Editor's Note:
The Article 29 Working Party published final guidance on consent on April 10, 2018, availablehere.
On Dec. 12, the Article 29 Working Party released for comment a draft of its guidance on consent under the upcoming General Data Protection Regulation. The draft will remain open for public comment until Jan. 23, 2018 (via JUST-ARTICLE29WP-SEC@ec.europa.eu and presidenceg29@cnil.fr).
Consent is one of the six lawful bases for the processing of personal data under the GDPR and one of the permitted derogations by which personal data may be transferred to a third country outside of the European Union, even if that country has not been found by the Commission to provide an “adequate” level of protection.
At the outset, the Working Party emphasizes that while consent is critical to vindicating the rights of data subjects guaranteed in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (CFEU), obtaining consent will not “negate or in any way diminish the controller’s obligations …with regard to fairness, necessity and proportionality, as well as data quality.” Controllers should not view consent, even if obtained in full compliance with the GDPR, as a “free pass” when considering the other obligations imposed by the regulation. As a general rule, consent is a lawful basis for processing only “if a data subject is offered control and … a genuine choice with regard to accepting or declining the terms offered or declining them without detriment.”
The Working Party also cautions controllers that the notion of consent under the GDPR remains tied to consent under the draft ePrivacy Regulation, and that most controllers are “likely to need consent under the ePrivacy instrument for most online marketing messages or marketing calls, and online tracking methods including the use of cookies or apps or other software.”
Under the regulation, consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Further, consent must be a reversible decision where a degree of control remains on the side of the data subject after consent has been obtained.
It's worthwhile to delve into the WP29's interpretation of each of these elements of valid consent:
Freely Given
The Working Party emphasizes that consent must involve “real choice and control for data subjects.” Consent bundled in non-negotiable terms and conditions will be presumed not to have been freely given. If consent cannot be refused or withdrawn without detriment, it is not freely given. The Working Party gives an example case of ineffective consent: a mobile photo-editing app that requires users to activate GPS location services for behavioral advertising purposes to use the app would not qualify as freely given. The Working Party emphasizes that consent to processing of unnecessary personal data “cannot be seen as a mandatory consideration in exchange for performance.” Furthermore, what is “necessary for the performance of a contract” must be “interpreted strictly.” There must be “a direct and objective link” between processing and performance for performance to qualify as a lawful ground.
However, the Working Party states that if performance is satisfied, there is no need for consent, unless the processing deals with the “special categories of data” that are enumerated in Article 9 of the GDPR. If Article 9 special categories are implicated, performance of a contract is not a lawful basis for processing that type of personal information.
The imbalance of power between the data subject and data controller is another key component of whether consent is freely given. This is particularly important when considering public authorities who are data controllers — the Working Party notes that the imbalance of power between a data subject and public authority-controller and the probable lack of alternatives mean that other bases should generally be used by these entities, although consent is not “totally excluded” by the GDPR. The Working Party provides several examples of how a public authority might use consent properly.
The Working Party also warns that the imbalance of power between subject and controller means that “for the majority of … data processing at work, the lawful basis cannot and should not be the consent of the employees” as it is unlikely that employees will feel able to freely respond to a request to process, or able to refuse without detriment. Similar to public authorities, however, employers may rely on consent under some “exceptional circumstances.”
Imbalance of power must be considered in all processing operations relying on consent. As a general rule, consent is not free “in cases where there is any element of compulsion, pressure, or inability to exercise free will.” The Working Party states that “[i]n general terms, any element of inappropriate pressure or influence upon the data subject … which prevents [them] from exercising their free will, shall render the consent invalid.”
Nor should consent be applied with a blanket. If a service involves multiple processing operations or multiple purposes, consent to each must be freely given. Data subjects must be able to choose which purpose(s) to which they consent. According to the Working Party, “[i]f a controller has conflated several purposes for processing and has not attempted to seek consent for each … there is a lack of freedom.”
Specific
Specific consent is designed to “ensure a degree of user control and transparency for the data subject.” Specificity is closely linked to the requirement that consent be informed. The Working Party identifies three components of specificity controllers must apply:
- Purpose specification as a safeguard against function creep.
- Granularity in consent requests.
- Clear separation of information related to obtaining consent for data processing activities from information about other matters.
Controllers that wish to use collected data for new purposes are cautioned that they must obtain new consent from data subjects before doing so. Different purposes for processing require different opt-ins at the consent stage. Each consent must be accompanied by information specific to that request “in order to make data subjects aware of the impact of the different choices they have.”
Informed
The requirement for informed consent is drawn in part from the fundamental principle of transparency found in Article 5. Without accessible information, data subjects cannot make informed decisions, and “user control becomes illusory and consent will be an invalid basis for processing.”
