Chapter 8: Consent – Unlocking the EU General Data Protection Regulation

Why does this topic matter to organisations?

Processing of personal data is lawful only if, and to the extent that, it is permitted under EU data protection law. Each and every data processing activity requires a legal basis (see Chapter 7). Consent provides a legal basis (subject to the requirements of EU data protection law regarding the nature of such consent). Other legal bases for processing are set out in Chapter 7. Without a legal basis, the processing of personal data is unlawful, and runs the risk of incurring substantial fines (see Chapter 16).

What types of organisations are most affected?

This topic is of particular relevance to organisations that rely on the consent of data subjects as a legal basis for any of their processing activities. Organisations that do not rely on consent are not directly affected by the requirements set out in this Chapter.

What should organisations do to comply?

Organisations that act as controllers need to ensure that they have a legal basis for all of their data processing activities (see Chapter 7). To the extent that any organisation relies on consent as the legal basis for any of its processing activities, it should review any consent mechanisms it has in place, to ensure that:

  • data subjects are provided with a clear explanation of the processing to which they are consenting;
  • the consent mechanism is genuinely of a voluntary and "opt-in" nature;
  • data subjects are permitted to withdraw their consent easily;
  • the organisation does not rely on silence or inactivity to collect consent (e.g., pre-ticked boxes do not constitute valid consent); and
  • wherever the organisation relies on the consent of EU employees as a legal basis for processing personal data, the organisation should consider whether such consent is really freely given.

Icons to convey information quickly

The following icons are used in the table to clarify the impact of each change:

Under the GDPR, the position on this issue has materially changed (e.g., the GDPR has introduced a new obligation that did not previously exist).

Under the GDPR, the position on this issue has not materially changed (e.g., although the wording may be different in the GDPR, the nature of the relevant obligation is unchanged).

The impact of the GDPR on this issue is likely positive for most organisations (e.g., because the GDPR provides certainty in relation to a previously unclear issue).

The impact of the GDPR on this issue is likely neutral for most organisations (e.g., because the requirements under the GDPR and the Directive are essentially the same).

The impact of the GDPR on this issue is likely negative for most organisations (e.g., because the GDPR introduced a new obligation on organisations).

The impact of the GDPR on this issue is unknown at this stage (e.g., because the impact on organisations is dependent upon secondary guidance that has not yet been written).

Issue | The Directive | The GDPR | Impact

The need for consent

All processing of personal data requires a legal basis (see Chapter 7). Consent provides one such legal basis.

The Directive: Rec.30; Art.7(a)

In order for the processing of personal data to be lawful, the controller required either the consent of the data subject or another legal basis.

The GDPR: Rec.40; Art.6(1); WP29 Guidelines on Consent under Regulation 2016/679 (wp259)

In order for the processing of personal data to be lawful, the controller requires either the consent of the data subject or another legal basis.

Impact: The GDPR does not materially change the principle that consent may provide a legal basis for data processing activities. However, as set out below, the GDPR makes it significantly more difficult for organisations to obtain valid consent.

Nature of valid consent

The consent of the data subject provides a legal basis for the processing of that data subject's personal data. However, such consent must meet certain requirements in order to be deemed sufficient for the purposes of EU data protection law.

The Directive: Art.2(h), 7(a)

"Consent" was defined under the Directive as any freely given, specific and informed indication of the data subject's wishes by which the data subject signifies agreement to the processing of his or her personal data. Such consent provided a legal basis for the processing of personal data provided that it was "unambiguous".

The GDPR: Rec.32; Art.4(11), 6(1)(a), 7

"Consent" means any freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of his or her personal data. Consent must be given by a statement or a clear affirmative action.

Impact: The Directive only stated that the data subject must "signify" consent. The GDPR makes it clear that consent requires a clear affirmative action by the data subject. This may make it harder for some organisations to obtain valid consent than was the case under the Directive.

Consent must be "freely given"

Consent must reflect the data subject's genuine and free choice. If there is any element of compulsion, or undue pressure put upon the data subject, consent will not be valid.

The Directive: N/A

Although the Directive stated that consent must be freely given (see Art.2(h) considered above), it did not clarify the meaning of this phrase.

The GDPR: Rec.32, 43; Art.7(4)

Consent will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detriment.

Where there is a "clear imbalance" between the controller and the data subject (e.g., between an employer and an employee), consent is presumed not to have been freely given.

When assessing whether consent is freely given, utmost account must be taken of whether the performance of a contract is made conditional on the data subject consenting to processing activities that are not necessary for the performance of that contract.

Impact: The Directive provided almost no guidance on the meaning of the phrase "freely given". Guidance from the WP29 (particularly in Opinion 15/2011 and the Guidelines on Consent under Regulation 2016/679 (wp259)) clarified many of these issues, but it is important to note that the WP29's guidance, while important, is not legally binding. The GDPR makes it significantly harder for organisations to demonstrate that the data subject's consent has been freely given. In particular:

  • organisations must ensure that data subjects have a genuine choice;
  • organisations should consider whether to rely on consent as a legal basis for processing the personal data of their own employees; and
  • wherever possible, organisations should avoid making the performance of a contract conditional upon the data subject's consent to the processing of personal data.

