On January 29, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP submitted formal comments to the Article 29 Working Party (the “Working Party”) on its Guidelines on Consent (the “Guidelines”). The Guidelines were adopted by the Working Party on November 28, 2017, for public consultation.
CIPL acknowledges and appreciates the Working Party’s elaboration on some of the consent-related requirements, such as providing information relevant to consent in layered format and the acknowledgment of both the push and pull models for providing such information. Additionally, CIPL welcomes the clear acknowledgement that controllers have the flexibility to develop consent experiences suitable to their organizations. However, CIPL also identified several areas in the Guidelines that would benefit from further clarification or adjustment.
In its comments to the Guidelines, CIPL recommends several changes or clarifications the Working Party should incorporate in its final guidelines relating to the elements of valid consent, rules on obtaining explicit consent, the interaction between consent and other processing grounds in the EU GDPR, and specific areas of concern such as scientific research and consent obtained under the Data Protection Directive.
Some key recommendations include:
- Status of Consent: The Working Party should revise its statement that when initiating processing, controllers must always consider whether consent is the appropriate ground. No processing ground, including consent, is privileged over the other.
- Imbalance of Power: The Guidelines should clarify what constitutes an imbalance of power outside of cases involving public authorities and employers, and emphasize that such imbalances occur in only narrow situations where the individual truly does not have a meaningful opportunity to consent.
- Conditionality: The Working Party should clarify that incentivizing an individual (e.g., by reducing the generally applicable fee or providing additional features or services) to consent to additional processing should not be deemed inappropriate pressure preventing an individual from exercising their free will.
- Informed: While it should be easy to identify directly what information relates to the consent sought, the Guidelines should clarify that it may be important to include such information in context with other information to provide a full picture to the individual and safeguard transparency.
- Unambiguous Indication of Wishes: Consent must be expressed by a clear affirmative act and the Guidelines note that “merely proceeding with a service” cannot be regarded as such an act. The Working Party should clarify that “merely proceeding with a service” refers to a situation where no affirmative action is taking place at all. Completing a free-text field or other similar action may constitute a valid explicit affirmative act.
- Obtaining Explicit Consent: The Guidelines should clarify that mechanisms for “regular” consent, as defined in the GDPR, may also meet the “explicit consent” standard.
- Withdrawing Consent: The Working Party should clarify that withdrawal of consent should not automatically result in deletion of data processed prior to withdrawal. This may be contrary to the individual’s wishes, potentially interfere with other data subject rights (e.g., portability), and may even conflict with other regulations such as those regulating clinical trials or research.
- Alternative Processing Grounds: The Guidelines should clarify that it is possible to have multiple grounds for one and the same processing, and if consent is withdrawn but another ground is available and the conditions for the validity of the alternative ground are met, the controller may continue to process the data.
- Scientific Research: The Working Party should clarify that scientific research goes beyond medical research and also encompasses private sector R&D. Additionally, the Guidelines should revise the recommendation that providing a comprehensive research plan is a way to compensate for a lack of purpose specification related to research, as disclosures of such plans would carry risks for organizations’ intellectual property rights, undermine innovation and diminish transparency.
- Consent under the Directive: The Working Party should revise its statement that all consents obtained under the Directive that do not meet the GDPR standard must be re-obtained. Organizations should only have to re-obtain such consents if there is a material change in the processing and its purposes, the consents do not comply with the GDPR rules on conditionality (Article 7(4)), or the requirements of Article 8(1) on processing children’s data have not been met.
To read the above recommendations in more detail, along with all of CIPL’s other recommendations on consent, view the full paper.
CIPL’s comments were developed based on input by the private sector participants in CIPL’s ongoing GDPR Implementation Project, which includes more than 90 individual private sector organizations. As part of this initiative, CIPL will continue to provide formal input about other GDPR topics the Working Party prioritizes.