The Article 29 Working Party (WP29) has, with just over a
month to go before the GDPR applies, issued its guidance on consent.
Controllers relying on consent as a basis of lawfulness will
want to familiarise themselves with this guidance in short order since, while
much remains the same as the previously-issued draft guidance, some aspects
have changed.
The revised guidance, WP258, is available here
or can be downloaded from the link at the end of this article.
A reminder: what the GDPR says about consent
The GDPR defines ‘consent’ as:
‘any freely given, specific, informed and unambiguous
indication of the data subject’s wishes by which he or she, by a statement or
by a clear affirmative action, signifies agreement to the processing of
personal data relating to him or her’.
This can be contrasted with the definition in the 1995 Data
Protection Directive:
‘any freely given specific and informed indication of his
wishes by which the data subject signifies his agreement to personal data
relating to him being processed.’
The two definitions are similar, and there is no major
change to the notion of consent under the GDPR. WP29 considers that ‘most of
the key elements of consent remain the same under the GDPR’, but that the GDPR
means that consent is ‘raised to a higher standard’.
The main change is that, under the GDPR, consent must be
obtained through an ‘unambiguous indication’, in the form of a ‘statement’ or a
‘clear affirmative action’. Some will undoubtedly say that this was expected
under the 1995 Directive too but, whether that’s correct or not, it is
undoubtedly the case now.
Recital 32 gives some further statutory guidance on what ‘affirmative
action’ looks like:
‘… ticking a box when visiting an internet website,
choosing technical settings for information society services or another
statement or conduct which clearly indicates in this context the data subject’s
acceptance of the proposed processing of his or her personal data.’
Notably, it also states clearly what will not be
appropriate: ‘Silence, pre-ticked boxes or inactivity should not therefore
constitute consent.’
It is against this framework that WP29 has issued its
guidance.
Consent in employment situations
The mainstay of WP29’s draft guidance remains unchanged,
taking the position that ‘[f]or the majority of … data processing at work,
the lawful basis cannot and should not be the consent’.
The reasoning too remains consistent, advising that ‘it is
unlikely that the data subject is able to deny his/her employer consent to data
processing without experiencing the fear or real risk of detrimental effects as
a result of a refusal’.
‘Unlikely’, of course, is not absolutely and, while the WP29
considers that it applies to the ‘majority’ of processing, it also considers
that, in ‘exceptional circumstances’, consent may be freely given.
Bundling of consent
WP29 re-asserts that bundling of consent is ‘highly
undesirable’, with a ‘strong presumption’ that purported consent in such a
situation is ‘not freely given’.
As with consent in an employment situation, bundling is not
prohibited as such but, in WP29’s (unchanged) view, the presumption would only
be rebutted in ‘highly exceptional’ situations.
Importantly, WP29 has included a new paragraph, indicating
that a controller cannot consider a user’s bundled consent to be valid simply
because there are competing services which a user could pick instead:
‘The WP29 considers that consent cannot be considered as
freely given if a controller argues that a choice exists between its service
that includes consenting to the use of personal data for additional purposes on
the one hand, and an equivalent service offered by a different controller on
the other hand. In such a case, the freedom of choice would be made dependent
on what other market players do and whether an individual data subject would
find the other controller’s services genuinely equivalent.’
Granularity of consent
The core principle remains unchanged; if a controller has
conflated several purposes for processing and has not attempted to seek
separate consent for each purpose, there is a lack of freedom, potentially
vitiating consent. However, the example from the draft guidance has been
extended:
‘Within the same consent request a retailer asks its
customers for consent to use their data to send them marketing by email and
also to share their details with other companies within their group. This
consent is not granular as there is no separate consents for these two separate
purposes, therefore the consent will not be valid.’
WP29 has now added that ‘[i]n this case, a specific consent
should be collected to send the contact details to commercial partners. Such
specific consent will be deemed valid for each partner, whose identity has been
provided to the data subject at the time of the collection of his or her
consent, insofar as it is sent to them for the same purpose (in this example: a
marketing purpose).’
Detriment
Recital 42 provides that ‘[c]onsent should not be regarded
as freely given if the data subject has no genuine or free choice or is unable
to refuse or withdraw consent without detriment.’
The mainstay of the WP29’s position on detriment has not
changed, but WP29 has added a number of examples.
Failure to permit an app to access a device’s accelerometer
for purposes unconnected with the provision of the app, which results in the
(unnecessary) limiting of the app’s functionality, is an ‘example of detriment’,
but losing out on personalised advertisements (the horror) due to withdrawing
consent for the collection of data necessary for that personalisation is not ‘detriment’. More interesting is example 10:
‘A fashion magazine offers readers access to buy new make-up
products before the official launch.
