
Chapter 8: Consent – Unlocking the EU General Data Protection Regulation


Overview

Why does this topic matter to organisations?

Processing of personal data is lawful only if, and to the extent that, it is permitted under EU data protection law. Each and every data processing activity requires a lawful basis (see Chapter 7). Consent provides a lawful basis (subject to the requirements of EU data protection law regarding the nature of such consent). Other lawful bases for processing are set out in Chapter 7. Without a lawful basis, the processing of personal data is unlawful, and runs the risk of incurring substantial fines (see Chapter 16).

What types of organisations are most affected?

This topic is of particular relevance to organisations that rely on the consent of data subjects as a lawful basis for any of their processing activities. Organisations that do not rely on consent are not directly affected by the requirements set out in this Chapter.

What should organisations do to prepare?

Organisations that act as controllers need to ensure that they have a lawful basis for all of their data processing activities (see Chapter 7). To the extent that any organisation relies on consent as the lawful basis for any of its processing activities, it should review any consent mechanisms it has in place, to ensure that:

  • data subjects are provided with a clear explanation of the processing to which they are consenting;
  • the consent mechanism is genuinely of a voluntary and "opt-in" nature;
  • data subjects are permitted to withdraw their consent easily;
  • the organisation does not rely on silence or inactivity to collect consent (e.g., pre-ticked boxes do not constitute valid consent); and
  • wherever the organisation relies on the consent of EU employees as a lawful basis for processing personal data, it has considered whether such consent is really freely given.

The impact of each GDPR change on organisations is marked below as positive, neutral or negative.

Detailed analysis

Each issue is set out below under six headings: the issue; the position under the Directive (with references); whether the GDPR materially changes that position; the position under the GDPR (with references); the impact of the change for organisations (positive, neutral or negative); and commentary.

The need for consent

All processing of personal data requires a lawful basis (see Chapter 7). Consent provides one such lawful basis.

The Directive (Rec.30; Art.7(a)): In order for the processing of personal data to be lawful, the controller requires either the consent of the data subject or another lawful basis.

Change: does not materially change.

The GDPR (Rec.40; Art.6(1)): In order for the processing of personal data to be lawful, the controller requires either the consent of the data subject or another lawful basis.

Impact: neutral.

Commentary: The GDPR makes no material change to the principle that consent may provide a lawful basis for data processing activities. However, as set out below, the GDPR makes it significantly more difficult for organisations to obtain valid consent.

Nature of valid consent

The consent of the data subject provides a lawful basis for the processing of that data subject's personal data. However, such consent must meet certain requirements in order to be deemed sufficient for the purposes of EU data protection law.

The Directive (Art.2(h), 7(a)): "Consent" means any freely given specific and informed indication of the data subject's wishes by which the data subject signifies agreement to the processing of his or her personal data. Such consent provides a lawful basis for the processing of personal data provided that it is "unambiguous".

Change: materially changes.

The GDPR (Rec.32; Art.4(11), 6(1)(a), 7): "Consent" means any freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of his or her personal data. Consent must be given by a statement or a clear affirmative action.

Impact: negative.

Commentary: The Directive only states that the data subject must "signify" consent. The GDPR makes it clear that consent requires a clear affirmative action by the data subject. This may make it harder for some organisations to obtain valid consent.

Consent must be "freely given"

Consent must reflect the data subject's genuine and free choice. If there is any element of compulsion, or undue pressure put upon the data subject, consent will not be valid.

The Directive: Although the Directive states that consent must be freely given (see Art.2(h) considered above), it does not clarify the meaning of this phrase.

Change: materially changes.

The GDPR (Rec.32, 43; Art.7(4)): Consent will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detriment.

Where there is a "clear imbalance" between the controller and the data subject (e.g., between an employer and an employee), consent is presumed not to have been freely given.

When assessing whether consent is freely given, utmost account must be taken of whether the performance of a contract is made conditional on the data subject consenting to processing activities that are not necessary for the performance of that contract.

Impact: negative.

Commentary: The Directive provides almost no guidance on the meaning of the phrase "freely given". Subsequent guidance from the WP29 (particularly in Opinion 15/2011) clarifies many of these issues, but it is important to note that the WP29's guidance, while important, is not legally binding. The GDPR makes it significantly harder for organisations to demonstrate that the data subject's consent has been freely given. In particular:

  • organisations must ensure that data subjects have a genuine choice;
  • organisations should consider carefully whether to rely on consent as a lawful basis for processing the personal data of their own employees; and
  • wherever possible, organisations should avoid making the performance of a contract conditional upon the data subject's consent to the processing of personal data.

Consent must be "specific"

Blanket consent that does not specify the exact purpose of the processing is not valid consent.

The Directive (Art.2(h)): "Consent" must be specific. The Directive does not explain this term further.

Change: does not materially change.

The GDPR (Rec.32; Art.6(1)(a)): "Consent" must be specific. The GDPR does not explain this term further.

Impact: neutral.

Commentary: The WP29 has clarified (in Opinion 15/2011) that, in order to be specific, consent must be intelligible. The controller must clearly and precisely explain the scope and the consequences of the data processing. Consent cannot apply to an open-ended set of processing activities; it must be limited to a specific context. This requirement does not materially change as a result of the introduction of the GDPR.

Consent must be "informed"

In order for consent to be valid, data subjects must be provided with sufficient information to enable them to understand what they are consenting to.

The Directive (Rec.25; Art.2(h)): Consent must be "informed". The Directive does not explain this term further.

Change: materially changes.

The GDPR (Rec.32, 42; Art.4(11), 7(1)): Consent must be "informed". In order for consent to be informed:

  • the nature of the processing should be explained in an intelligible and easily accessible form, using clear and plain language which does not contain unfair terms; and
  • the data subject should be aware at least of the identity of the controller and the purposes for which the personal data will be processed.

Impact: negative.

Commentary: The GDPR requires organisations to take significant extra steps in order to ensure that data subjects are properly informed of the purposes for which their personal data will be used. If this information is not provided in line with these requirements, any "consent" obtained may not be valid.

Method of obtaining consent

EU data protection law does not specify the method by which consent should be obtained. An organisation may use any appropriate mechanism to obtain consent.

The Directive: The Directive does not provide details on the methods that can be used to obtain valid consent.

Change: materially changes.

The GDPR (Rec.32): Consent must take the form of an affirmative action or statement. Consent can be provided by any appropriate method enabling a freely given, specific and informed indication of the data subject's wishes. For example, depending on the circumstances, valid consent could be provided verbally, in writing, by ticking a box on a web page, by choosing technical settings in an app, or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data.

Impact: positive.

Commentary: The GDPR specifically recognises the validity of a number of commonly used methods of collecting consent, and affirms the principle that any appropriate method can be used. Organisations should give careful thought to ensuring that their consent mechanisms are appropriate to the nature of the consent being sought.

Silence is not consent

Acquiescence is not the same thing as consent. The fact that a data subject says nothing when given the opportunity to object, or fails to opt-out or unsubscribe, will not amount to valid consent.

The Directive: The Directive does not explicitly make the point that silence cannot be consent.

Change: materially changes.

The GDPR (Rec.32): Silence, pre-ticked boxes, inactivity, failure to opt-out, or passive acquiescence do not constitute valid consent.

Impact: negative.

Commentary: The Directive does not specifically state that silence and inactivity cannot amount to consent. Subsequent guidance from the WP29 (particularly in Opinion 15/2011) clarifies this point. To the extent that there had been any doubt, the GDPR makes the point extremely clear. Organisations should ensure that they do not rely on silence or inactivity as consent.

Consent must be distinguishable from other matters

A data subject's consent to the processing of his or her personal data should not be tied to other matters.

The Directive: The Directive does not explicitly discuss the need to separate consent from other matters.

Change: materially changes.

The GDPR (Art.7(2)): If consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. If the data subject is asked to consent to something that is inconsistent with the requirements of the GDPR, that consent will not be binding.

Impact: negative.

Commentary: The Directive does not specifically address the requirement to separate consent from other matters. Subsequent guidance from the WP29 (particularly in Opinion 15/2011) clarifies this point. To the extent that there had been any doubt, the GDPR makes the point extremely clear, emphasising its importance by stating that consent language that is inconsistent with the requirements of the GDPR is non-binding. Organisations should ensure that consent to the processing of personal data is always clearly distinguished from other matters (e.g., consent is not wrapped up as part of a wider set of terms and conditions).

The controller must be able to demonstrate consent

There is clearly potential for disagreements as to whether or not a data subject actually consented to the processing of his or her personal data.

The Directive: The Directive does not directly address the obligation of controllers to maintain evidence of consent obtained from data subjects.

Change: materially changes.

The GDPR (Rec.42; Art.7(1)): Where any processing activity is performed on the basis of consent, the controller must be able to demonstrate that it has obtained valid consent from the affected data subjects.

Impact: negative.

Commentary: Although it has always been advisable for controllers to retain evidence of consent, the Directive does not specifically require controllers to do so. The GDPR places the burden of proof squarely on the controller, which may result in increased costs and administrative burdens for some organisations.

Right of data subjects to withdraw consent

Consent, by its nature, must be capable of being withdrawn. If the controller does not permit the data subject to withdraw consent then it is unlikely that the consent is valid. However, the right of data subjects to withdraw consent is not retrospective (i.e., data subjects cannot withdraw consent to processing that has already happened).

The Directive: The Directive does not specifically address the issue of withdrawal of consent.

Change: materially changes.

The GDPR (Rec.42, 65; Art.7(3)): Data subjects have the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject must be informed of the right to withdraw consent. It must be as easy to withdraw consent as to give it.

Impact: negative.

Commentary: Although the Directive does not expressly state that there is a right to withdraw consent, this right is implied from the nature of consent, and has generally been enforced by DPAs. The GDPR formalises this right, but also obliges organisations to make it easy for individuals to withdraw consent, which may require businesses to create new systems and procedures to satisfy this requirement.
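The two issues above (demonstrating consent under Art.7(1) and withdrawal under Art.7(3)) are usually implemented together, as a consent record that a system consults before processing. As an added example, not code from the handbook, the following Python sketch records each consent as one event per purpose, refuses anything that is not a clear affirmative action (so a pre-ticked box cannot produce a record), checks that the notice shown beforehand identified the controller, the purpose and the right to withdraw, and applies a withdrawal only from its timestamp onward so that earlier processing remains lawful. The class and field names, the notice layout and the individual checks are assumptions made for illustration, and the sample events are constructed.

```python
"""Consent ledger: an added illustration, not code from the handbook.
Records each consent as one event per purpose, refuses anything that is not a
clear affirmative action, keeps evidence for Art.7(1), and applies withdrawal
(Art.7(3)) from its timestamp onward only. Names and checks are assumptions."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional
import hashlib
import json


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Timezone-aware UTC timestamp (sample data below is constructed)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str        # exactly one specific purpose, e.g. "marketing-email"
    action: str         # "given" or "withdrawn"
    at: datetime        # when the statement or affirmative action happened
    method: str         # how it was captured, e.g. "web-checkbox"
    notice_sha256: str  # digest of the information shown before consent


class ConsentLedger:
    """Append-only record of consent events held by one controller."""

    BLANKET = {"all", "any", "*", ""}

    def __init__(self, controller: str):
        self.controller = controller
        self.events: List[ConsentEvent] = []

    @staticmethod
    def _digest(notice: Dict) -> str:
        # Canonical JSON so an identical notice always hashes identically.
        canon = json.dumps(notice, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode()).hexdigest()

    def record_consent(self, subject_id: str, purpose: str, at: datetime,
                       method: str, notice: Dict, affirmative: bool) -> ConsentEvent:
        # Rec.32: silence, pre-ticked boxes or inactivity are not consent,
        # so the caller must confirm the subject actually did something.
        if not affirmative:
            raise ValueError("no clear affirmative action; nothing recorded")
        # Specific: one purpose per record; blanket wording is rejected.
        if purpose.strip().lower() in self.BLANKET:
            raise ValueError("blanket purpose is not specific consent")
        # Informed (Rec.42) and Art.7(3): the notice must identify this
        # controller, name this purpose and mention the right to withdraw.
        if notice.get("controller") != self.controller:
            raise ValueError("notice does not identify the controller")
        if purpose not in notice.get("purposes", []):
            raise ValueError("notice does not name this purpose")
        if not notice.get("withdrawal_right"):
            raise ValueError("subject not told of the right to withdraw")
        event = ConsentEvent(subject_id, purpose, "given", at, method,
                             self._digest(notice))
        self.events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, at: datetime,
                 method: str) -> ConsentEvent:
        # One call, the same shape as giving consent: withdrawal is not harder.
        event = ConsentEvent(subject_id, purpose, "withdrawn", at, method, "")
        self.events.append(event)
        return event

    def is_lawful(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Was processing for this purpose covered by consent at time `at`?
        Only the latest event at or before `at` counts, so withdrawal does
        not retrospectively make earlier processing unlawful."""
        latest: Optional[ConsentEvent] = None
        for e in self.events:
            if e.subject_id == subject_id and e.purpose == purpose and e.at <= at:
                if latest is None or e.at >= latest.at:
                    latest = e
        return latest is not None and latest.action == "given"

    def evidence(self, subject_id: str, purpose: str) -> List[Dict]:
        """What the controller would produce to demonstrate consent (Art.7(1))."""
        return [dict(asdict(e), at=e.at.isoformat())
                for e in self.events
                if e.subject_id == subject_id and e.purpose == purpose]


def demo() -> ConsentLedger:
    """Constructed sample: consent given on a web form, withdrawn a week later."""
    ledger = ConsentLedger("Example Controller Ltd")
    notice = {"controller": "Example Controller Ltd",
              "purposes": ["marketing-email"],
              "withdrawal_right": True}
    ledger.record_consent("subject-42", "marketing-email", utc(2018, 5, 25, 9),
                          "web-checkbox", notice, affirmative=True)
    ledger.withdraw("subject-42", "marketing-email", utc(2018, 6, 1, 12),
                    "account-settings")
    return ledger


if __name__ == "__main__":
    print(json.dumps(demo().evidence("subject-42", "marketing-email"), indent=2))
```

The point of hashing the notice rather than storing a flag is that the evidence then ties each consent to the exact wording the data subject saw, which is what a controller is asked to demonstrate when the validity of historic consent is questioned; the ledger is append-only so that a withdrawal never erases the record of the original consent.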

Consent can provide a lawful data transfer mechanism

If the data subject has consented to the transfer of his or her personal data to a jurisdiction outside the EEA, that consent provides a lawful data transfer mechanism (see Chapter 13).

The Directive (Rec.58; Art.26(1)(a)): Cross-Border Data Transfers may lawfully be made on the basis of the data subject's consent.

Change: does not materially change.

The GDPR (Rec.111; Art.49(1)(a), (3)): In the absence of other safeguards, transfers may take place if the data subject has explicitly consented to the transfer, having previously been informed of its possible risks. This does not apply to public authorities in the exercise of their powers.

Impact: neutral.

Commentary: The GDPR makes no material change to the principle that consent may provide a lawful data transfer mechanism, but it requires that such consent be explicit and that the data subject first be informed of the possible risks of the transfer.

Impact of the GDPR on existing consent

The GDPR imposes new requirements in relation to consent. Any existing consents that are valid under the Directive, but do not satisfy the requirements of the GDPR, will have to be re-obtained.

The Directive: The Directive does not address this issue.

Change: materially changes.

The GDPR (Rec.171): Where an organisation has already collected consent from data subjects (prior to the GDPR Effective Date) it is not necessary to collect that consent a second time in consequence of the GDPR, provided that the initial consent was compliant with the requirements of the GDPR.

Impact: negative.

Commentary: In some cases, organisations may be able to rely on existing consents collected under the Directive. However, in many cases, historic consents will not be compliant with the requirements of the GDPR, and in such cases it will be necessary to collect fresh consents. For some organisations, this will be an onerous task.

Further analysis

Commentary: Consent must be "informed"

The requirement that consent must be 'informed' is intended to ensure that data subjects understand the risks associated with the processing of their personal data. The information to be provided to data subjects should include:

  • the identity of the controller (and, where appropriate, its representative—see Chapter 10);
  • the purposes for which the data will be processed;
  • any further information that is necessary to enable the data subject to understand the processing to which they are being asked to consent (e.g., the third parties with whom the data may be shared);
  • the existence of the right of access to, and the right to rectify, personal data;
  • the existence of the right to object to processing and the right to be forgotten; and
  • the existence of the right to withdraw consent.

Commentary: "Clear affirmative action"

Under the GDPR, consent must be provided in the form of a clear, affirmative action of the data subject. The first point to make is that consent generally cannot be obtained from a third party (i.e., one individual cannot normally consent to the processing of another individual's data), although there are some minor exceptions (particularly in the case of parents providing consent in relation to their children).

Second, the consent itself must be something that the data subject has said or done to indicate that they agree to the processing of their personal data. This agreement can take any appropriate form (e.g., a signature, a tick-box, a verbal consent, etc.), but it must be affirmative in nature—mere silence, passive acquiescence or failure to opt-out does not constitute valid consent under the GDPR.

Commentary: Withdrawal or refusal of consent

Data subjects have the right to refuse to consent, and the right to withdraw any consent they have given. Following any such refusal or withdrawal of consent, organisations should be wary of proceeding with the proposed data processing activity. If, following withdrawal of consent, the organisation continues to process the data subject's personal data in reliance on another lawful basis (see Chapter 7) then that further processing may call into question the validity of the consent (and any similar consent provided by other data subjects).


Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law

Foreword

Chapter 1: Introduction

Chapter 2: Preparing for the GDPR

Chapter 3: Subject matter and scope

Chapter 4: Territorial application

Chapter 5: Key definitions

Chapter 6: Data Protection Principles

Chapter 7: Lawful basis for processing

Chapter 8: Consent

Chapter 9: Rights of data subjects

Chapter 10: Obligations of controllers

Chapter 11: Obligations of processors

Chapter 12: Impact Assessments, DPOs and Codes of Conduct

Chapter 13: Cross-Border Data Transfers

Chapter 14: Data Protection Authorities

Chapter 15: Cooperation and consistency

Chapter 16: Remedies and sanctions

Chapter 17: Issues subject to national law

Chapter 18: Relationships with other laws

Chapter 19: Transitional provisions

Chapter 20: Glossary

Our Global Data, Privacy & Cyber Security Practice


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 White & Case LLP