The concept of consent as included in the EU General Data Protection Regulation seems to have stumped many organizations. They seem to be under the mistaken impression that they are no longer allowed to process personal data without asking consent for everything they do. Recently, the Greek Data Protection Authority issued a 150,000 euro fine against PricewaterhouseCoopers for the wrongful use of consent as a legal basis for processing its employees’ personal data.
Under the GDPR, consent should be freely given, specific, informed and unambiguous. Failure to meet any of these four criteria invalidates the consent and therefore the processing based on it. Additionally, the consent must be demonstrable, and someone must be able to revoke their consent at any time in a way that is as simple as it was to provide it.
What happened in Greece?
PWC asked its employees for permission to process their personal data when it should have used a different legal basis (a combination of contract, legal obligations and legitimate interest). This means that the processing of data was unlawful. By choosing the incorrect legal basis for processing, the DPA argued, PWC also failed to inform its employees correctly and misrepresented the ability of employees to withdraw their consent. Additionally, having wrongfully chosen consent as the basis for processing meant that PWC could not meet its accountability requirements.
Furthermore, the Greek DPA noted that consent can rarely be used in the employee-employer relationship, as the imbalance of power in the relationship means that this consent cannot be seen as "freely given."
This concept of "unequal relationship" in relation to consent was also taken into account by the Swedish DPA, when it recently fined a high school for using facial recognition to take student attendance. Although the school had asked for the students' consent in relation to the pilot, the Swedish DPA indicated that this consent was invalid, as the students were in a dependent relationship with the school and their consent could not be labelled freely given.
Common misconceptions
PWC is not the only organization grappling with the GDPR's concept of consent. Organizations are asking for consent for all their processing, when in reality the processing is based on contractual relationships or legitimate interest. As demonstrated by the recent fine, this could land you in a world of trouble with the DPAs and leave you facing enforcement action.
Consent as a legal basis versus consent as an additional requirement
Additionally, organizations seem to struggle with the difference between consent as a legal basis for processing (Article 6) and consent as an additional requirement for lawfulness. Examples of the latter are the additional explicit consent for processing special categories of data, and consent that is a requirement stemming from national law, as is the case in the Netherlands when municipality workers conduct house visits and need consent to justify entry into the home.
Demonstrable consent
Demonstrating consent has also proven a difficult topic. Demonstrable does not equate to written, despite claims to the contrary. Depending on the situation, consent can also be provided orally. You do have to take note of the consent provided, for example by processing the consent in your systems, taking care to add enough information to prove consent but not more than necessary. Be sure to check whether there are any obligations in national law requiring that the consent be provided in a certain format.
Revoking consent
Organizations occasionally claim that an opt-out and revocation of consent are the same thing, but this is not entirely accurate: revocation of consent depends on consent having been provided previously, while an opt-out does not. You are able to opt out of services that are provided to you based on legitimate interest rather than consent. For example, after you buy a product, the vendor starts sending you marketing emails about related products. Though you never consented to this, you are given the option to opt out of receiving the emails (in this example, usually through an "unsubscribe" button in the email).
Now what?
Consent is not by any means a magic wand that can be used to process personal data. It is in fact more of a last resort — the legal basis you rely on only when you have no other choice. Ensuring adequate consent management within organizations can be complicated and when done incorrectly can lead not only to enforcement action, but also to unhappy citizens, customers or clients.
Consent should always be obtained in combination with compliance with all the other principles contained in Article 5 of the GDPR. It is wise to determine exactly which processing operations within your organization are based on consent, how you facilitate the withdrawal of this consent for those involved and what consequences the potential withdrawal entails for your organization.