Matthew Holman and Lewis Borg analyse some of the most pressing issues on consent under the GDPR and challenge the ICO to clarify some of its guidance
Consent is, we think, one of the most interesting areas of data protection law. For those who take an academic and technical interest in the machinery that makes data protection work, consent is a source of recurring fascination: it is a conflation of morality, ethics, law and procedure.
We all know that the GDPR introduces widespread changes to many areas of data protection law and, as has been widely reported, the threshold for consent and the processes surrounding its use are changed. This article is not meant to be a summary of how and why consent is changing or a discussion of the basic issues which underlie consent as a lawful basis of processing personal data. Rather, it expounds the more complex aspects of the new definition of consent, examines critically the key gaps presented by the ICO’s draft guidance, pauses to consider the draft e-Privacy Regulation (ePR) and the thorny issues of direct marketing before concluding with a challenge to the ICO regarding the final form of its consent guidance due to be published during December 2017 to coincide with the Article 29 Working Party guidance.
The ICO Consent Guidance
Between the guidance and the follow-up myth-buster blogs, the ICO has tried to show that it is aware of the commercial value attributed to the consent process by businesses and the reliance they place upon it. However, the ICO’s draft guidance leaves several areas unclear for businesses and, we will argue, overreaches the specific requirement of consent in the GDPR. Its ambiguity and delay are having a real impact on how businesses plan for the GDPR.
The draft guidance was published by the ICO on 2 March 2017 and was open to consultation until 31 March 2017. It was originally due to be published in final form during the summer of 2017 but that was eventually pushed back to December 2017 in order to coincide with pan-European guidance from the WP29. The delay has understandably left many corporate entities frustrated and asking lots of very reasonable questions about what they do next, including whether they have to start listing third parties in consent notices or privacy policies.
‘Does the GDPR require us to name third parties?’
One of the big issues created by the ICO’s draft guidance is the specific stipulation that, in order to rely on consent under the GDPR, the consent notice must ‘name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR’.
This is a very significant change for several reasons. Firstly, it is our view that this represents interpretative overreaching from the ICO. A thorough review of Article 7 GDPR and the recitals regarding consent does not at any point reveal or imply that third parties who will rely on consent should be named. In fact, there is corroborative evidence to the contrary when one studies other parts of the GDPR. For example, under Articles 13(1)(e) and 14(1)(e) of the GDPR, which relate to the use of information and privacy notices, the controller is under an obligation to provide the data subject with information detailing, ‘…the recipient or categories of recipients of the personal data’ (our emphasis). The GDPR clearly envisages that describing recipients by category alone is an adequate way of informing data subjects of the use of their personal data.
The second reason that it is significant is not academic but practical: naming third parties is a major concern for many businesses due to its potential commercial impact on the use of direct marketing (which we discuss further below). Many businesses, large and small, rely on effective direct marketing in order to generate revenue and, certainly for large corporates, making even minor changes to the method of obtaining consent can have a disproportionately negative effect on sales, potentially putting millions of pounds of revenue at risk. In addition to this, adding long lists of named third parties is likely to make some consent notices or fair processing notices more, not less, complicated for data subjects.
You could be forgiven for thinking that the ICO was radical in deciding to require that notices specifically name third parties. The reality is that there are already other EU member state laws which stipulate compulsory naming of third parties when obtaining consent (for example, the Netherlands). One could argue that such granularity empowers data subjects, enabling them to see beforehand where their data goes and so make informed decisions about processing of their personal data. But on the other hand, in light of public apathy about legal notices asking for consent, what is the likelihood that data subjects will interrogate any data protection notices naming third parties? This seems inconsistent with the move by the Commission in the ePR to scale back the use of cookie notices on websites due to their ineffectiveness. There is also the commercial conundrum of providing personal data to new third parties, not legally formed at the time consent was obtained, but who are able to offer new, more competitive products and services than those whose name is featured on the list. Any reasonable observer would recognise the commercial benefit of enhanced competition and the dynamic ability of the data controller to determine where and when the personal data is shared. In the Direct Marketing Association’s response to the ICO’s guidance, the DMA criticised the requirement to name third parties for the disproportionate impact that it may have on SMEs and their ability to grow.