Consent must be "specific"

Blanket consent that does not specify the exact purpose of the processing is not valid consent.

The Directive: Art.2(h)

"Consent" had to be specific. The Directive did not explain this term further.

The GDPR: Rec.32; Art.6(1)(a)

"Consent" must be specific. The GDPR does not explain this term further.

Impact: The WP29 has clarified (in Opinion 15/2011) that, in order to be specific, consent must be intelligible. The controller must clearly and precisely explain the scope and the consequences of the data processing. Consent cannot apply to an open-ended set of processing activities; it must be limited to a specific context. This requirement did not materially change as a result of the introduction of the GDPR and this approach is also supported by guidance from the WP29 (in particular, the Guidelines on Consent under Regulation 2016/679 (wp259)).

Consent must be "informed"

In order for consent to be valid, data subjects must be provided with sufficient information to enable them to understand what they are consenting to.

The Directive: Rec.25; Art.2(h)

Consent had to be "informed". The Directive did not explain this term further.

The GDPR: Rec.32, 42; Art.4(11), 7(1)

Consent must be "informed". In order for consent to be informed:

  • the nature of the processing should be explained in an intelligible and easily accessible form, using clear and plain language which does not contain unfair terms; and
  • the data subject should be aware at least of the identity of the controller and the purposes for which the personal data will be processed.

Impact: The GDPR requires organisations to take significant extra steps in order to ensure that data subjects are properly informed of the purposes for which their personal data will be used. If this information is not provided in line with these requirements, any "consent" obtained may not be valid. Guidance from the WP29 (in particular, the Guidelines on Consent under Regulation 2016/679 (wp259)) elaborates on the meaning of "informed" and provides a list of the elements which must be present for consent to be considered "informed".

Method of obtaining consent

EU data protection law does not specify the method by which consent should be obtained. An organisation may use any appropriate mechanism to obtain consent.

The Directive: N/A

The Directive did not provide details on the methods that could be used to obtain valid consent.

The GDPR: Rec.32

Consent must take the form of an affirmative action or statement. Consent can be provided by any appropriate method enabling a freely given, specific and informed indication of the data subject's wishes. For example, depending on the circumstances, valid consent could be provided verbally, in writing, by ticking a box on a web page, by choosing technical settings in an app, or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data.

Impact: The GDPR specifically recognises the validity of a number of commonly used methods of collecting consent, and affirms the principle that any appropriate method can be used. Organisations should give careful thought to ensuring that their consent mechanisms are appropriate to the nature of the consent being sought.

Silence is not consent

Acquiescence is not the same thing as consent. The fact that a data subject says nothing when given the opportunity to object, or fails to opt-out or unsubscribe, will not amount to valid consent.

The Directive: N/A

The Directive did not explicitly make the point that silence cannot be consent.

The GDPR: Rec.32

Silence, pre-ticked boxes, inactivity, failure to opt-out, or passive acquiescence do not constitute valid consent.

Impact: The Directive did not specifically state that silence and inactivity cannot amount to consent. Subsequent guidance from the WP29 (particularly in Opinion 15/2011) clarified this point. To the extent that there had been any doubt, the GDPR makes the point extremely clear. This is also reflected in the WP29 Guidelines on Consent under Regulation 2016/679 (wp259). Organisations should ensure that they do not rely on silence or inactivity as consent.

Consent must be distinguishable from other matters

A data subject's consent to the processing of his or her personal data should not be tied to other matters.

The Directive: N/A

The Directive did not explicitly discuss the need to separate consent from other matters.

The GDPR: Art.7(2)

If consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. If the data subject is asked to consent to something that is inconsistent with the requirements of the GDPR, that consent will not be binding.

Impact: The Directive did not specifically address the requirement to separate consent from other matters. Subsequent guidance from the WP29 (particularly in Opinion 15/2011) clarified this point. To the extent that there had been any doubt, the GDPR makes the point extremely clear, emphasising its importance by stating that consent language that is inconsistent with the requirements of the GDPR is non-binding. Organisations should ensure that consent to the processing of personal data is always clearly distinguished from other matters (e.g., consent is not wrapped up as part of a wider set of terms and conditions). The need for consent to be separate from other matters and not "bundled" with terms and conditions is emphasised in the WP29 Guidelines on Consent under Regulation 2016/679 (wp259).

The controller must be able to demonstrate consent

There is clearly potential for disagreements as to whether or not a data subject actually consented to the processing of his or her personal data.

The Directive: N/A

The Directive did not directly address the obligation of controllers to maintain evidence of consent obtained from data subjects.