The Working Party identified the following six categories as the minimum information necessary for consent to be informed:
- The controller’s identity.
- The purpose of each of the processing operations for which consent is sought.
- What (type of) data will be collected and used.
- The existence of the right to withdraw consent.
- Information about the use of the data for decisions based solely on automated processing (including profiling).
- If the consent relates to transfers, about the possible risks of data transfers to third countries in the absence of an adequacy decision/appropriate safeguards.
If there are joint controllers, all must be named. Processors need not be named under this requirement, although the Working Party notes that Articles 13 and 14 will likely require controllers to identify them. Additionally, some cases may require additional disclosure “to allow the data subject to genuinely understand the processing operations at hand.”
Valid disclosure can be presented in written, oral, audio or visual form. The Working Party focuses on the heightened requirements of “clarity and accessibility” over specific formatting. Messages must be “easily understandable for the average person” and not “statements full of legal jargon.” Data subjects must be able to clearly identify (1) the controller and (2) the purpose of the processing. The Working Party suggests that the tension between the requirements to provide “complete” as well as “accessible” information can be met by providing information in a “layered and granular” fashion. Controllers must also asses the "targeted audience" of their service — with particular caution concerning minors.
The Working Party emphasizes that the regulation requires consent requests in both paper and electronic contracts to “be clearly distinguishable from other matters.” If an electronic transaction is likely to involve a situation with restricted room for information (such as a small screen) the Working Party suggests that “a layered way of presenting information” may be appropriate.
A final aspect of the Working Party’s guidance on the "informed" element is its recognition that “valid informed consent can exist, even when not all elements of Articles 13 and/or 14 are mentioned in the process of obtaining consent” so long as the disclosures required by other parts of the regulation are made elsewhere by the company.
Unambiguous indication of wishes
The final element of GDPR-compliant consent is that it be a statement or affirmative act from the data subject — meaning an active motion or declaration. The Working Party highlights the difference from the 95 Directive via the additional language requiring “unambiguity” and “clear or affirmative action.” Written (or recorded oral) statements, including electronic statements, may satisfy this, “[w]ithout prejudice to existing (national) contract law.” However, pre-ticked boxes are invalid under the regulation, as is silence, inactivity, “merely proceeding with a service” or general agreement to a contract blanket terms of service.
But what of "electronic means" and settings? First, consent requests should not be “unnecessarily disruptive” to the service to which they apply. An “active affirmative motion” is necessary when a “less infringing or disturbing modus would result in ambiguity.” This may require disruption of the user experience. A physical motion can qualify as compliance within the regulation. The Working Party gives several examples, including: swiping on screen, waving in front of a smart camera, swiping, and turning a phone in a specified direction, so long as “clear information is provided” and “agreement to a specific request” is signified. If a controller chooses this method, withdrawal must be as easy as consent. Simple scrolling, however, is insufficient.
The Working Party recognizes the issue of “consent fatigue” resulting from multiple consent requests on a daily basis, but reminds controllers that they retain the obligation to solve this problem. The Working Party also states that the GDPR clearly implies that consent “must always be obtained before the controller starts processing personal data for which consent is needed.”
Explicit consent
In situations where “serious data protection risks emerge,” explicit consent is required, a different level of consent from what has been outlined above. The Working Party highlights processing of Article 9 “special category” data, transfers to countries or organizations lacking an adequacy decision under Article 40, and automated individual decision-making under Article 22 (including profiling) as applicable circumstances. “Explicit” is differentiated from “regular” consent (confirmed via clear affirmative act) via the means by which it is obtained from the data subject: “Explicit” requires “an express statement.” The Working Party suggests that a written statement (signed by the data subject where appropriate) is one means.
Other means, particularly in the electronic context, include having the data subject: fill in an electronic form; send an email; upload a scanned document with signature; record an oral statement (although controllers are cautioned that this may be difficult), or verifying consent via a two-stage authentication process (such as an email followed by SMS message).
Additional conditions for obtaining valid consent
The Working Party notes that controllers must obtain, maintain and demonstrate valid consent per the requirements laid out in Article 7 of the GDPR.
The duty to demonstrate valid consent is on the data controller, though controllers are free to develop methods to comply with this provision. The Working Party warns against “excessive additional processing” arising from this duty; controllers “should have enough data to show a link to the processing” but be careful of collecting more than necessary. This obligation remains for as long as the processing activity lasts. After processing ends, “proof of consent should be kept no longer than strictly necessary” to comply with legal obligations or to establish, exercise, or defend legal claims.
