Chapter 10: Consent – EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide

CHAPTER 10: CONSENT

Consent is one of the key areas in achieving compliance with the GDPR. Although consent is the simplest lawful basis available for processing personal data, it is also the one most likely to generate legal difficulties for data controllers. The GDPR outlines the criteria for consent as the following:

 

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.160

Like other elements involved in preserving data subjects’ rights, the data controller is responsible for abiding by these criteria. Ensuring that data subjects consent to having their personal data processed (where this is possible) is a critical component to preserving their rights and freedoms, and adhering to the data protection principles.

However, consent is not the only available lawful basis for processing, so it’s important to understand your duties in relation to consent, the data subject’s rights in relation to it, and the processes by which both parties are satisfied.

Consent in a nutshell

Gaining consent is a simple way of ensuring that your processing is lawful (in accordance with the first privacy principle), so the Regulation has strict conditions to make sure that consent is fairly gained and not abused.

Consent must be freely given, as made clear by the Regulation, which states that “consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation”. Similarly, an employer/employee relationship would also be an imbalanced relationship, potentially rendering any consent given by the employee invalid.

When you request a data subject’s consent, you therefore need to ensure that the data subject has the genuine option of refusal, and that there will be no repercussions for refusing to consent. Organisations – and particularly public authorities – that cannot meet this requirement will need to ensure that they have a valid legal basis for the processing under local or Union law.

Consent must also be “specific”, which means the consent must specify the exact purpose of the processing. An example of specific consent might be an insurance company requesting personal data to determine levels of risk161. In this instance, the insurance company would need to inform the data subject that all of the information supplied may be used in order to calculate premiums and offer targeted services.

However, specific consent need not be requested in all situations. For example, an online retailer that requests a customer for their address should not need to state that the address will be used for the purpose of delivering the customer’s goods. This would fall under the general allowance for processing data in order to fulfil a contract. In this example, you would need to secure consent for the customer to set up their account – informing them that you will use the data to fulfil their orders, for instance – and anything that logically follows from that consent would be acceptable.

Ensuring that consent is “informed” is closely linked to it being “specific”. A data subject cannot consent to something if they have not been adequately informed. It’s your duty as a data controller to ensure that this information is clear, especially if you are using the personal data for commercial gain. Equally, the data subject must be “informed of the existence of the processing operation and its purposes”162, which links to the principles of fair and transparent processing. This means that you cannot hide another processing function behind one that you’ve obtained consent for.

Consent must be “unambiguous”. In most instances, you’ll be providing the data subject with a written form of the consent itself and all they need to do is to confirm that they understand and approve. This means that the consent as it is written must not be misleading and that it must clearly indicate that the data subject is actually giving consent for the processing.

Consent must be granted in “a statement or a clear affirmative action”. While a statement should be obvious enough – whether written or spoken by the data subject or by the controller with clear agreement from the data subject – an “affirmative action” should perhaps be clarified. An affirmative action in this context is something that the data subject does, rather than something that they achieve through inaction.

For example, offering the data subject a statement of consent in a pop-up window with a check box to indicate their consent would require an affirmative action – the data subject performs an action to indicate their consent163. The same pop-up box with a statement that will assume consent if the data subject does nothing or has the box pre-checked would not constitute an affirmative action. Using confusing phrasing (e.g. “Please uncheck the box if you do not wish to have your personal data not processed”) is likely to fall foul of the Regulation on a number of points.

Withdrawing consent

Data subjects have the right to withdraw any consent they have given, at which point the data controller must either stop processing the personal data or determine whether there are other grounds on which processing can be based.

Article 7 of the Regulation states:

 

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed whereof. It shall be as easy to withdraw consent as to give it.164

What this boils down to is that the data subject’s ability to withdraw consent is just as important as getting their consent in the first place, and should be capable of being done just as easily.

Handling withdrawal of consent is a new requirement and one that will force you to consider new methods for managing personal data. It’s also important to remember that you will need to account for data subjects who have consented to a variety of processes simultaneously. For instance, if a data subject consents to a number of different processing actions by means of a set of check boxes, they should be able to withdraw consent in a similarly simple manner. The implications of this for website and system design are significant.

