On November 28, 2017, the Article 29 Working Party ("WP29"), the group representing national data protection authorities in the European Union, adopted a draft of the "Guidelines on consent under Regulation 2016/679" (the "Guidelines"). The draft is open for comments until January 23, 2018.
The Guidelines build on the WP29 "Opinion on the definition of consent" (the "Opinion"), which was adopted in July 2011. The Opinion assessed the notion of consent under Directive 95/46 (the "Data Protection Directive"). The new draft of the Guidelines reflects the evolution of the concept of consent under the General Data Protection Regulation ("GDPR").
Under the GDPR, higher standards apply for obtaining a valid consent. The GDPR requires consent to be freely given, specific, informed and unambiguous. In addition, consent must be based on a clear affirmative action, and individuals must be able to withdraw it at any time.
The Guidelines provide an overview of the crucial elements of consent under the GDPR, which are:
- Consent is only one of the legal grounds for conducting data processing activities under the GDPR. On this basis, before starting a processing operation, organizations should always determine whether consent constitutes the appropriate legal ground.
- Consent is an appropriate legal basis only when data subjects are offered real control over their personal data. In particular, data subjects must be free to accept or decline the terms offered without any detriment (e.g., without incurring any negative consequence).
- Consent is not considered to be freely given when the relationship between the organization processing the personal data and the data subjects has an "imbalance of powers." The WP29 points out that although this is often the case when the data processing activities are carried out by public authorities or by employers in relation to their employees' data, an assessment of the circumstances of each specific situation must be conducted. In particular, even in those cases, organizations could still rely on consent when there is no risk of negative consequences for the data subject if he or she denies it.
- In order for consent to be freely given, it should not be bundled with the acceptance of other terms and conditions. Similarly, a request for consent to process personal data that are not necessary to perform a contract or service should not be tied to the provision of that contract or service. In that regard, the WP29 points out that the processing of personal data for which consent is requested cannot become the "counter-performance" of a contract. In order for consent to be valid, the data subjects should have the option to have the contract performed or the service delivered even if they deny consent to use the additional data in question.
- Under the GDPR, consent must be specific. The WP29 states that in order to comply with this requirement, organizations should (a) identify a specific, explicit and legitimate purpose; (b) apply granularity in consent requests (meaning that users should be allowed to give specific consent for specific purposes); and (c) ensure that information provided for the purpose of obtaining consent is clearly distinguished from information related to other matters.
- The GDPR requires consent to be informed. The Guidelines provide a list of information to be communicated to data subjects in order for them to make informed decisions. This should include, at a minimum, (a) the controller's identity; (b) the purpose of the processing operations; (c) the type of personal data collected; (d) the existence of the right to withdraw consent; (e) whether personal data will be used for decisions based solely on automated decision-making (e.g., profiling); and (f) where consent is required for the transfer of data outside the European Economic Area, the risks involved and the appropriate safeguards put in place to address them. The WP29 also specifies that when data obtained upon consent will be used by joint controllers, or when the personal data will be transferred to other controllers or processors that will rely on the original consent for their processing activities, the names of all these organizations should be included in the information provided.
- Organizations are free to choose the format in which they provide information to data subjects (e.g., written or oral statements, audio or video messages). When determining how to communicate the information, organizations should start by identifying the targeted audience. The Guidelines clearly state that, regardless of the format used, organizations should avoid "illegible privacy policies" or "statements full of legal jargon." In order to provide information that is complete and precise while also understandable, the Guidelines recommend using layered and granular information.
- The Guidelines specify that when relying on consent, organizations should comply with two different sets of information requirements: (a) providing the information needed to obtain consent and (b) providing information notices on the data processing activities. The WP29 clarifies that although these are two different GDPR requirements, they can be addressed with an integrated approach.
- The GDPR requires that withdrawing consent be as easy as giving consent. However, the WP29 states that this does not mean that the withdrawal must be done using the same forms as those used for giving consent.
What about Legacy Situations?
The Guidelines assume that legacy processing operations, i.e., those based on consent granted before the entry into force of the GDPR, comply with the requirements of the Data Protection Directive. However, the WP29 makes clear that, for these legacy operations, organizations are not required to completely refresh all existing consent relations. Consent obtained before the GDPR remains valid in so far as it is in line with the conditions laid down in the GDPR. Consequently, organizations should make sure that existing consents meet the GDPR standards. If this is not the case, consent will have to be renewed (or processing conducted on the basis of other legal grounds). If you have not done so yet, it is time to screen your existing practices to determine what steps you may need to take for compliance.