Recently, the EU’s Article 29 Working Party (the “Working Party”) adopted guidelines (the “Guidance”) on the meaning of consent under the EU General Data Protection Regulation (“GDPR”). In this Guidance, the Working Party has confirmed that consent should be a reversible decision where a degree of control must remain with the data subject. The Guidance provides further detail on what is necessary to ensure that consent satisfies the requirements of the GDPR:
- Freely given. Consent is not valid where there is an imbalance of power or where it is conditioned to the performance of a contract. In addition, consent must be granular and given separately for each data processing operation, and there should be no detriment to the data subject if the data subject elects to withdraw his or her consent.
- Specific. Consent must be given for the processing of personal data for a specific purpose.
- Informed. To be fully informed, the following information must be provided to the data subject before consent is given: (1) the identity of the data controller; (2) the purpose of each of the processing operations for which consent is sought; (3) the personal data that will be collected based on consent; (4) the existence of the right to withdraw consent; (5) information about the use of the personal data for decisions based solely on automated processing, including profiling; and (6) if the consent relates to transfers of personal data outside the EEA, information about the possible risks of personal data transfers to third-party countries in the absence of an adequacy decision and appropriate safeguards.
- Clear affirmative action. Consent must be an unambiguous indication of the data subject’s wishes and accordingly, must be given by a statement or by a clear affirmative action which signifies agreement to the processing of personal data relating to the data subject.
Meaning of Explicit Consent
The Guidance also provides further information on the meaning of “explicit” consent, which is obtained for the processing of special categories of data, the transfer of personal data outside the EEA, or for automated individual decision-making. The Guidance states that for consent to be “explicit,” the data subject must give an express statement of his or her consent, for example, by expressly confirming his or her consent in an explicit statement. In the electronic context, an express statement of consent could be given by the data subject by filling in an electronic form, sending an email, uploading a scanned document or using an electronic signature.
The Working Party indicates that data controllers are free to develop methods to demonstrate that consent has been validly obtained in a way that fits their daily operations, and the GDPR is not prescriptive in this regard. Nevertheless, to demonstrate that consent was validly given, the data controller must be able to prove, in each individual case, that a data subject has given consent. In addition, the Guidance indicates that data controllers should retain records of consent only for so long as necessary for compliance with legal obligations to which they are subject, or for the establishment, exercise or defense of legal claims. The information retained should not go beyond what is necessary to demonstrate that valid consent has been obtained.
The GDPR requires parental consent in relation to the processing of children’s personal data in the context of information society services (e.g., a website or video streaming service) offered directly to children. The GDPR does not, however, specify the means that should be used to verify whether a user is a child or to obtain the consent of the child’s parents. The Guidance suggests that data controllers should adopt a proportionate approach based on the inherent risk associated with the processing and the available technology solutions. For example, the Working Party suggests that in low-risk scenarios, verification of parental responsibility by email may be sufficient, but in higher risk scenarios, more rigorous methods may be used, such as requiring the parent to make a £/$/€ 0.01 payment to the controller via a bank transaction. The Working Party recognizes, however, that verification may be challenging in a number of circumstances, and this will be taken into account when deciding whether the controller has taken “reasonable” efforts to ensure that parental consent has been obtained.
The Guidance indicates that consent which has been obtained prior to the GDPR will continue to be valid under the GDPR, provided it meets the conditions for consent required by the GDPR. The Working Party notes, in this regard, that existing consents must meet all GDPR requirements if they are to be valid, including the requirement that the data controller is able to demonstrate that consent was validly obtained. Thus, the Working Party is of the view that any consents which are presumed to be valid, but of which no record is kept, will not be valid under the GDPR. Similarly, existing consents that do not meet the “clear affirmative action” requirement under the GDPR, for example, because they were obtained by means of a pre-checked box, also will not be valid under the GDPR.
For processing operations in relation to which existing consent will no longer be valid, the Working Party recommends that data controllers (1) seek to obtain new consent in a way that complies with the GDPR, or (2) rely on a different legal basis for carrying out the processing in question. If a data controller is unable to do either of those things, then the processing activities concerned should cease.