and access to services: will give you a hangover, don’t do it
Making use of a service conditional on consent being given is not allowed where the relevant processing is not 'necessary for the performance of that contract'. A29WP states that this needs to be interpreted strictly: 'there needs to be a direct and objective link between the processing of the data and the purpose of the execution of the contract'. Addresses for delivery of online shopping, or processing salary information in order to pay an employee's wages, are highlighted as examples where the processing is directly linked to the contract. As A29WP notes, in most cases controllers who satisfy this test will not need to rely on consent in any event, as they can justify the processing on the basis of contractual necessity. The point is therefore most likely to be useful for controllers processing sensitive data, where contractual necessity is not enough to provide a lawful basis for processing. For example, an airline which offers mobility assistance could rely on traveller consent to process disability data: this is necessary to deliver the contracted service.
Paying for services with data? Must have equivalent data-free services
A29WP acknowledges that controllers could make access to a service conditional on consent if the controller also makes available a genuinely equivalent service. Arguments that others in 'the market' offer such services are not sufficient.
Similarly, if the individual chooses to withdraw consent, this must not lead to cost or disadvantage to the individual: if it does, the original consent will not have been valid.
Lots of choice
Where a controller has "conflated several purposes for processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom". To avoid any issues, consent for each specific purpose should be obtained. Examples given include separate consents for an organisation's own marketing and for sharing with group companies for marketing.
A29WP reiterates the need to obtain separate consents for different processing activities. A29WP notes that, for each separate purpose where consent is sought, controllers should provide specific information about the data that will be processed for that purpose.
A29WP suggests a list of minimum information which must be provided for consent to be valid:
- the identity of each controller which will rely on the consent;
- the purpose of each of the processing operations for which consent is sought;
- what (type of) data will be collected and used;
- the existence of the right to withdraw consent;
- information about the use of automated processing techniques which have legal or similarly significant effect; and
- if the consent relates to transfers of data outside the EEA, information about the possible risks of data transfers to third countries.
The wording and format must be easily understandable for the average person (taking into account the average data subject with which the controller will be engaging). Consent must not be hidden amongst other general terms. If consent is obtained through (paper) contractual relationships, a request for consent must be "clearly distinguishable from other matters" so that it stands out and grabs the attention of the data subject. The same is true for electronic means used to obtain consent. Controllers should consider using a layered way of presenting the information where appropriate.
4. Unambiguous & active
Written statements by the individual (e.g. typed instructions) are suggested as the surest way of evidencing this – although A29WP does acknowledge that this is not often realistic.
Alternatives could include recorded oral statements or opt-in tick boxes. Pre-ticked opt-in or unticked opt-out boxes are specifically identified as non-compliant, as is blanket acceptance of general terms and conditions.
There is clearly a risk that, when every controller provides options for individuals to give detailed, specific consent, this will produce "click fatigue". A29WP places responsibility for this back with controllers, noting "GDPR places upon controllers the obligation to develop ways to tackle this issue".
As long as it meets the requirements above, consent does not generally need to be 'explicit'. Explicit consent is only required if it is relied on for processing of special categories of data, data transfers in the absence of adequate safeguards and automated individual decision-making with legal or similarly significant effect.
Here, a written statement is an 'obvious way' to obtain explicit consent. Other options are possible though, e.g. sending an email or uploading a scanned wet-ink signature.
Controllers do not just need to obtain valid consent: they need to be able to demonstrate they have done this.
GDPR does not prescribe how this is done, but A29WP notes that whatever method is used should not lead to excessive amounts of additional data processing (only enough data to evidence the consent and no more than that should be processed).
For consent obtained online, the guidelines suggest retaining information of the session in which consent was obtained, together with 'documentation of the consent workflow at the time of the session' and a copy of the information presented to the individual (presumably a record of the page displayed).
The guidelines recommend refreshing consent at "appropriate intervals" and when doing so, providing all the information again to ensure the consent is still informed.
Withdrawal of Consent
Data subjects must be able to withdraw consent, at any time, as easily as consent was given. In particular, A29WP highlights that the same service-specific user interface should be available, such as using the same website, to both consent and withdraw; consenting via website and having to phone a call-centre to withdraw would not be sufficient.
If consent is withdrawn, this does not affect the lawfulness of processing that took place before such withdrawal. However, the controller must stop processing from that point forward and delete or anonymise the personal data that was processed before.
If the individual withdraws consent and the controller still wants to process the personal data on another lawful basis (for example contractual necessity), A29WP notes that the controller must notify the data subject of this and of the new lawful basis.
Interaction between consent and other lawful grounds in Article 6 GDPR
A29WP suggests that controllers can only rely on one lawful basis to justify their processing of personal data for a particular purpose. If the controller processes personal data for multiple purposes, however, then each purpose could have a separate lawful basis. The guidelines state that once consent is identified as the specific legal basis (which must be communicated to the data subject), the processing cannot then be made lawful by other legal bases through swapping them in as 'back-ups'.
Article 8 GDPR provides that, where a controller offers an information society service to children and relies on consent as the lawful basis for processing, that consent must be obtained from the person holding parental responsibility.
A29WP notes that this provision only applies where the services are 'offered directly to a child': if the controller makes it clear that it only intends to offer services to persons aged 18 or over, then the provision will not apply. As the parental consent rule relates to children between 13 and 16 (depending on member state requirements), A29WP seems to have consigned 16- and 17-year-olds to some kind of teenage limbo.
Member states may choose to lower the age of parental consent below 16. A29WP states that they may also choose to apply their rules on the basis either of controllers with a main establishment in their country or the residence of the child.
A29WP states that controllers must make reasonable efforts to verify that the user is over the age of digital consent, and that "the mechanism chosen to verify the age of a data subject should involve an assessment of the risk of the proposed processing. In some low-risk situations, it may be appropriate to require a new subscriber to a service to disclose their year of birth or to fill out a form stating they are (not) a minor."
A similar approach applies to obtaining parental consent. Where there is little risk involved, a simple email verification system is suggested by A29WP. Once a minor reaches the age of digital consent, any parent-based consent expires.
GDPR contains specific carve-outs for consent in the context of scientific research, where recitals recognise that it can be difficult to fully identify the purposes of processing at the outset, so that individuals could instead give consent to certain areas of scientific research.
A29WP guidance limits the scope of this, stating that it does not displace the requirement for consent to be specific and that, if purposes are unclear, the research programme will likely not comply with GDPR. A29WP also states that scientific research purposes must be "in accordance with relevant sector-related methodological and ethical standards" and that, if individuals withdraw consent to processing, that data must be deleted or anonymised, irrespective of the impact this could have on the research.