The concept of ‘consent’ should be a fairly self-explanatory one. It is not a unique idea; consent simply signifies a “meeting of minds” and has long been one of the core principles of contract law. However, recent times have witnessed unsettling discussions surrounding ‘consent’ across divergent areas of the socio-legal spectrum. In this blog post our focus is limited to ‘consent’ in the paradigm of EU data protection law.
‘Consent’ was one of the lawful grounds for processing personal data even before the GDPR came into force in May 2018. However, the GDPR goes further in codifying the essential ingredients of a valid consent. The rest of this post discusses the core elements of consent under the GDPR.
As per Article 4(11) of the GDPR, consent must be:
Each part is examined separately hereafter.
‘Freely given’ simply means that the data subject’s consent to processing should not be motivated or influenced by the controller through tactics such as coercion, disincentives, hardship, intimidation or conditioning access to services on consent. In this regard, some specific points that the GDPR emphasizes are:
A recent incident exemplifying an Article 7(4) situation is the Washington Post’s use of cookies on its website. The Washington Post obliged readers either to consent to third-party tracking and targeted advertising or to buy a premium subscription for a fee. On 19 November 2018 the ICO warned the Washington Post that its approach to obtaining user consent violated Article 7(4) of the GDPR: readers could not give consent freely, because access to the service was made conditional on consent even though the data processing was not necessary to provide that service. For more details on cookies, please see our blog post on cookies.
Here specificity relates to the purpose of processing: consent must be specific to the purpose for which it is sought. Where there are several purposes, separate consent must be obtained for each processing purpose, so consent must be granular. This is embodied in recital 32 of the GDPR, which clarifies that “when the processing has multiple purposes, consent should be given for all of them.”
The GDPR reinforces the information rights of data subjects in several places, including in relation to consent. This is in line with the GDPR’s underlying principle of transparency. Consent must be informed and reasoned, which requires that certain minimum information be provided to data subjects before consent is obtained. As per the WP29, the following minimum information must be given for consent to be valid:
While the GDPR prescribes no particular form, it mandates that the information be presented in a manner that is intelligible and easily accessible, using clear and plain language. Further, the request for consent must be clearly distinguishable from other matters. Therefore, consent cannot legitimately be buried in a list of other terms on a website; it must be dealt with in a separate document or section that clearly stands out. The WP29 suggests providing the information in a layered structure, so that it is clear, plain and intelligible while still containing all relevant information.
The GDPR requires a statement or a clear affirmative action by the data subject to indicate consent. This means that silence, inactivity and pre-ticked boxes do not meet the GDPR’s criteria; there must always be a deliberate and active motion or declaration for consent to be valid. Recital 32 of the GDPR clarifies this in detail and states that, while consent can be given electronically, in writing or orally, the indication of the data subject’s acceptance must always be clear. Controllers therefore have the freedom to design a consent flow that suits their organization, within the parameters of the GDPR. Bearing that in mind, the WP29 considers that physical motions such as swiping a bar on a screen or waving in front of a camera can qualify as clear affirmative action and thus constitute valid consent. Simply continuing to scroll through a website, however, does not qualify, since that action is not sufficiently unambiguous.
In certain processing situations where the risks to data subjects’ rights are high, the GDPR requires explicit consent rather than regular consent. For instance, explicit consent is required for processing special categories of data under Article 9, for international transfers that rely on consent in the absence of an adequacy decision or appropriate safeguards under Article 49, and for automated decision-making, including profiling, as described in Article 22 of the GDPR.
While the GDPR does not define ‘explicit consent’, the WP29 explains that the term ‘explicit’ refers to the way consent is expressed: it must leave no room for doubt about the data subject’s intentions. Consent must therefore be given by an express statement, the most obvious form being a written and signed statement of consent. In the digital context, explicit consent could be obtained by filling in an electronic form, sending an email, uploading a scanned signed document, etc. A two-step verification of consent is a particularly robust way of ensuring that the consent is explicit.
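To make the elements discussed above concrete for developers building a consent flow, here is an added example (not from the original post, and not any regulator’s or vendor’s code) of how a consent form could be validated and recorded: every purpose starts unchecked, each purpose yields its own record so that consent is granular and can be withdrawn per purpose, a bundled “accept all” field is rejected, and purposes flagged as needing explicit consent only count once a separate second confirmation step has been completed. The purpose names, field names and the `explicit` flag are invented for illustration.

```python
"""Validate and record per-purpose consent submissions.

Added example, not part of the blog post. All purpose names, field
names and the 'explicit' flag are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical purposes. Those marked explicit=True (e.g. a purpose that
# involves special-category data) require a separate second-step
# confirmation before the consent is treated as given.
PURPOSES = {
    "newsletter": {"explicit": False},
    "analytics": {"explicit": False},
    "health_profiling": {"explicit": True},
}


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str            # one record per purpose: granular consent
    granted: bool
    notice_version: str     # which version of the information notice was shown
    timestamp: str          # when the choice was recorded (UTC, ISO 8601)
    explicit_confirmed: bool = False


def default_form_state(purposes=PURPOSES):
    """Initial form state: every box unchecked. Silence is not consent."""
    return {name: False for name in purposes}


def validate_submission(subject_id, form, notice_version,
                        confirmations=(), purposes=PURPOSES, now=None):
    """Turn a submitted form into per-purpose consent records.

    form          -- {purpose: bool} exactly as ticked by the user
    confirmations -- purposes the user confirmed in a separate second step
    Returns (records, errors). A purpose with a problem is recorded as
    not granted rather than silently defaulting to consent.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    records, errors = [], []

    # A single bundled field ("accept_all" or any unknown key) is not
    # specific to a purpose, so it never counts as consent for anything.
    for key in form:
        if key not in purposes:
            errors.append(f"{key}: not a recognised purpose (bundled consent rejected)")

    for name, meta in purposes.items():
        if name not in form:
            errors.append(f"{name}: no choice recorded")
            records.append(ConsentRecord(subject_id, name, False, notice_version, ts))
            continue
        granted = form[name] is True      # only an affirmative tick counts
        confirmed = name in confirmations
        if granted and meta["explicit"] and not confirmed:
            errors.append(f"{name}: requires explicit (second-step) confirmation")
            granted = False
        records.append(ConsentRecord(subject_id, name, granted,
                                     notice_version, ts, confirmed))
    return records, errors


def granted_purposes(records):
    """Purposes the controller may actually rely on, in form order."""
    return [r.purpose for r in records if r.granted]


if __name__ == "__main__":
    # Constructed sample submission: user ticks two boxes, one of which
    # needs a second confirmation step that has not been completed.
    submitted = {"newsletter": True, "analytics": False, "health_profiling": True}
    recs, errs = validate_submission("subject-42", submitted, "notice-v3")
    print(granted_purposes(recs))   # ['newsletter']
    print(errs)
```

The point of `granted_purposes` is that downstream code should only ever ask “which purposes were affirmatively granted?” rather than inspecting raw form fields, so a missing field, a bundled flag or an unconfirmed explicit purpose can never be mistaken for consent.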
From the above discussion, one can conclude that the crux of the concept of consent under the GDPR is that consent should be a genuine, informed and reasoned expression of the data subject’s decision regarding the use of their personal data. It rests on the legislative intent of protecting the informational privacy of data subjects by giving them ultimate control over their personal data.
Further reads