Under the Regulation a data subject’s consent to lawfully processing their personal data should be given explicitly by an appropriate method enabling a freely given, specific and informed indication of the data subject's wishes. It will also make clear that the data subject must provide their consent through a "statement or by a clear affirmative action".
This new definition of consent may impact how consent is obtained and evidenced, whether it is given in a written document or in accessing online services through a web site, as well as the methods used by data controllers to inform data subjects of the purposes of data processing. The new requirements point to more specific information having to be delivered and delivered in a more obvious manner to individuals.
Also in relation to notices and prior information to be provided to data subjects by data controllers, the Regulation includes, under Article 14, a list of information that data controllers must provide to data subjects when their personal data is collected. This list of information is more extensive than that set out in the current Data Protection Directive (95/46/EC) and these new requirements as to provision of information to data subjects will need to be reviewed and considered as against existing privacy notices and consents.
Data Subjects’ Consent
The existing Data Protection Directive (95/46/EC), in Article 2, defines data subject consent as:
“any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
Although the definition appears reasonably clear, it is considered as “too general”, and in practice has resulted in different interpretations in the laws and by the data protection authorities of Member States.
As a result, and because the definition as drafted, does not offer sufficient guarantees for data subjects, the Article 29 Working Party Group produced an opinion (dated 13 July 2011, WP187), identifying the key requirements for obtaining a lawful consent from a data subject in order to process their data:
- Form: Although there are no restrictions on the form that consent can take, in order for the consent be valid, it should be an indication by which data subject signifies his agreement.
- Real choice: consent will only be valid if the data subject is able to exercise a real choice and there is no risk of significant negative consequences if he/she does not consent.
- Specific: the consent should be given for a specific purpose, and
- Informed: the consent must be given as part of an informed decision made by the data subject, therefore the data controller must provide sufficient information to enable the data subject to make an informed decision.
In light of the WP187 opinion, the Regulation tries to clarify the concept of consent and solve these interpretation issues that have arisen through the years by adding a new perspective to the general concept of consent as well as by introducing “conditions for consent” to be valid (Article 7) and the conditions for gathering consent from children in relation to online services (Article 8).
Changes in detail
New General Concept:
Under Article 4 of the Regulation "consent" means:
- “a freely given, specific, and informed indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.
A reference to the consent also needing to be “explicit” (even just for normal personal data as opposed to sensitive personal data) was dropped in preference for the reference to consent being “unambiguous” and the reference to indication of consent through affirmative action.
Ways to lawfully gather data subjects’ consent:
Under Article 7, the Regulation introduces some guidelines to be followed by the data controller when seeking a lawful consent from the data subject but before setting these out it is worth highlighting that consent may not always be required. There may be another basis on which data can be processed (eg performance of contract) The conditions applicable to obtaining consent are:
1. The data controller will have the burden of proving that the data subject has given their consent to the processing and has to be able to demonstrate that the consent met the requirements described above.
If the consent is obtained in the course of a data subject engaging in another transaction (eg buying goods/services) the data controller will need to be sure that the data subject is aware that they have given consent to data collection and processing and to what extent consent is being given. The requirement to give consent will have to be presented in a manner which is clearly distinguishable from the other acknowledgments or agreements required from the data subject.
For example, website operators will have to ensure that, if consent is required in relation to data collection/processing, consent is collected in such a way that they obtain a (specific and clear ) consent from their users that allows them to comply with their legal obligation while, at the same time, not interrupting or otherwise affecting the user’s online experience. Hence clicking on a tick-box online seems to be a good alternative to making a statement of consent. They will also have to ensure that website privacy policies reflect the new consent requirements as well as the notice requirements described below.
2. The data subject has the right to withdraw his/her consent at any time and must be told about this right.
Note that the withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal nor will it affect the lawfulness of processing of data based on other grounds.
3. Consent will not provide a legal basis for data processing, where there is a significant imbalance between the position of the data subject and the controller and this imbalance makes it unlikely that consent was given freely (Recital 34). In addition, "utmost account" must be given to whether the performance of a contract is made conditional on consent to data processing that is not necessary to perform the contacts (Article 7).
Recital 34 and Article 7 sets out a point of interpretation that has been adopted by a number of Member States’ data protection authorities for some time. The imbalance of power is felt to particularly exist in relation to the employee/employer relationship and a number of Member States’ data protection authorities take the view that consent cannot be validly obtained in the context of an employee/employer relationship. Article 82 there is provision for Member States to pass their own laws related to data processing in the employment context and this may include additional rules relating to consents and notices.
Obtaining consent from children online:
Under Article 8 of the Regulation, when offering online services directly to a chid below the age of 16 years (or as low as 13 years if provided by Member State law, his/her consent for processing his/her personal data will only be lawful if it is given or authorised by the child's parent or guardian. In addition, data controllers will have to make reasonable efforts to verify that the consent has been given by the parent or guardian taking into consideration the available technology.
Notices and information to be provided by controllers to data subjects
A list of information which must be provided to the data subject is entitled is set out in Article 14.
This list of information to be provided by data controllers to data subjects is more extensive than was set out in the Data Protection Directive (95/46/EC) and the requirements are more prescriptive. The following table summarises the requirements:
What information should be provided? (Article 14/14a)
- Data controller’s identity and contact details (including of his representative and data protection officer).
- The purpose(s) for which data is processed, including the legal basis for the processing (and if that is the “legitimate interests” of the data controller what those “legitimate interests” are)
- Existence of the data subjects' rights to access, to rectify, to erasure, to object to processing or to obtain the data as well as the right to data portability.
- Right to withdraw consent.
- Recipient or categories of recipients to whom the data will be disclosed.
- Intention to transfer the data subject's personal data to a country outside the EU or international organisation and information about the level of protection for data afforded by any of those.
- Right for data subjects to lodge a complaint with the national data protection authority and its contacts details.
- If the data processing is a statutory/contractual requirement, whether the data subject is obliged to provide the data on that basis and the possible consequences of failure to provide the data.
- Information about the existence of profiling undertaken based on data and its effects.
- Any further information which is necessary to guarantee fair processing having regard to any relevant code of conduct or relevant guidance (specifying any high risk processing activities).
- If not obtained from the data subject, the source of the data unless the personal data originates from publicly available sources.
How should the information be provided?
- The information must be provided in an intelligible and easily accessible form.
- Using clear and plain language.
- In writing and, where appropriate, electronically.
When should the information be given? (Article 14/14a)
- If the data is collected from the data subject at the time it is obtained.
- If the data is not collected from the data subject:
- at the time it is collected, or within a reasonable period after collection and, in any event, within 1 month
- if a communication with the data subject is envisaged, at the time of the first communication with the data subject
- if a transfer to another recipient is envisaged, at the time of the first transfer.
Data subject consent under the Regulation is still focused on the key elements that shaped the concept under the Data Protection Directive (95/46/EC) (i) freely given, (ii) prior information, and (iii) essentially revocable by the data subject at any time.
However, the above requirements, taken together, will require data controllers to revisit all of their data processing notices, consents and privacy policies to ensure that the consents and notices are unambiguous and deliver the additional information required. In addition, in relation to situations where there is an imbalance of power between the data controller and the individual other justifications for processing will have to be found. This is most likely to be problematic in the employer/employee relationship but as is currently the case in a number of EU Member States.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.