Dec 142017

Article 29 Working Party Releases GDPR Guidance on Consent and Transparency

William RM Long, Denise Kara and Francesca Blythe
, , ,

On 28 November 2017, the Article 29 Working Party (the “WP29”) published detailed draft guidelines on consent under the EU General Data Protection Regulation (the “GDPR”), which is to come into effect on 25 May 2018. The draft guidance has been submitted for public consultation for a six week period before being adopted.

The WP29 guidance on consent (“Consent Guidelines”) provides an analysis of the notion of consent under the GDPR as well as practical guidance for organisations on the requirements to obtain and demonstrate valid consent under the GDPR.

The Notion of Consent under the GDPR

Under the GDPR, consent is one of six legal bases to process personal data. Article 4(11) of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

The Requirements for Valid Consent

According to the Consent Guidelines, the key elements for valid consent are as follows:

  • Unambiguous: consent requires a statement from the individual or a clear affirmative act (i.e. it must always be given through an active motion or declaration). Silence, inactivity and the use of pre-ticked opt-in boxes are invalid. Consent cannot be obtained through the same motion as agreeing to a contract or accepting general terms and conditions of a service (e.g. scrolling down or swiping through terms and conditions which include declarations of consent). Importantly, the Consent Guidelines state that an organisation cannot swap between lawful bases (e.g. an organisation cannot retrospectively rely on the legitimate interests’ ground where it encounters issues obtaining valid consent).
  • Imbalance of power: Consent will not usually be appropriate where there is an imbalance of power between the individual and the organisation relying on consent (e.g. as between an employer and an employee), as in such circumstances, consent may not be considered freely given. The Consent Guidelines acknowledge that there may be instances where an employer can rely on consent as a lawful basis for processing employee personal data (e.g. consent from an employee to be filmed in the office as part of a marketing initiative assuming where consent is not given the employee is not penalised in any way).
  • Conditionality: Requests for consent to the processing of personal data should not be “bundled up” with the acceptance of terms or conditions or tied to the provision of a contract or service, unless necessary for the performance of that contract or service (e.g. processing credit card details in order to facilitate payment). What is considered “necessary” must be interpreted strictly.
  • Specific and Granular: Companies need to obtain separate consents from individuals for each specific purpose for which that company intends to process their personal data (e.g. one consent for direct marketing and a separate consent for sharing their personal data with other group companies).
  • Withdrawal of Consent: Individuals must be able to withdraw their consent at any time and without suffering any detriment (e.g. without incurring any cost and/or a downgrade in service).
  • Informed: Consent must be informed and must be accompanied by at least the following information: (i) the identity of the controller(s); (ii) the purposes for which consent is being sought; (iii) the type of data processed; (iv) the right to withdraw consent; (v) information about the use of data for decisions based solely on automated processing (including profiling); and (vi) any international transfers of personal data. The Consent Guidelines acknowledge that valid “informed” consent can exist, even when not all of the required information (as set out in Articles 13 and 14) are mentioned in the consent form assuming this information is provided elsewhere (e.g. in the Online Privacy Policy).
  • Clear and Distinguishable: When seeking consent, clear and plain language should be used which is appropriate to the audience. Where consent is being requested as part of a contract the request for consent should be clearly distinguishable from the other matters (i.e. it cannot simply be a paragraph in the middle of some terms and conditions).

Explicit Consent?

Where organisations are required to obtain ”explicit” consent (e.g. for processing sensitive personal data such as, health data), the individual must give an express statement of consent (e.g. in a written statement, by sending an email or via a two-stage verification process). The Consent Guidelines acknowledge that in theory, the use of oral statements can also be sufficient although, it may be difficult to prove all elements of valid explicit consent have been met.

Demonstrating Compliance?

Under Article 7(1) of the GDPR, companies are obliged to demonstrate and prove that valid consent was obtained from individuals. The Consent Guidelines recommend that companies keep records of how and when consent was given and the specific information given to them at the time of obtaining consent in order to demonstrate compliance.

Duration

There is no specific time limit in the GDPR for the validity of a consent and according to the Consent Guidelines, it will depend on the context, the scope of the original consent and the expectations of the individual who gave consent.

Withdrawal Mechanism

Organisations must ensure that consent can be withdrawn as easily as it was given and at any time. The Consent Guidelines provide an example of where the withdrawal mechanism offered is not sufficient where consent is given online by clicking yes or no but to withdraw consent the individual must call a customer helpline. However, the Consent Guidelines acknowledge that the GDPR does not say that giving and withdrawing consent must always be done through the same action.

All data processing operations that were based on consent and took place before the withdrawal of consent remain lawful. According to the Consent Guidelines, if there is no other lawful basis for justifying the processing (e.g. further storage) of the data, the data should be deleted or anonymised. In cases where consent is withdrawn and the organisation wants to continue to process the personal data on another lawful basis, the organisation “cannot silently migrate from consent to this other lawful basis”.

William RM Long

London

wlong@sidley.com

Denise Kara

London

dkara@sidley.com

Francesca Blythe

London

fblythe@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).