The General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC effective May 25, 2018. The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations.
Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.
With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few, the GDPR requires companies handling EU citizens’ data to undertake major operational reform.
This is the third in a series of articles addressing the top 10 operational impacts of the GDPR. Find Parts 1 and 2 here.
GDPR enhances requirements for obtaining data subject consent
Consent remains a lawful basis to transfer personal data under the GDPR; however, the definition of consent is significantly restricted. Where Directive 95/46/EC allowed controllers to rely on implicit and “opt-out” consent in some circumstances, the GDPR requires the data subject to signal agreement by “a statement or a clear affirmative action.” The new law maintains the distinct requirements for processing “special categories of personal data” that were present in the Directive, but it expands the range of what is included in those special categories. Finally, the GDPR introduces restrictions on the ability of children to consent to data processing without parental authorization. This article addresses each of these GDPR consent provisions in turn.
GDPR mandates affirmative consent for data processing
Under the GDPR, consent must be “freely given, specific, informed and unambiguous.” There was uncertainty leading up to this final draft whether the EU would settle on “unambiguous” consent as required by the Directive, or the higher standard of “explicit” consent. The final draft has staked out a middle position, on the one hand opting for unambiguous consent, while on the other hand requiring such consent to be expressed “by a statement or by a clear affirmative action.” Recital 32 clarifies that an affirmative action signaling consent may include ticking a box on a website, “choosing technical settings for information society services,” or “another statement or conduct” that clearly indicates assent to the processing. “Silence, pre-ticked boxes or inactivity,” however, are presumed inadequate to confer consent.
The GDPR, therefore, creates additional hurdles for consent over what was required by the Directive. As interpreted by the Article 29 Working Party’s Opinion 15/2011 on the definition of consent, the Directive required the controller to provide “accurate and full information on all relevant issues,” including the nature of the data that will be processed, the purposes of processing, the identity of the controller, and the identity of any other recipients of the data. Consent had to be specific to the processing operations and the controller could not request open-ended or blanket consent to cover future processing. Significantly, while consent could be satisfied by an express statement, it also could be inferred from an action or inaction in circumstances where the action or inaction clearly signified consent. Thus, the Directive left open the possibility of “opt-out” consent.
The GDPR removes that possibility by requiring the data subject to make a statement or clear affirmative action. In particular, the GDPR includes three additional requirements:
First, Article 7(3) of the GDPR gives data subjects the right to withdraw consent at any time and “it shall be as easy to withdraw consent as to give it.” Controllers must inform data subjects of the right to withdraw before consent is given. Once consent is withdrawn, data subjects have the right to have their personal data erased and no longer used for processing.
Second, in Recital 43, the GDPR adds a presumption that consent is not freely given if there is “a clear imbalance between the data subject and the controller, in particular where the controller is a public authority.” Importantly, a controller may not make a service conditional upon consent, unless the processing is necessary for the service.
Third, the GDPR adds that consent must be specific to each data processing operation. To meet the specificity requirement under Article 7, a request for consent to data processing must be “clearly distinguishable” from any other matters in a written document, and it must be provided “in an intelligible and easily accessible form, using clear and plain language.” However, the law exempts controllers from obtaining consent for subsequent processing operations if the operations are “compatible.” Recital 50 states that compatibility is determined by looking at factors including the link between the processing purposes, the reasonable expectations of the data subject, the nature and consequences of further processing, and the existence of appropriate safeguards for the data.
Under Article 5(1)(b), additional processing for archiving in the public interest (as defined by the member state), statistical purposes or scientific and historical research generally will be considered compatible, and, therefore, exempt from specific consent. This exception potentially is quite broad. Where it applies, under Article 89, controllers will not have to erase or rectify data after the data subject has withdrawn consent. It also impacts restrictions on processing, data portability and the data subject’s rights to object to and to be notified of processing operations. (The broader contours of this exception will be further discussed in a forthcoming article on the rules for research in the GDPR.)
Whenever a controller relies on consent as a basis for processing, under Article 7(1), the controller bears the burden of demonstrating that consent was obtained lawfully according to the principles above.
