The new legal framework for the processing of personal data (GDPR) will apply as of 25 May 2018. Amongst the changes introduced by the GDPR, the changes to the concept of consent merit careful attention. The concept has undergone some subtle changes, which may have important consequences for the practical organisation of the processing of personal data.
What is meant by “consent”?
Under Directive 95/46/EC (the Directive), the data subject's consent is defined as "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed" (article 2.h of the Directive).
Although the GDPR has retained the legal grounds for the processing of personal data listed in the Directive, consent has now been defined as “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed” (underlined by us).
This definition is the result of long negotiations between the European Parliament, the European Commission and the European Council. Whereas the first two institutions wanted to impose the requirement of explicit consent, the European Council was opposed to this position. A compromise was finally found, but the result is somewhat equivocal.
Consent must be explicit only in the case of processing of special categories of personal data. For the processing of other personal data, consent must be unambiguous, but not necessarily explicit. For the sake of completeness, it should be added that some specific data processing activities also require explicit consent. This is the case for automated individual decision-making and profiling (article 22.2 (c) GDPR) and for the consent-based transfer of personal data outside the EU (article 49.1 (a) GDPR).
The manner in which consent must be given is clarified in the recitals to the GDPR. Consent must be given by a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to personal data relating to him or her being processed, such as by a written (including electronic) or oral statement. Consent may, for instance, be given by ticking a box when visiting a website, by choosing technical settings for information society services, or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence, pre-ticked boxes or inactivity, however, do not constitute consent under the GDPR.
Moreover, if the processing serves several purposes, consent should be given for all of those purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. To assess whether or not consent was freely given, it is of particular importance to know whether the performance of a contract, including the provision of a service, is made conditional on consent even though consent is not necessary for that performance.
Given the importance of consent as a legal ground for the processing of personal data, data controllers should verify to what extent they rely on consent as the legal ground for their processing activities.
Consent as a legal ground for the processing of personal data
For a data processing activity to be legitimate, it must be based on one of the following legal grounds (article 7 of the Directive):
- The data subject has unambiguously given his consent;
- The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- The processing is necessary for compliance with a legal obligation to which the data controller is subject;
- The processing is necessary in order to protect the vital interests of the data subject;
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or in a third party to whom the data are disclosed;
- The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject.
Consequently, consent is one of the legal grounds that render the processing of personal data legitimate. In practice, it is also the legal ground currently favoured by most companies. For instance, if the data controller seeks to conclude an agreement, he can insert in that agreement an additional clause to obtain consent for the processing of personal data. The data controller is frequently in contact with the data subject, which allows him to request that person's consent at the same moment. This explains why data controllers often rely solely on consent as the legal ground for the processing of personal data, rather than on a combination of different legal grounds. This practice is widespread because the Directive does not require the data controller to inform data subjects of the legal grounds he invokes for the processing of personal data.
Even though the GDPR does not prevent the data controller from continuing to use consent as a legal ground for the processing of personal data, it will require the data controller to inform data subjects of the legal grounds he invokes for that processing.
Moreover, the GDPR requires that a data controller who relies on consent as a legal ground is able to demonstrate that the data subject has given consent. The data controller thus bears the burden of proof with regard to the consent itself and to compliance with the conditions the GDPR attaches to consent.
If the data subject's consent is given in the context of a written declaration which also concerns other matters (e.g. general conditions, a policy, …), the regulation further requires that the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
The right to withdraw consent
Another important change introduced by the GDPR makes it easier to exercise the right to withdraw consent in the future. Once the regulation applies, the data subject shall be entitled to withdraw his consent at any time without any justification whatsoever. The withdrawal of consent shall, however, not affect the lawfulness of processing based on consent before its withdrawal. Moreover, the data subject must be informed of the existence of his right to withdraw consent, and he must be able to withdraw his consent as easily as he gave it.
Given the ease with which it will in the future be possible to withdraw consent, it is very likely that consent will be used less frequently as a legal ground for the processing of personal data or, at least, in a much more fine-tuned manner. It would indeed be preferable to use consent only if there is no other legal ground for the processing of personal data, because the other legal grounds for the processing of personal data are not subject to the right to withdraw consent.
Moreover, the data controller's information obligation vis-à-vis the data subject reinforces the need for a more fine-tuned approach to the legal grounds for the processing of personal data in the future. Under the regulation, if the data controller mentions only consent as the legal ground for the processing of personal data, he implicitly waives the possibility of invoking the other legal grounds, even if they could apply. In the event of withdrawal of consent, or of an issue with the consent obtained, the data controller would then be confronted with a situation where he can no longer continue the processing because he lacks a legal ground for it.
In order to prevent the scope of the right to withdraw consent from becoming too broad, and to limit the spill-over effect this might have on other processing, it is recommended to offer the data subject the right to withdraw consent by means of a dashboard, which would allow the data subject to give and withdraw consent in a fine-tuned manner.
Is it necessary to request a new consent for existing data processing activities?
A recurring question from data controllers that have a large number of existing data processing activities based on consent is whether or not a consent that has been validly obtained under the Directive remains valid under the GDPR.
The GDPR does not say anything to that effect and contains no transitional provision in relation to consent. However, the preamble to the GDPR provides some indications, since it states that a data controller will have to request a new consent if the consent given under the Directive does not comply with the requirements of the GDPR. In practice, this implies that each data controller will have to review the quality of the consents he has obtained in the past and implement mechanisms to obtain a new consent where necessary. This review risks being a costly exercise.
The GDPR has thus introduced some major changes to the concept of consent. These relate to the increased participation required from the data subject when giving consent and to the possibility of withdrawing consent at any time. It is this latter change which risks removing the privileged status of consent as a legal ground for the processing of personal data. This is all the more likely given the reinforced information obligation of the data controller, who will in the future have to inform data subjects of the legal grounds he invokes for the processing of personal data.
The data controllers will also have to verify the quality of the consents they have obtained in the past for their existing data processing activities. If these consents fail to meet the standards imposed by the GDPR or if they are not able to demonstrate their compliance with these standards, the data controllers will have to request a new consent of the data subject or seek another legal ground for the processing of personal data.
To comply with these changes, it is prudent to start thinking now about the most practical and cost-effective manner of obtaining such consent. Doing so will help to avoid ending up in a stalemate once the GDPR applies. At the same time, data controllers have every interest in reviewing their privacy policies with a view to including the additional information required by the GDPR and to distinguishing, to the greatest extent possible, between the different legal grounds they invoke for the processing of personal data.