Alternatives to consent

Article 6 sets out all the available lawful bases for processing personal data, the first of which is consent. The others are:

  1. If the processing is necessary to fulfil a contract that the data subject is party to, or to take steps at the data subject’s request prior to entering a contract. This would include gathering basic data about the data subject before the contract is established, or processing the personal data in order to meet the requirements of the contract. It does not extend to processing that does not fulfil the purposes of the contract. Most of the processing carried out within an employer-employee relationship is likely to be lawful on this basis.
  2. If the processing is necessary in order for the controller to comply with a legal obligation. This may relate to banks processing information about their customers in order to provide relevant reports to tax authorities or public bodies providing annual reports, and so on. In all such cases, refer to the specific law that outlines the information required. An employer’s processing of tax information in relation to its employees is likely to be lawful on this basis.
  3. If the processing is necessary to protect someone’s vital interests. This may be for security reasons or protection of economic interests. For instance, processing personal data on everyone within a specific area in order to establish appropriate measures to prevent crime. Processing information about an employee’s next of kin may be lawful on this basis.
  4. If the processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller. This condition primarily relates to public authorities such as the police, border authorities, tax bodies and their agents. In these instances, the authorities are permitted to process personal data for the purposes of protecting public interests.
  5. If the processing is necessary for the purposes of the legitimate interests of the controller or a third party, except where those interests are overridden by the interests, rights or freedoms of the data subject, especially if the subject is a child165. These legitimate interests include scientific or historical research purposes. In these cases, the Regulation recognises that it is extremely difficult to secure consent for such purposes and that such processing is generally a net benefit to society. Should the research prove detrimental to an identifiable data subject or class of subjects, however, this lawful basis will not apply.

 

‘Legitimate interests’ are ‘the specific purposes for which personal data are processed [and which] should be explicit and legitimate and determined at the time of the collection of the personal data’166.

 

The GDPR recitals also say that legitimate interests include (Recital 40) the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract. Legitimate interests can also exist where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment, including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. Recital 48 allows that the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

Recital 48 allows that controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data.

Recital 49 recognises that ‘the processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.’

Practicalities of consent

Managing consent entails a number of practical considerations, including methods of collecting consent, processes for handling review and withdrawal of consent and means of demonstrating compliance.

The burden of proving consent is firmly on the data controller. As the Regulation says, “where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation”167.

With that in mind, you’ll need to determine how to obtain proof. The obvious solution is to keep a record of all consent for each data subject. For data stored in a database, this should be relatively straightforward – you could even record when consent was given so that it can be reconciled against the data collected and the individual processes.

The actual manner of collecting consent also needs to be considered. Many organisations already have methods in place in accordance with the DPD, but the increased scope for which consent applies, as well as the more stringent requirements, mean that this should be re-examined, even if only to confirm that it still complies.

Generally speaking, there are three ways in which consent can be gained: online using a form, on physical paper, or orally via a telephone or equivalent. In the first instance, the data subject will be presented with a statement explaining what data will be collected and what it will be used for, with some method of approving the consent. On physical paper, the method might be the same – a prepared statement that the data subject signs off and hands over to the data controller. The final option is slightly different; consent could be given in a literal recording, but this may be cumbersome (because file sizes or recording media are too large), or the data subject could express their consent orally, which is then marked into a physical or digital form on the subject’s behalf by the other person on the call.

Regardless of the method you use to collect consent, you should ensure that it is readily accessible and readily editable to account for data subjects withdrawing their consent.

You should carefully review your existing processes for handling withdrawal of consent. Data subjects must be able to withdraw consent as easily as they provide it. In fact, because withdrawal of consent is so closely entwined with the data subject’s rights, in some cases withdrawing consent may actually need to be easier than giving consent if your existing method is quite difficult. It may be that your primary business doesn’t involve data processing, so you’ve never made much of an effort to make it streamlined and easy to obtain, and now you’ll need to rework how you manage consent to ensure that data subjects can exercise their rights.

For organisations with a more ordinary business model, there should be simple ways of allowing data subjects to review and withdraw their consent. Using a set of online tools or a “dashboard” that allows the data subjects to see an overview of all relevant processing, change their consent on the fly, and even update or correct their personal data, would solve a great number of issues under the GDPR.

Furthermore, an integrated solution like this will highlight to your data subjects how their personal data relates to the processing and provide them with control over how their personal data is used, thereby improving your approach to transparency and, in turn, your reputation.

You will need to ensure that whatever process or policy you choose in relation to withdrawal of consent is documented and that you can measure how well this is being implemented.