GDPR requires explicit consent for special categories of personal data
GDPR Article 9 requires a higher level of consent – “explicit” consent – for the processing of “special categories of personal data.” These special categories relate to personal data that are “particularly sensitive in relation to fundamental rights and freedoms” and, therefore, “deserve specific protection.” They include data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.”
The standard for explicit consent likely remains the same as under Directive 95/46/EC, which also required controllers to obtain explicit consent for processing special categories of personal data. Under the Directive, the Article 29 Working Party defined explicit consent as “all situations where individuals are presented with a proposal to agree or disagree to a particular use or disclosure of their personal information and they respond actively to the question, orally or in writing.” Thus, a user’s conduct or choice of browser settings probably will not be sufficient to meet this high bar. The GDPR also allows member states to enact laws that restrict the processing of some categories of data even if the data subject explicitly consents.
The only distinction between the Directive and the GDPR on this issue is that the GDPR expands the definition of sensitive data to include genetic data, biometric data, and data concerning sexual orientation. Genetic data is defined, under Article 4, as “personal data relating to the inherited or acquired genetic characteristics of natural persons which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.” Biometric data is personal data that identifies an individual based on the “specific technical processing” of the individual’s physical or behavioral characteristics. Recital 51 notes that photographs will qualify as biometric data only when they are processed “through a specific technical means allowing the unique identification or authentication of a natural person.”
GDPR requires parental consent for processing children’s personal data
In Article 8, the GDPR introduces specific protections for children by limiting their ability to consent to data processing without parental authorization. Previous drafts of the regulation set the age of consent at 13 years old, which would have been consistent with the age of consent set by COPPA in the U.S. However, a last-minute proposal aimed to raise the age of consent to 16 years old. After the last round of trilogue negotiations, the final draft opted for the age of consent to be set at 16 years, but it allows member states to set a lower age not below 13 years. Thus, unless otherwise provided by member state law, controllers must obtain the consent of a parent or guardian when processing the personal data of a child under the age of 16. They also must make “reasonable efforts” to verify that a parent or guardian has provided the appropriate consent. Differing rules on the age of consent in EU member states, as well as between the EU standard and the COPPA age 13 rule applicable in the U.S., could create significant challenges for companies that offer international services. It is unclear whether member states will act together on this issue. At this time, at least one member state, the UK, has vowed to lower its age of consent to 13.
Consent features in a variety of other sections of the regulation. For example, under the right to erasure, in Article 17, the data subject has the right to have the controller erase her data if she withdraws consent and the processing had been based on her consent. Under Article 18, where the data subject exercises her right to restrict data processing, the controller may only continue to process the data if it obtains the data subject’s consent or if processing is necessary for a legal claim. Article 20 grants the data subject the right to receive all the personal data about her in the controller’s possession where the processing is based on her consent. In these circumstances, the required level of consent is “unambiguous” consent.
The GDPR requires the data subject’s explicit consent in two other circumstances. Under Article 22, controllers need to obtain explicit consent to make decisions about the data subject “based solely on automated processing, including profiling.” Controllers also must seek explicit consent, under Article 49, to authorize transfers of personal data to countries that do not provide an adequate level of protection, if no other transfer mechanism is in place.
The GDPR provides for two different levels of administrative penalties. Some violations are subject to fines up to 10,000,000 EUR or up to two percent of global annual turnover, while for other violations, those maximums are doubled to 20,000,000 EUR or four percent of global turnover. Violations of the rules around consent generally subject controllers to the higher level of fines, but violations of the rules concerning age of consent are subject to the lower level of penalties.
Looking to dive deeper into the General Data Protection Regulation to read the text regarding consent for yourself? Find the full text of the Regulation here in our Resource Center.
You’ll want to focus on these portions:
(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
(38) Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.
(42) Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
(50) The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations.
(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. … Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.
(171) Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force. Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation. Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC remain in force until amended, replaced or repealed.
Article 4: Definitions
(8) the data subject’s consent
Article 6: Lawfulness of processing
Article 7: Conditions for consent
Article 8: Conditions applicable to child’s consent in relation to information society services
Article 9: Processing of special categories of personal data
Article 14: Information to be provided where the data are collected from the data subject
Article 17: Right to erasure (“right to be forgotten”)