Privacy consent requires a higher level of compliance under the GDPR, especially in light of the guidelines issued by the WP29 on the matter.
The Article 29 Working Party (WP29) has issued guidelines on privacy consent under the GDPR that set a much higher threshold of compliance.
I have already touched on the issues relating to consent and how it differs from legitimate interest in this blog post, while this article focuses specifically on the requirements applicable to consent. I also summarized the issues in a video in Italian as part of my videoblog Diritto al Digitale, and in more detail in English in the outline below:
Privacy consent is a legal basis for data processing, even though for some categories of personal data, such as data relating to criminal convictions and offences, consent alone does not suffice, since such processing is lawful only where authorised by law. Also, even where data processing can occur on the basis of consent, obtaining it does not cover everything: according to the WP29,
“it would not legitimise collection of data which is not necessary in relation to a specified purpose of processing and fundamentally unfair“.
This seems an obvious point, but, based on my experience, there is a general understanding that consent allows any type of data processing activity with reference to any possible personal data, which on the contrary is not the case.
What are the requirements for privacy consent?
Under article 4(11) of the GDPR, consent is defined as
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her“
Based on the above, there are four elements to consider in order to assess the validity of privacy consent, which needs to be:
1. Freely given
According to the WP29, this means that privacy consent has to represent a “real choice and control for data subjects” and that “if consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given“.
Individuals shall be able to refuse or withdraw consent without suffering a detriment. As a consequence, consent cannot be a condition for the provision of a service or “tied” into a contract if the data processing activity is not necessary in order to offer that service (e.g. the collection of geolocation data for behavioural advertising purposes as a condition for providing a video editing service). Likewise, the processing of personal data for which consent is sought cannot become, directly or indirectly, the counter-performance of a contract, which is a quite frequent scenario in relation, for instance, to free mobile apps.
The above is also relevant in order to introduce the concept of an “imbalance of power” between the data controller and the data subject, which, according to the Article 29 Working Party, makes consent an invalid legal basis in an employment relationship in the majority of cases.
On the contrary, a company offers individuals a
“genuine choice if they were able to choose between a service that includes consenting to the use of personal data for additional purposes on the one hand, and an equivalent service offered by the same controller that does not involve consenting to data use for additional purposes on the other hand. As long as there is a possibility to have the contract performed or the contracted service delivered by this controller without consenting to the other or additional data use in question, this means there is no longer a conditional service.“
This scenario might apply, for instance, if a company uses a machine learning tool to handle customer conversations that requires the review of those conversations to improve its functioning, but informs customers of this and offers an alternative way of contacting the company that does not require such data processing.
A further crucial issue relates to the level of granularity of the privacy consent to be requested and obtained from individuals. The matter is not reviewed in detail by the WP29, which only provides that “if the controller has conflated several purposes for processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom“. The example provided by the Article 29 Working Party is nonetheless quite interesting, as it refers to the impossibility of obtaining a single consent covering both direct marketing and the sharing of data across the group, which might imply that a single consent for direct marketing by the controller and its group companies is not possible.
2. Specific
The issue relating to the level of granularity of privacy consent is linked to the need to make it “specific”, which means that:
- consent needs to be collected for specific, explicit and legitimate purposes; for instance, a consent covering both direct marketing by the data controller and direct marketing by third parties would not be specific enough;
- consent shall be collected for each specific purpose of the data processing; and
- specific information shall be provided with each separate consent request in order to make data subjects aware of the impact of the different choices they have.
Again, more examples on the matter would have helped.
3. Informed
According to the WP29, a consent request needs to include at least the following information:
- the controller’s identity,
- the purpose of each of the processing operations for which consent is sought;
- what (type of) data will be collected and used;
- the existence of the right to withdraw consent;
- information about the use of the data for decisions based solely on automated processing, including profiling, and
- if the consent relates to transfers, about the possible risks of data transfers to third countries in the absence of an adequacy decision and appropriate safeguards.
The above does not clarify, though, whether such information can be provided by merely referring to the privacy information notice that includes all of the above and to which the consent form is attached.
In any case, the information above cannot be given through long, illegible privacy policies or statements full of legal jargon: the request for consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form.
It is advisable to put in place a layered privacy information notice which includes the consent request and provides the required information in a clearly understandable manner. According to the WP29, the first information layer of this notice shall include the identity and contact details of the data controller. This is an approach already recommended, for instance, by the Italian data protection authority in relation to cookies.
4. An unambiguous indication of wishes
Privacy consent needs to be given by means of a “clear affirmative act”, which means that the data subject must have taken a deliberate action to consent to the particular processing. It can be collected through a written or (recorded) oral statement, including by electronic means, which however need to clearly convey an affirmative act: for instance, scrolling through pages on a screen is considered by the WP29 as not sufficient. Likewise,
- pre-ticked opt-in boxes,
- silence or inactivity and
- consents given as part of agreeing to a contract or accepting general terms and conditions of a service
are not valid.
5. Explicit consent
Explicit consent (rather than the “ordinary” consent discussed above) is required as the legal basis of the processing for
- special categories of data, such as health-related data or biometric data;
- data transfers to third countries or international organisations in the absence of an adequacy decision or appropriate safeguards; and
- automated individual decision making, including profiling.
According to the WP29, the requirement of “explicit consent” can be met not only by means of a written statement, but also by “filling in an electronic form, by sending an email, by uploading a scanned document carrying the signature of the data subject, or by using an electronic signature“. It is not excluded that an oral statement can meet the requirements of explicit consent, but according to the Article 29 Working Party it might be difficult to prove that all the requirements are satisfied.
How do you prove consent?
How is consent withdrawn?
Individuals shall be able to withdraw consent at any time, as easily as it was initially given. Where consent is obtained through a service-specific user interface (for example, via a website, an app, a log-on account, the interface of an IoT device or by e-mail), individuals shall be able to withdraw consent through the same interface, free of charge and with no impact on the level of service offered.
The withdrawal of consent does not affect previous data processing activities, which remain lawful. However, if there is no other legal basis justifying the retention of the personal data after the withdrawal of consent, the data should be deleted or anonymised.
No plan B is allowed!
The WP29 emphasized that controllers cannot retrospectively switch the legal basis of the processing depending on the circumstances. For instance, it is not possible to retrospectively rely on legitimate interest in order to justify processing where problems have been encountered with the validity of consent. Therefore, data controllers shall have very clear views on the legal basis of their data processing from the outset.
How to treat children?
The Article 29 Working Party does not provide indications on how age checks should be performed on online platforms. It only provides that the requirement of obtaining privacy consent from parents in relation to the processing of personal data of children younger than 16 years of age (or the lower age, not below 13, set by Member State law) applies where:
- the processing relates to the offer of online services directly to a child; and
- the processing is based on consent.
What happens to consents obtained under the old privacy regime?
The WP29 provides that consents obtained under the laws implementing Directive 95/46/EC remain valid insofar as they are in line with the conditions set forth by the GDPR. This is a crucial point, as for instance the requirements for marketing and profiling consents under the GDPR appear different from those validated by the Italian data protection authority in its guidelines on the matter.
This is why, in view of the upcoming GDPR, we are already implementing for our clients a “transitional” privacy information notice and consents that comply with both the current privacy regime and the GDPR, giving our clients the possibility to “cure” their databases before 25 May 2018.
With reference to the above, my position is that the WP29 has set a level of compliance that will be difficult for a number of companies to achieve.
What is your position on the above?