It is our view that data subjects and corporates would be better served by a consent or privacy notice which contains a well-drafted, specific and tailored description of the categories of third parties relying on the consent rather than a list of the applicable third parties. The ICO should remove the obligation to name third parties from its final guidance.
Unambiguous consent and clear affirmative action
The GDPR’s definition of consent includes two important new criteria: consent must be an ‘unambiguous indication of wishes…by a statement or by clear affirmative action’. There are numerous good academic articles on the distinction between ‘explicit’ consent required for processing sensitive categories of personal data and ‘unambiguous indication of wishes’ for ordinary, non-sensitive personal data. No longer will silence, pre-ticked boxes or inaction on the part of the data subject constitute valid consent.
The draft guidance fails to elaborate on what these criteria mean in practice. Regarding unambiguous consent, it simply says that ‘this requires more than just a confirmation that they have read terms and conditions – there must be a clear signal that they agree. If there is any room for doubt, it is not valid consent.’ Regarding a clear affirmative act, the guidance says that ‘someone must take deliberate action to opt in, even if this is not expressed as an opt-in box. For example, other affirmative opt-in methods might include signing a consent statement, oral confirmation, a binary choice presented with equal prominence, or switching technical settings away from the default…the idea of an affirmative act does still leave room for implied consent in some circumstances, particularly in more informal offline situations.’
What the guidance fails to do is adequately explain what sort of clear affirmative acts can be undertaken to demonstrate consent in an online context other than an opt-in option or switching technical settings. If one accepts that most consumers are not technologically literate, it is reasonable to deduce that requiring someone to change the default privacy settings on a device is unlikely to be meaningful to large swathes of the population, leaving (in the absence of any genuine alternative) only opt-in tick boxes, which are a binary choice. It is our view that the ICO could provide better assistance here to make things clearer for businesses, particularly as consent tends to raise its head more often than not in the online world.
Playing the waiting game
The frustration that we have seen from clients and other businesses and professionals regarding the delay in finalising the consent guidance is understandable. When the ICO published the draft guidance in March, it was due to be finalised in summer 2017; this was then pushed back to December 2017.
The delay is particularly acute for businesses that undertake direct marketing using consent. Many businesses are now aware that the GDPR requires consent to be brought up to date with the new standards and so they are undertaking a repermissioning exercise, approaching data subjects who have consented to direct marketing under the DPA and essentially obtaining their consent anew. The difficulty with this is, as all technology lawyers who have drafted consent wording will know, that there is great subtlety in the proper drafting of consent notices, which requires input from legal and marketing professionals. This means that, in order to get the wording just right, the lawyers need to have total confidence that the regulatory guidance is concrete. That is not the case due to the delay in publishing the guidance. In addition to this, most marketing professionals affirm that it can take 12 months to build a sizeable database of direct marketing contacts. There are now just six months to go (at the time of writing) to the implementation of the GDPR but no finished guidance from the regulator and a reasonable probability, due to some of the more controversial aspects of the guidance, that the final form will change.
In its myth buster blog, the ICO has said that ‘It is unlikely that the guidance will change significantly in its final form. So you already have many of the tools you need to prepare.’ However, those technology lawyers who have been in practice long enough to remember the dawn of cookie consent notices will recall that, in the run up to the enforcement date (May 2012), the ICO published one piece of guidance suggesting that consent really ought to be by opt-in tick box to meet the requirements of the amended e-Privacy Directive (2002/58/EC, as implemented in the UK by PECR), only to then change this guidance just weeks before the enforcement date, rowing back to a position where implied consent was acceptable. So, the regulator has form for making last-minute changes to guidance about consent which can significantly alter how it is implemented in practice.
There also remains the looming issue of enforcement. We know the ICO has the power to levy large fines under the GDPR and that theoretically such fines could be levied from May 2018. Failure to obtain consent in accordance with Article 7 is punishable at the higher threshold of €20m or 4% of worldwide annual turnover, whichever is the higher. The ICO has already said that ‘it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.’ However, we empathise with the business representatives and lobbyists calling for an extended grace window when it comes to direct marketing and repermissioning: a window of time equal in length to the period of delay in publishing the final guidance.
