Consent: one of six lawful bases to process personal data, in GDPR

Article 6 of Regulation 2016/679, the General Data Protection Regulation (hereafter: GDPR), sets the conditions for lawful personal data processing and describes the six, and only six, lawful bases for personal data processing, only one of which is consent.

It is important to note that one of these six bases must be established prior to processing for each specific purpose. Generally, consent can only be considered a lawful and appropriate basis for personal data processing, if a data subject is offered control and is offered a real choice with regard to accepting the terms offered.

More exactly, Article 4(11) of the GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Breaking that down into its constituent parts, we get:

1. freely given,
2. specific,
3. informed and
4. unambiguous indication

Free / freely given

The element “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. Without a valid basis for processing, the data controller could be in breach of the regulations.

To understand the term “free” more fully, it is worth looking at Power, Conditionality, Granularity & Detriment, as these four terms were highlighted in the guidelines from the Article 29 Working Party.


Where there is an imbalance of power between the data subject and controller, consent can be tricky grounds to rely on. For example, it is unlikely that public authorities can rely on consent for processing, as whenever the controller is a public authority, there is often a clear imbalance of power in the relationship between the controller and the data subject. Similarly, making consent to data processing a condition of employment would be difficult for an employer to rely on.


To assess whether consent is freely given, or whether there is conditionality involved, we need to consider Article 7(4) GDPR, which frowns upon the “bundling” of consent with acceptance of terms or conditions, or “tying” the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract or service.


A service may involve multiple processing operations for more than one purpose. In such cases, the data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes. In a given case, several consents may be warranted to start offering a service, pursuant to the GDPR.


The controller needs to demonstrate that it is possible to refuse or withdraw consent without detriment (recital 42). For example, the controller needs to prove that withdrawing consent does not lead to any costs for the data subject and thus no clear disadvantage for those withdrawing consent.

In summary, free means free when it comes to giving consent. Accordingly, consent will not be considered to be free if the data subject is unable to refuse because of his/her circumstances, because of a need to use the service, or because it was too difficult to withdraw consent.


Consent can be granted for one or more purposes. A data subject may provide an address so they can pass a credit check, but that is not the same as consenting to receive marketing through the post.

Article 6(1)(a) confirms that the consent of the data subject must be given in relation to “one or more specific” purposes and that a data subject has a choice in relation to each of them. The requirement that consent must be ‘specific’ aims to ensure a degree of user control and transparency for the data subject.

The documents from Working Party 29 mandate that at least the following information is required to meet the test of specificity:

(i) the controller’s identity,
(ii) the purpose of each of the processing operations for which consent is sought,
(iii) what (type of) data will be collected and used,
(iv) the existence of the right to withdraw consent,
(v) information about the use of the data for automated decision-making in accordance with Article 22(2)(c) where relevant, and
(vi) on the possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards as described in Article 46.


When seeking consent, controllers should ensure that they use clear and plain language in all cases. This means a message should be easily understandable for the average person and not only for lawyers. Controllers cannot use long privacy policies that are difficult to understand or statements full of legal jargon. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form.

A controller must assess what kind of audience it is that provides personal data to their organisation. For example, in case the targeted audience includes data subjects that are underage, the controller is expected to make sure information is understandable for minors.

Unambiguous Indication

The GDPR is clear that consent requires a statement from the data subject or a clear affirmative act, which means that it must always be given through an active motion or declaration. Not objecting is no longer considered a suitable test. It must be obvious that the data subject has actively consented to the particular processing.

A “clear affirmative act” means that the data subject must have taken a deliberate action to consent to the particular processing. Consent can be collected through a written or oral statement, including by electronic means.

A controller must also beware that consent cannot be obtained through the same motion as agreeing to a contract or accepting general terms and conditions of a service. Blanket acceptance of general terms and conditions cannot be seen as a clear affirmative action to consent to the use of personal data.


The GDPR does not allow controllers to offer pre-ticked boxes or opt-out constructions that require an intervention from the data subject to prevent agreement (for example ‘opt-out boxes’).


When producing some kind of consent form, it can be difficult for the author to be dispassionate about his or her own work. It is worth getting an outsider to review it and make sure it passes the criteria above.
