The Article 29 Working Party (WP29) published draft Guidelines on Consent on 12 December 2017, providing a thorough analysis of the notion of consent under the GDPR. The guidelines build on the WP29's Opinion on consent in 2011, reflecting the evolution of the concept of consent since that time and the higher standards required by the GDPR.
Article 4(11) of the GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
The guidelines analyse the extent to which each of these elements requires controllers to change their consent requests/forms.
For consent to be valid, data subjects must have a real choice. The GDPR takes into account the notion of imbalance of power between the controller and the data subject, and this is examined further in the context of public authorities and employment relationships. Although it is unlikely that public authorities can rely on consent for processing due to the likely imbalance of power, the guidelines set out some examples where consent may nevertheless be appropriate (for example, signing up to an email to receive updates on council maintenance works). In an employment context, WP29 considers that employees can only give free consent in 'exceptional circumstances', when there can be no fear of adverse consequences.
If consent is bundled up as a non-negotiable part of terms and conditions, there will be a presumption that it will not have been given freely. For example, if users of a mobile app for photo editing cannot use the app without providing consent to GPS localisation and online behavioural advertising (neither of which are necessary for the photo editing service), then consent will not be considered to be freely given. The purpose of Article 7(4) of GDPR is to ensure that processing for which consent is sought cannot become (directly or indirectly) the counter-performance of a contract. The guidelines emphasise that the two lawful bases for processing, namely consent and contract, cannot be merged and blurred. If a controller seeks to process personal data that are in fact necessary for the performance of a contract, that is likely to be the correct legal basis for processing, not consent.
The guidelines provide that in order to obtain 'specific' consent, a controller must:
For consent to be informed, the data subject must be provided with certain information prior to obtaining consent. The WP29 guidance sets out the minimum information it considers is required for obtaining valid consent as follows: (i) the controller’s identity; (ii) the purpose of each of the processing operations for which consent is sought; (iii) the type of data to be collected and used; (iv) the existence of the right to withdraw consent; (v) information about the use of the data for decisions based solely on automated processing, including profiling; and (vi) if the consent relates to transfers, the possible risks of data transfers to third countries in the absence of an adequacy decision and appropriate safeguards.
The guidelines also consider how the information should be provided. Clear and plain language should be used in all cases, understandable for the 'average person'. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, not hidden in general terms and conditions. A controller must also assess its audience, for example, making information understandable for minors, if applicable.
A "clear affirmative action" involves the data subject taking a deliberate action to consent to the particular processing. Silence or inactivity cannot be regarded as an active indication of consent and the use of pre-ticked opt-in boxes is invalid under the GDPR. Nor can consent be obtained through the same action as agreeing to a contract or accepting general terms and conditions of a service.
The guidelines examine what actions through electronic means may qualify as a clear affirmative action. Examples include swiping on a screen and turning a smartphone clockwise or in a figure of eight. Scrolling down or swiping through terms and conditions which include declarations of consent will not satisfy the requirement of a clear and affirmative action, however.
In a digital context, the WP29 discusses the issue of 'click fatigue' and the possibility of obtaining the consent of users via their browser settings. The guidelines provide that such settings should be developed in line with the conditions for valid consent, so, for example, consent will still need to be granular for each purpose envisaged and the name of the controller will need to be provided.
The guidelines clarify what extra efforts a controller should undertake in order to obtain the 'explicit' consent of a data subject in certain situations required by the GDPR (for example, for the processing of special categories of data and for automated individual decision-making, including profiling). An express statement of consent is required, which may take the traditional form of a signed written statement. In a digital or online context, the requirement will also be satisfied by the completion of an electronic form, an email or uploading a scanned (signed) document. Although oral statements may suffice in theory, it may be difficult to prove valid explicit consent without a recorded statement.
Demonstrating consent: Article 7(1) of the GDPR sets out an explicit obligation on the controller to demonstrate consent: WP29 considers that controllers are free to develop their own methods to comply with this provision. The guidelines also point out that there is no specific time limit for how long consent will last but the WP29 recommends as best practice that consent should be refreshed at appropriate intervals.
Withdrawal of consent: Article 7(3) of the GDPR prescribes that a controller must ensure that consent can be withdrawn as easily as it is given at any time. This means that, when consent has been obtained via electronic means through, for example, a mouse-click or keystroke, data subjects must be able to withdraw that consent just as easily.
The guidelines also examine a number of specific areas of concern in the GDPR, namely children's consent and scientific research. A set of 'frequently asked questions' will be added following the public consultation on the guidance which runs until 23 January 2018.
The ICO published its draft guidance on consent under the GDPR in March 2017 (see our previous update) and has been awaiting the WP29 guidance before producing its own final guidance. We will report on further developments on both sets of guidance in upcoming bulletins.
In the meantime, the WP29 encourages controllers to review current work processes and records in detail, before 25 May 2018, to be sure that existing consents meet the GDPR standard. As well as rewriting privacy policies, consent mechanisms may need to be altered. If existing procedures for obtaining and managing consent do not meet the GDPR standard, controllers will need to obtain fresh GDPR-compliant consent or assess whether the processing may be based on a different lawful basis. Otherwise the processing activities must be stopped.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at December 2017. Specific advice should be sought for specific cases. For more information see our terms & conditions.