On 12 December 2017, Article 29 Working Party (WP29) published its long-awaited draft guidelines on consent under the GDPR. The guidelines build on WP29’s ‘Opinion on the definition of consent’, adopted in July 2011. As with the draft guidance on transparency, published the same day, WP29 invites comments to be submitted by 23 January 2018.
The guidelines state that generally, in order to use consent as an appropriate lawful basis the data subject should be offered control and genuine choice when it comes to accepting or declining the terms of processing. The guidelines are broken down into various sections. These sections analyse the different parts of the wording of Article 4(11) of the GDPR, which defines consent, and look into whether controllers need to amend their consent forms in order to comply with the GDPR.
Article 4(11): “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The analysis is divided into the following sections:
- Free/freely given
- Imbalance of power
- Conditionality
- Granularity
- Detriment
- Specific
- Informed
- Unambiguous indication of wishes
- Additional conditions for obtaining valid consent
- Interaction between consent and other lawful grounds in Article 6 GDPR
- Specific areas of concern in the GDPR
- Consent obtained under Directive 95/46/EC
Under the granularity section, the guidance states that in order to comply with the conditions for valid consent when the processing of personal data is carried out for several purposes, each purpose will need to be separated and consent will need to be obtained for each one. The example provided is a retailer asking its customers for consent to use their data to send marketing emails and to share their details with other companies within their group. Under these circumstances, such consent is not valid as these are two separate purposes and therefore two separate consents are required.
WP29 also lists the minimum information that data subjects need to be provided with in order for consent to be ‘informed’ and therefore valid. The guidance also states that in certain circumstances more information may be needed in order to properly inform the data subjects of the processing and allow them to make a genuine choice.
The issue of how consent should be given in order to be valid under the GDPR has been a hot topic of discussion. The guidelines state that physical motions can be considered a clear affirmative action that complies with the GDPR. Some examples of how consent may be given through electronic means and be considered valid are: swiping on a screen, waving in front of a smart camera, and turning a smartphone around clockwise or in a figure-eight motion. WP29 states that these are all possible options to indicate consent. WP29 also touches upon the fact that in an online context, one example of obtaining consent is via the data subject’s Internet browser settings. This somewhat circumvents the issue of ‘click fatigue’, where users faced with multiple consent requests do not properly read what they are consenting to.
For organisations wondering if their current processing consents are valid, the guidelines state that data controllers must review their current work processes and records in detail to make sure that all existing consents meet the GDPR standard. Since the GDPR introduces various new requirements and raises the bar when it comes to implementing consent mechanisms, it is likely that controllers will need to alter their consent mechanisms as well as rewrite their privacy policies. WP29 states that all presumed consents that were based on an implied form of action instead of a clear affirmative action will not be considered valid under the GDPR, an example of which is a pre-ticked opt-in box.
The guidelines make reference to the fact that WP29 is aware that the notion of consent under the draft ePrivacy Regulation is linked to that of consent under the GDPR. They state that WP29 has provided the European legislator with guidance and recommendations in this respect. The guidelines further state that the conditions for obtaining valid consent under the GDPR are applicable in situations that fall under the scope of the e-Privacy Directive.