The GDPR: Rec.42; Art.7(1)

Where any processing activity is performed on the basis of consent, the controller must be able to demonstrate that it has obtained valid consent from the affected data subjects.

Impact: Although it has always been advisable for controllers to retain evidence of consent, the Directive did not specifically require controllers to do so. The GDPR places the burden of proof squarely on the controller, which may result in increased costs and administrative burdens for some organisations. The WP29 Guidelines on Consent under Regulation 2016/679 (wp259) clarify this requirement and emphasise that being able to demonstrate consent should not lead to excessive amounts of additional processing.

Right of data subjects to withdraw consent

Consent, by its nature, must be capable of being withdrawn. If the controller does not permit the data subject to withdraw consent then it is unlikely that the consent is valid. However, the right of data subjects to withdraw consent is not retrospective (i.e., data subjects cannot withdraw consent to processing that has already happened).

The Directive: N/A

The Directive did not specifically address the issue of withdrawal of consent.

The GDPR: Rec.42, 65; Art.7(3)

Data subjects have the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject must be informed of the right to withdraw consent. It must be as easy to withdraw consent as to give it.

Impact: Although the Directive did not expressly state that there is a right to withdraw consent, this right was implied from the nature of consent, and has generally been enforced by DPAs. The GDPR formalises this right, but also obliges organisations to make it easy for individuals to withdraw consent, which may require businesses to create new systems and procedures to satisfy this requirement. The WP29 Guidelines on Consent under Regulation 2016/679 (wp259) clarify this requirement and emphasise that once consent is withdrawn, organisations cannot silently migrate to another legal basis to continue processing the relevant personal data. It is also stressed that withdrawal of consent should be without detriment to the individual.

Consent can provide a lawful data transfer mechanism

If the data subject has consented to the transfer of his or her personal data to a jurisdiction outside the EEA, that consent provides a lawful data transfer mechanism (see Chapter 13).

The Directive: Rec.58

Cross-Border Data Transfers could lawfully be made on the basis of the data subject's consent.

The GDPR: Rec.111; Art.49(1)(a), (3)

In the absence of other safeguards, transfers may take place if the data subject has explicitly consented to the transfer, having previously been informed of its possible risks. This does not apply to public authorities in the exercise of their powers.

Impact: The GDPR does not materially change the principle that consent may provide a lawful data transfer mechanism, but it explicitly names it as a legal basis for Cross-Border Data Transfers.

Impact of the GDPR on existing consent

The GDPR imposes new requirements in relation to consent. Any existing consents that are valid under the Directive, but do not satisfy the requirements of the GDPR, will have to be re-obtained.

The Directive: N/A

The Directive did not address this issue.

The GDPR: Rec.171

Where an organisation has already collected consent from data subjects (prior to the GDPR Effective Date) it is not necessary to collect that consent a second time in consequence of the GDPR, provided that the initial consent was compliant with the requirements of the GDPR.

Impact: In some cases, organisations may be able to rely on consents collected under the Directive. However, in many cases, historic consents will not be compliant with the requirements of the GDPR, and in such cases it will be necessary to collect fresh consents. For some organisations, this will be an onerous task.

Commentary: Consent must be "informed"

The requirement that consent must be 'informed' is intended to ensure that data subjects understand the risks associated with the processing of their personal data. The information to be provided to data subjects should include:

  • the identity of the controller (and, where appropriate, its representative—see Chapter 10);
  • the type of data being collected and processed;
  • the purposes for which the data will be processed;
  • any further information that is necessary to enable the data subject to understand the processing to which they are being asked to consent (e.g., the third parties with whom the data may be shared and any use of the data for automated decision-making purposes);
  • the existence of the right of access to, and the right to rectify, personal data;
  • the existence of the right to object to processing and the right to be forgotten; and
  • the existence of the right to withdraw consent.

Commentary: "Clear affirmative action"

Under the GDPR, consent must be provided in the form of a clear, affirmative action of the data subject. The first point to make is that consent generally cannot be obtained from a third party (i.e., one individual cannot normally consent to the processing of another individual's data), although there are some minor exceptions (particularly in the case of parents providing consent in relation to their children).

Second, the consent itself must be something that the data subject has said or done to indicate that they agree to the processing of their personal data. This agreement can take any appropriate form (e.g., a signature, a tick-box, a verbal consent, etc.), but it must be affirmative in nature—mere silence, passive acquiescence or failure to opt-out does not constitute valid consent under the GDPR.

Commentary: Withdrawal or refusal of consent

Data subjects have the right to refuse to consent, and the right to withdraw any consent they have given. Following any such refusal or withdrawal of consent, organisations should be wary of proceeding with the proposed data processing activity. If, following withdrawal of consent, the organisation continues to process the data subject's personal data in reliance on another legal basis (see Chapter 7) then that further processing may call into question the validity of the consent (and any similar consent provided by other data subjects).

Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 – 2019 White & Case LLP