The Working Party suggests that controllers should retain evidence that consent was obtained, the subject was informed and that the controller’s workflow matched requirements for valid consent. This must be subject-specific — for example, an electronic controller could not “simply refer to a correct configuration of the respective website.” Additionally, the effective duration of a valid consent is contextual — the Working Party explicitly notes that a considerable change or evolution of processing will require a new consent, but also suggests that “as a best practice, consent should be refreshed at appropriate intervals.”
The GDPR also obligates controllers to ensure that consent can be withdrawn as easily as it can be given, at any time, though not necessarily via the same action. However, the Working Party notes that in the electronic context, if consent is obtained via a single action (mouse-click, swipe, keystroke, etc.) or via the interface of a single IoT device, withdrawal should be possible through the same interface. Withdrawal must also be without detriment (meaning without charge or lowering of service).
Failure of a withdrawal mechanism to meet GDPR standards results in the failure of the consent’s validity. In the event of a withdrawal, processing that previously took place remains lawful, but further processing must cease. If the controller wishes to continue processing a subject’s data after withdrawal on another lawful basis, the Working Party suggests that controllers assess the appropriateness of continued processing (even in the absence of an erasure request) and recall their obligation to notify a data subject per Articles 13 and 14. Silently migrating from consent to another lawful basis for processing is not permitted.
Specific areas of concern of the GDPR
The Working Party discusses several areas of enhanced concern under the regulation that are worth looking at one at a time:
Children
An “additional layer of protection” is necessary where personal data of “vulnerable natural persons” is processed. This is not limited to marketing or profiling, but includes the “wider collection of personal data with regard to children,” under the broader umbrella of “information society services.” The GDPR sets a default age of 16 for the validity of consent to the processing of a child’s personal information — below that age, a holder of parental responsibility must provide authorization, though Member States can lower that age to a minimum of 13. However, controllers relying on consent for the processing of children’s information should take note that they still must comply with the earlier-discussed requirements; consent must still be informed, meaning language must be clear and plain for children on how the controller intends to process collected data.
Controllers that make clear their services is offered only to persons aged 18 or over will not be considered offered directly to a child, unless countervailing evidence (e.g. site content or advertising) is offered.
As for how to acquire parental consent, WP29, in absence of an specification in the GDPR, recommends that controllers adopt a “proportionate approach” to establish that “someone is entitled to perform this action.” The Working Party suggests that controllers might obtain “a limited amount of information” such as contact details. The risks inherent in the processing coupled with available technology should dictate the reasonability of the methods used to verify that a child is over the required consent age or that the provider of consent is in fact the child’s guardian. The Working Party suggests a range from verification via email (for low-risk processing) to additional requests of proof for higher risk endeavors — but excessive collection in verification should be avoided. Any authorization obtained via parental consent on behalf of a child data subject will expire when the child reaches the age of digital consent. Consent for ongoing processing must then be obtained from the data subject him or herself.
The Working Party notes, per Recital 38, the exception of preventive or counseling services offered directly to the child from the requirement of parental consent. Furthermore, the Working Party distinguishes GDPR consent requirements from national contract law concerning the validity of contract formation with a child.
Scientific research
The Working Party limits the definition of “scientific research” to “its common meaning” — a “research project set up in accordance with relevant sector-related methodological and ethical standards.” This definition is critical, as the GDPR itself notes the flexibility of specification and granularity where scientific research is concerned. However, Recital 33 suggests that data subjects should “have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.” The Working Party suggests that this means GDPR compliance will be difficult where the purposes of a project are unclear at its outset, unless the project meets the purpose exception in Recital 33.
However, the Working Party cautions that if a project includes the processing of Article 9 special categories, the Recital 33 exception will be interpreted narrowly and require “a high degree of scrutiny.”
Furthermore, in the absence of specific purposes at the outset, controllers must “seek other ways to ensure the essence of consent requirements.” This might include “more general consent terms” or consent to the know stages of a project, followed by additional consents as new stages are developed. The Working Party also notes the obligation of controllers to apply safeguards such as minimization, anonymization, and data security “as appropriate” per Article 89(1) for scientific/historical processing. A research plan specifying questions and methodology envisaged might also help controllers without specific purposes to comply. Scientific or historical research is not exempt from the withdrawal requirements.
Consent obtained under Directive 95/46/EC
Finally, pre-GDPR consent compliant with national law need not be automatically refreshed. The Working Party acknowledges that “consent … obtained to date continues to be valid insofar as it is in line with the conditions laid down in the GDPR.”
However, the Working Party warns controllers that the GDPR raises the bar in practice and requires several alterations to existing consent mechanisms, not simple alterations of privacy policies. The Working Party particularly cautions controllers relying on “presumed consents” that lack references, or consents based on a more “implied form of action” than the “statement or clear affirmative action” now required.