Neil Brown reflects on updated guidance on consent, which was issued by the Article 29 Working Party in April 2018
The Article 29 Working Party (WP29) has, with just over a month to go before the GDPR applies, issued its guidance on consent.
Controllers relying on consent as a basis of lawfulness will want to familiarise themselves with this guidance in short order since, while much remains the same as the previously-issued draft guidance, some aspects have changed.
The revised guidance, WP258, is available here or can be downloaded from the link at the end of this article.
A reminder: what the GDPR says about consent
The GDPR defines ‘consent’ as:
‘any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
This can be contrasted with the definition in the 1995 Data Protection Directive:
‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.’
The two definitions are similar, and there is no major change to the notion of consent under the GDPR. WP29 considers that ‘most of the key elements of consent remain the same under the GDPR’, but that the GDPR means that consent is ‘raised to a higher standard’.
The main change is that, under the GDPR, consent must be obtained through an ‘unambiguous indication’, in the form of a ‘statement’ or a ‘clear affirmative action’. Some will no doubt say that this was expected under the 1995 Directive too but, whether or not that is correct, it is undoubtedly the case now.
Recital 32 gives some further statutory guidance on what ‘affirmative action’ looks like:
‘... ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.’
Notably, it also states clearly what will not be appropriate: ‘Silence, pre-ticked boxes or inactivity should not therefore constitute consent.’
It is against this framework that WP29 has issued its guidance.
Consent in employment situations
The mainstay of WP29's draft guidance remains unchanged, taking the position that ‘[f]or the majority of ... data processing at work, the lawful basis cannot and should not be the consent’.
The reasoning too remains consistent, advising that ‘it is unlikely that the data subject is able to deny his/her employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal’.
‘Unlikely’, of course, does not mean ‘never’ and, while WP29 considers that this applies to the ‘majority’ of processing, it also considers that, in ‘exceptional circumstances’, consent may be freely given.
Bundling of consent
WP29 re-asserts that bundling of consent is ‘highly undesirable’, with a ‘strong presumption’ that purported consent in such a situation is ‘not freely given’.
As with consent in an employment situation, bundling is not prohibited as such but, in WP29's (unchanged) view, the presumption would only be rebutted in ‘highly exceptional’ situations.
Importantly, WP29 has included a new paragraph, indicating that a controller cannot consider a user's bundled consent to be valid simply because there are competing services which a user could pick instead:
‘The WP29 considers that consent cannot be considered as freely given if a controller argues that a choice exists between its service that includes consenting to the use of personal data for additional purposes on the one hand, and an equivalent service offered by a different controller on the other hand. In such a case, the freedom of choice would be made dependent on what other market players do and whether an individual data subject would find the other controller’s services genuinely equivalent.’
Granularity of consent
The core principle remains unchanged: if a controller has conflated several purposes for processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom, potentially vitiating consent. However, the example from the draft guidance has been extended:
‘Within the same consent request a retailer asks its customers for consent to use their data to send them marketing by email and also to share their details with other companies within their group. This consent is not granular as there is no separate consents for these two separate purposes, therefore the consent will not be valid.’
WP29 has now added that ‘[i]n this case, a specific consent should be collected to send the contact details to commercial partners. Such specific consent will be deemed valid for each partner, whose identity has been provided to the data subject at the time of the collection of his or her consent, insofar as it is sent to them for the same purpose (in this example: a marketing purpose).’
Recital 42 provides that ‘[c]onsent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.’
The mainstay of the WP29's position on detriment has not changed, but WP29 has added a number of examples.
Failure to permit an app to access a device's accelerometer for purposes unconnected with the provision of the app, which results in the (unnecessary) limiting of the app's functionality, is an ‘example of detriment’. By contrast, losing out on personalised advertisements (the horror) because consent for the collection of the data needed for that personalisation has been withdrawn is not ‘detriment’. More interesting is example 10:
‘A fashion magazine offers readers access to buy new make-up products before the official launch.
The products will shortly be made available for sale, but readers of this magazine are offered an exclusive preview of these products. In order to enjoy this benefit, people must give their postal address and agree to subscription on the mailing list of the magazine. The postal address is necessary for shipping and the mailing list is used for sending commercial offers for products such as cosmetics or t-shirts year round.
The company explains that the data on the mailing list will only be used for sending merchandise and paper advertising by the magazine itself and is not to be shared with any other organisation.
In case the reader does not want to disclose their address for this reason, there is no detriment, as the products will be available to them anyway.’
The inability to obtain an ‘exclusive preview’ of cosmetics does not, it seems, amount to ‘detriment’ in the eyes of WP29, because the data subjects would, at some point in the future, be able to buy the products anyway. I am sure that the next few months and years will see controllers testing just how far this example can be stretched, and how much incentive a controller can offer to encourage a data subject's consent, before it trips over the line.
Consent and website usage
WP29 has added an additional sentence to its draft guidance, stating explicitly that:
‘merely continuing the ordinary use of a website is not conduct from which one can infer an indication of wishes by the data subject to signify his or her agreement to a proposed processing operation’.
So those looking to deploy unnecessary cookies will need to find another way of obtaining consent if they are to comply with the framework.
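As an added illustration, not taken from the article or from WP29's guidance, the following JavaScript sketches how a website's consent record can be modelled so that it reflects the positions summarised above: each purpose is a separate, independent choice (granularity); nothing is granted by default (no pre-ticked boxes); only a recognised affirmative action counts, so continued browsing grants nothing; sharing consent is valid only for partners named at the time of collection; and any grant can be withdrawn. The purpose names, action names and partner names are constructed for the example.

```javascript
// Purposes a site might ask about. Each is an independent choice; there is
// deliberately no "accept everything" purpose in the model. (Constructed names.)
const PURPOSES = Object.freeze({
  analytics: 'Measure how the site is used',
  marketing: 'Send marketing by email',
  partnerSharing: 'Share contact details with named partners',
});

// Ways a data subject can signify agreement. Scrolling, closing a banner or
// simply continuing to use the site are intentionally absent from this set.
const AFFIRMATIVE_ACTIONS = new Set(['ticked_box', 'clicked_accept', 'typed_statement']);

function createConsentRecord() {
  // Every purpose starts ungranted: no pre-ticked boxes, no default opt-in.
  const record = { purposes: {}, events: [] };
  for (const purpose of Object.keys(PURPOSES)) {
    record.purposes[purpose] = { granted: false, action: null, at: null, partners: [] };
  }
  return record;
}

function grantConsent(record, purpose, action, details = {}) {
  if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
  if (!AFFIRMATIVE_ACTIONS.has(action)) {
    // Silence, inactivity or ordinary use of the website is not consent.
    throw new Error(`"${action}" is not a clear affirmative action`);
  }
  const partners = Array.isArray(details.partners) ? [...details.partners] : [];
  if (purpose === 'partnerSharing' && partners.length === 0) {
    // Consent to share is only valid for partners identified at collection time.
    throw new Error('partner sharing requires the partners to be named when consent is given');
  }
  const at = details.at || new Date().toISOString();
  record.purposes[purpose] = {
    granted: true,
    action,
    at,
    partners: purpose === 'partnerSharing' ? partners : [],
  };
  // Keep an audit trail so the controller can demonstrate what was agreed and when.
  record.events.push({ type: 'grant', purpose, action, at, partners: [...record.purposes[purpose].partners] });
  return record;
}

function withdrawConsent(record, purpose, at) {
  if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
  const when = at || new Date().toISOString();
  // Withdrawal only clears this one purpose; other grants are unaffected.
  record.purposes[purpose] = { granted: false, action: null, at: null, partners: [] };
  record.events.push({ type: 'withdraw', purpose, at: when });
  return record;
}

function isPermitted(record, purpose, partner) {
  // Gate: processing for a purpose may proceed only while a recorded,
  // affirmative grant for that specific purpose stands.
  const entry = record.purposes[purpose];
  if (!entry || !entry.granted) return false;
  if (purpose === 'partnerSharing') return entry.partners.includes(partner);
  return true;
}

// Small demonstration run when executed directly.
if (typeof require !== 'undefined' && require.main === module) {
  const r = createConsentRecord();
  grantConsent(r, 'marketing', 'ticked_box', { at: '2018-05-25T09:00:00Z' });
  console.log('marketing permitted:', isPermitted(r, 'marketing'));
  withdrawConsent(r, 'marketing', '2018-06-01T09:00:00Z');
  console.log('marketing after withdrawal:', isPermitted(r, 'marketing'));
}
```

The point of the model is what it refuses to represent: there is no field for "consented to everything", no default of `granted: true`, and no action value for passive behaviour, so a bundled or implied consent cannot be recorded by accident. Strictly necessary cookies are not in the purpose list at all, since they are not gated on consent.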
What about ‘explicit consent’?
Although the standard of general consent under the GDPR increases, when compared with that of the Directive, there remains a notion of ‘explicit consent’. Where consent is to be used as the basis for the processing of special categories of data, it is this ‘explicit consent’ which is required.
The ICO currently advises that ‘Explicit consent must be expressly confirmed in words, rather than by any other positive action’ (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/).
This guidance does not appear to have any basis in the GDPR itself, and is contradicted by WP29’s guidance:
‘A data controller may also obtain explicit consent from a visitor to its website by offering an explicit consent screen that contains Yes and No check boxes, provided that the text clearly indicates the consent, for instance “I, hereby, consent to the processing of my data”.’
In terms of capturing explicit consent over the phone, WP29 has included a new paragraph, stating that:
‘[a]n organisation may also obtain explicit consent through a telephone conversation, provided that the information about the choice is fair, intelligible and clear, and it asks for a specific confirmation from the data subject (e.g. pressing a button or providing oral confirmation).’
Perhaps we will see the ICO revisit its guidance in the light of the WP29's publication.
Unsurprisingly, WP29 warns — fairly — that consent is not a panacea and that, ‘if a controller chooses to rely on consent for any part of the processing, they must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent’. Moreover, ‘the controller cannot swap from consent to other lawful bases. For example, it is not allowed to retrospectively utilise the legitimate interest basis in order to justify processing, where problems have been encountered with the validity of consent’.
Children and consent
Although the general principle remains that, where a controller intends to obtain consent from a child, its language must be sufficiently simple and clear, WP29 now also requires that ‘If it is the parent that is supposed to consent, then a set of information may be required that allows adults to make an informed decision’.
WP29 has changed its position on whether re-capturing consent is required when a child turns 16. In the draft guidance, it required a controller to ‘send out messages to users periodically to remind them that consent for children will expire once they turn 16 and must be reaffirmed by the data subject personally’. Now, it is of the view that:
‘[a]fter reaching the age of digital consent, the child will have the possibility to withdraw the consent himself, in line with Article 7(3). In accordance with the principles of fairness and accountability, the controller must inform the child about this possibility’.
However, and this is the big change:
‘if the child does not take any action, consent given by a holder of parental responsibility ... given prior to the age of digital consent, will remain a valid ground for processing’.
‘Re-consenting’ and the GDPR
In a statement which is likely to irk privacy experts who consider that ‘re-consenting’ is not required, WP29 notes at the end of the guidance that ‘[i]f a controller finds that the consent previously obtained under the old legislation will not meet the standard of GDPR consent, then controllers must undertake action to comply with these standards, for example by refreshing consent in a GDPR-compliant way.’
Neil Brown runs decoded:Legal, a telecoms, technology and Internet law firm.