Electronic Direct Marketing and Consent
Consent tends to create the biggest waves in the world of direct marketing. One of the consistent questions we have seen posed over the course of the last 12 months is how to reconcile the apparently conflicting rules in the GDPR and the draft ePR regarding electronic direct marketing communications. The issue could be summarised as follows.
On the one hand, the GDPR states that direct marketing can be carried out as a legitimate business interest (implying that consent is not required). This assertion is found in the final sentence of Recital 47 and simply reads: ‘The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’ (our emphasis). There are several things worth noting about this assertion. Firstly, all recitals in the GDPR are merely guidance as to interpretation of the articles. They are not capable of being legally binding on their own without a concomitant article, and there is no article in the GDPR which states that direct marketing is a legitimate business interest. At best, Recital 47 is guidance about interpretation of Article 6 (1) (f), which states that personal data can be lawfully processed on the grounds of the controller’s legitimate business interest. Secondly, Recital 47 is not media specific. It fails to address whether electronic direct marketing is captured within its meaning and so ought (in our view) to be given its widest meaning, ie that all methods of direct marketing are prima facie within the scope of legitimate business interests. Thirdly, this Recital was not in the original 2012 draft of the Regulation but rather found its way in during trilogue. It was the product of debate between the political bodies in the process of finalising the draft and is arguably an afterthought.
On the other hand, Article 16 (1) of the draft ePR says ‘Natural or legal persons may use electronic communications services for the purposes of sending direct marketing communications to end-users who are natural persons that have given their consent.’ It does not, as many would like, also end with the words ‘or where the controller has legitimate business interests to send such communications’ and so it is reasonable to see that a potential conflict arises between the GDPR and the ePR on this point. However, in our view no conflict exists. The ePR is designed to particularise and complement the GDPR and so it would be reasonable to interpret the ePR in a similar way to the interpretation of the Data Protection Act 1998 and PECR, meaning that PECR (and by analogy the ePR) creates an extra layer of protection for data subjects in addition to the DPA 1998. We know the standard of consent in the ePR is the same as that in the GDPR and we can also observe that, whilst there is no specific article in the GDPR on this point, there is an article in the ePR. In light of the status of the ePR as a Union regulation rather than a directive, it must be the intention of the Union legislature to ensure that electronic direct marketing does not take place without consent and that consent must be of the standard set out in the GDPR. The only other option is presented by the ePR itself in Article 16 (2), which preserves the current soft opt-in rules for electronic marketing communications.
This article was never drafted to provide all the answers to the stinging issue that is consent under the GDPR. We hope that it has illuminated some of the more theoretical and commercially challenging areas. We hope also that it has drawn out the shortcomings of the draft guidance. You could come away from this article with the view that we are thoroughly dissatisfied with the ICO’s draft guidance; this is not the case. There are many areas where it is useful. However, the shortcomings highlighted throughout this article are having a real impact on businesses and we call on the ICO to take these points into account as it finalises its consent guidance and works with the WP29 to produce new guidance, which is due to be published shortly.
Matthew Holman is a principal and Head of Technology and Data Protection at EMW. He is an SCL Accredited IT Lawyer and acts for many global brands, UK plcs and technology businesses. He also does extensive media and presentation work regarding the GDPR.
Lewis Borg is a solicitor in EMW’s Technology and Data Protection team, specializing in data protection law.
Matthew and Lewis would like to acknowledge the contributions of Natalie Ingram, trainee solicitor and research assistant at EMW.
Notes
General Data Protection Regulation 2016/679
ICO Consultation: GDPR Consent Guidance
See the draft regulation published on 10 January 2017 entitled ‘A Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications, repealing Directive 2002/58/EC’
Recitals 32, 33, 42, 43 and 171
The Dutch Data Protection Act and guidance of Autoriteit Persoonsgegevens
Article 4 (11)
Recital 32
Recital 171
Article 83
Article 83 (5)
A more detailed examination of legitimate business interest is outside the scope of this article.
Article 1 (3) ePR
Privacy & Electronic Communications (EC Directive) Regulations 2003, as amended
Article 4 (1) (a) ePR