In the run-up to 25 May 2018, the Article 29 Working Party (“WP29”) regularly publishes guidelines on the main concepts of the Privacy Regulation. In this update, Ovidius discusses the guidelines on the (tricky) concept of ‘consent’.
When is consent required?
Under the Privacy Regulation, processing personal data is only permitted if one of the exhaustively listed processing grounds applies. One of these grounds is consent: the data subject gives permission for the processing of his personal data. This seems straightforward, but it is not (always) the case. For processing to be lawful, the consent needs to be ‘valid’.
What constitutes ‘valid’ consent?
The conditions for ‘valid’ consent follow from the definition in article 4(11) of the Privacy Regulation: the consent must be (i) freely given; (ii) specific; (iii) informed and (iv) an unambiguous indication of the data subject’s wishes.
(I) Freely given
The data subject should have a real choice as to whether he wants to give his consent. Under certain circumstances, such a real choice does not exist, for example because there is
Example: an employee will be reluctant to object to filling out an assessment form or to the monitoring of his workplace, out of fear that this will be used against him by his employer. As a rule, an employer therefore cannot rely on consent to legitimise its processing of employees’ personal data.
In addition, consent to processing cannot be bundled with other matters, such as the performance of certain services. This mostly occurs when personal data that is not required for the performance of an agreement is nevertheless processed on the basis of such (hidden) ‘consent’. If a controller wants to process more personal data than is strictly necessary under the agreement, the data subject has to agree to that explicitly and separately. The same goes if personal data is processed for more than one purpose: the data subject then needs to agree to each purpose individually. Moreover, it must be possible to consent to one purpose but not to another. Finally, withdrawing consent must be as easy as giving it.
Example: if consent can be given by ticking a box on a webpage, it is not allowed that such consent can only be withdrawn by sending a registered letter to the foreign parent company.
(II) Specific
Consent does not mean much if the data subject is unaware of what he consents to. Therefore, the data subject must consent to a specifically described purpose.
Example: a user may allow Netflix to generate personal suggestions for new films on Netflix based on his viewing habits. If Netflix then wants to allow third parties to use that data for targeted advertising, new consent is needed.
(III) Informed
The requirement of specificity closely mirrors the information requirement: only informed consent can be valid. The controller has to provide
(IV) Unambiguous declaration
Finally, consent needs to be given unambiguously. That means that as a controller, you cannot simply presume that someone consents to processing just because he has not objected to it.
Example: an electronic form sometimes contains a box by means of which consent can be given for the processing of personal data. If the box is empty and needs to be ticked for consent to be given, this can be considered an unambiguous declaration. If, however, the box is pre-ticked, a data subject may forget or overlook that he needs to untick that box to avoid giving consent. Under the Privacy Regulation, pre-ticked boxes are therefore not allowed.
As a controller, you need to carefully review how consent is currently obtained in your organisation, and whether this meets the (new) requirements of the Privacy Regulation.
Valid consent? Prove it!
It is not sufficient just to have a data subject’s consent. A controller must be able to demonstrate that consent for the processing has been given. This means that consent needs to be
The transition to the Privacy Regulation
The transition to the Privacy Regulation does not necessarily require each data subject to renew his consent for the processing of his personal data. However, this only applies if the consent already obtained is valid under the Privacy Regulation. New consent therefore needs to be obtained if:
- The consent was not recorded by the controller;
- The consent was not unambiguous (for example, because it consisted of not unticking a pre-ticked box);
- The consent for processing was bundled with consent for other purposes.
In short: controllers who rely on the consent of data subjects may have work to do. The attorneys of Ovidius would be happy to advise you on the best approach for your organisation.
Source: WP29 Guidelines on Consent under Regulation 2016/679