The products will shortly be made available for sale, but
readers of this magazine are offered an exclusive preview of these products. In
order to enjoy this benefit, people must give their postal address and agree to
subscription on the mailing list of the magazine. The postal address is
necessary for shipping and the mailing list is used for sending commercial
offers for products such as cosmetics or t-shirts year round.
The company explains that the data on the mailing list will
only be used for sending merchandise and paper advertising by the magazine
itself and is not to be shared with any other organisation.
In case the reader does not want to disclose their address
for this reason, there is no detriment, as the products will be available to
them anyway.’
The inability to obtain an ‘exclusive preview’ of cosmetics
does not, it seems, amount to ‘detriment’ in the eyes of WP29, because the data
subjects would, at some point in the future, be able to buy the products
anyway. I am sure that the next few months and years will see controllers
seeing just how far this example can be stretched, and how much incentive a
controller can give to encourage a data subject’s consent, before it trips over
the line.
Consent and website usage
When visiting a website which wishes to deploy unnecessary
cookies, one is often faced with a phrase akin to ‘by continuing to browse this
site, you are consenting to our use of cookies’. Some will say they are merely
taking a pragmatic approach to comply with the ePrivacy Directive’s
requirements, and others might say that this continuation of activity is indeed
an indication of consent, for the purposes of the Data Protection Directive.
WP29 has added an additional sentence to its draft guidance,
stating explicitly that:
‘merely continuing the ordinary use of a website is not
conduct from which one can infer an indication of wishes by the data subject to
signify his or her agreement to a proposed processing operation’.
So those looking to deploy unnecessary cookies will need to find
another way of obtaining consent if they are to comply with the framework.
What about ‘explicit consent’?
Although the standard of general consent under the GDPR
increases, when compared with that of the Directive, there remains a notion of ‘explicit
consent’. Where consent is to be used as the basis for the processing of
special categories of data, it is this ‘explicit consent’ which is required.
The ICO currently advises that ‘Explicit consent must be
expressly confirmed in words, rather than by any other positive action’ (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/).
This guidance does not appear to have any basis in the GDPR
itself, and is contradicted by WP29’s guidance:
‘A data controller may also
obtain explicit consent from a visitor to its website by offering an explicit
consent screen that contains Yes and No check boxes, provided that the text
clearly indicates the consent, for instance “I, hereby, consent to the
processing of my data”.’
In terms of capturing explicit consent over the phone, WP29
has included a new paragraph, stating that:
‘[a]n organisation may also obtain
explicit consent through a telephone conversation, provided that the
information about the choice is fair, intelligible and clear, and it asks for a
specific confirmation from the data subject (e.g. pressing a button or
providing oral confirmation).’
Perhaps we will see the ICO revisit its guidance in the
light of the WP29’s publication.
Unsurprisingly, WP29 warns — fairly — that consent is not a
panacea and that, ‘if a controller chooses to rely on consent for any part of
the processing, they must be prepared to respect that choice and stop that part
of the processing if an individual withdraws consent’. Moreover, ‘the
controller cannot swap from consent to other lawful bases. For example, it is
not allowed to retrospectively utilise the legitimate interest basis in order
to justify processing, where problems have been encountered with the validity
of consent’.
Children and consent
Although the general principle remains that, where a controller
intends to obtain consent from a child, its language must be sufficient simple
and clear, WP29 now also requires that ‘If it is the parent that is supposed to
consent, then a set of information may be required that allows adults to make
an informed decision’.
WP29 has changed its position on whether re-capturing
consent is required when a child turns 16. In the draft guidance, it required a
controller to ‘send out messages to users periodically to remind them that
consent for children will expire once they turn 16 and must be reaffirmed by
the data subject personally’. Now, it is of the view that:
‘[a]fter reaching
the age of digital consent, the child will have the possibility to withdraw the
consent himself, in line with Article 7(3). In accordance with the principles
of fairness and accountability, the controller must inform the child about this
possibility’.
However — and the big change:
‘if the child does not take any
action, consent given by a holder of parental responsibility … given prior to
the age of digital consent, will remain a valid ground for processing’.
‘Re-consenting’ and the GDPR.
In a statement which is likely to irk privacy experts who
consider that ‘re-consenting’ is not required, WP29 notes at the end of the
guidance that ‘[i]f a controller finds that the consent previously obtained
under the old legislation will not meet the standard of GDPR consent, then
controllers must undertake action to comply with these standards, for example
by refreshing consent in a GDPR-compliant way.’
Neil Brown runs decoded:Legal, a telecoms, technology and
Internet law firm.