Children

Children – anyone under 16 years of age168 – are unable to consent to the processing of personal data for information society services, and so consent must be sought from the person who holds parental responsibility over the child. The Regulation explains that this is because “children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data”169.

This applies only to information society services, and only where consent is ordinarily necessary. If your processing is lawful under other grounds, then you still do not need to secure consent from the child. Of course, “information society services” are “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”170, which is to say that children cannot consent to commercial contracts over the Internet.

While this may provide quite a lot of wiggle room for organisations, such as those that provide services in person, it does mean that many businesses will need to ensure they have processes in place to confirm the age of the customer when collecting data online. The process you use to ensure that all consent is valid will need to take the age of the data subject into account, especially if you provide services that are likely to be of interest to children. This provision is likely going to be very difficult to implement effectively.

The simplest solution is to not collect any personal data, but this is unlikely to be a useful option for many organisations. Large public organisations have in the past developed guidelines for securing parental consent, including the BBC in the UK, which provided examples of how the level of consent necessary was identified and the methods used to secure it171.

Extant methods for securing parental consent offer a good basis to work from, but you should consult the supervisory authority if you have any concerns about how to secure parental consent. The BBC’s example methods range from informal for data processing that is likely to be appropriate for children of all ages and pose negligible risks to the child’s rights and freedoms, through to more thorough vetting methods when the processing involves more data or greater risk, and include:

  • simple wording asking a child to ask their parent for consent;
  • requiring the use of a clickable box to confirm that consent has been obtained before the child can proceed;
  • requiring parental consent via email (e.g. a parent confirms in an email with an address different from their child that they are happy for their child to upload a picture of themselves to the BBC site);
  • requiring verifiable parental consent e.g. a signed letter or logged personal telephone call from a parent or guardian.172

When explaining the nature of the processing to a child, even though consent will formally be given by an adult, you must use simpler, clearer language. The Regulation states: “any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand”173.

You will also need to ensure that withdrawal of consent is in place and that it is as simple to withdraw consent as it is to give consent. There are no special requirements relating to the withdrawal of parental consent beyond those of withdrawing ordinary consent.

Special categories of personal data

Processing special categories174 of personal data is prohibited under the GDPR except under specific conditions. The first of these conditions is that there is already a lawful basis for processing the personal information. The second is that one of the specific Article 9 conditions must also be met, and the first of these is the explicit consent of the data subject to the specific processing. As such, you will need to ensure that consent for any processing of special categories of personal data is very clearly documented. You should also ensure that your description of the processing itself is, if anything, even clearer than for other processing activities, as misuse of these categories of personal data can be extraordinarily damaging to the data subject.

Other conditions that allow the processing of special categories of personal data are generally based on the protection of the public good, or on the protection of the data subject and other natural persons. These exemptions will ordinarily be used by public authorities and their agents.

Data relating to criminal convictions and offences

The final category of personal data is data that relates to criminal convictions and offences, and there are no rules in place for consenting to processing of this type of data. There is, however, the requirement that such processing “shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects”175.

If any of your existing processing activities rely on this type of data, you will need to ensure that you are operating under an official capacity. There is no room in the Regulation for private or commercial processing of this data.

________________________

160 GDPR, Article 4, Clause 11.

161 This would also likely constitute profiling, so there may be additional concerns beyond that of consent.

162 GDPR, Recital 60.

163 In fact, the Regulation actually specifies this as an acceptable method of getting consent in Recital 32: “[Consent] could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data”.

164 GDPR, Article 7, Clause 3.

165 GDPR, Article 6, Clause 1.

166 GDPR Recital 39.

167 GDPR, Recital 42.

168 Note that the GDPR allows Member States to individually determine the age of consent, and that it could vary between 13 and 16. Organisations operating across member state borders will have to be aware of this and specifically deal with possible differences in the formal age of consent, and the evidence of compliance they need to obtain.

169 GDPR, Recital 38.

170 Directive 2015/1535/EU, Article 1, Clause 1 b.

171 www.bbc.co.uk/editorialguidelines/guidance/children-young-people-online/part2.

172 Ibid.

173 GDPR, Recital 58.

174 GDPR, Article 9, Clause 1, where this is defined as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, [and] genetic data, biometric data […] data concerning health or data concerning a natural person’s sex life or sexual orientation”.

175 GDPR, Article 10.