Descriptive deconstruction of the conceptual and practical significance of Consent (GDPR)

Posted on 16 Jul 2018, by Agis Charalambous

The intricate concept of consent, together with its role and its implementation framework, enhances its use as a legitimate processing basis and proves to be one of the most widespread ways of enhancing the autonomy of the person/subject, particularly in the field of personal data. As has been the case to date, because of the impossibility of committing the opinions that will be mentioned below, such an important doctrine as that of consent was not given due importance. Therefore, after the end of the grace period of two years, the new regulation will create a more stringent and safer environment for the benefit of the data subject, since the privacy regime as it stood would have led to serious degradation.

The requirements for obtaining and proving one of the six registered legal processing bases in accordance with Article 6 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and for the free movement of such data and the repeal of Directive 95/46/EC (hereinafter referred to as "the Regulation") have now been further specified and clarified.

This text will be developed in the light of the primary interpretation of Directive 95/46/EC (hereinafter referred to as the "Directive"), of Opinion No 15/2011 of the Article 29 Working Party (hereafter "AG29"), and of the recent revised AG29 guidelines adopted on 10 April 2018 (hereinafter referred to as the "Guidelines"). Initially, it will focus on the upgraded interpretation given to consent as a legitimate basis of processing, and thereafter the established conditions for acquiring and proving valid consent will be considered. Undoubtedly, however, these two issues are inseparably linked, as the legislator always seeks to broaden and establish these conditions for more ideal and effective guidance on the basis of the interpretation of the constituent elements.

The crucial role of consent has already been pre-defined by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, which greatly enhances and justifies the intense efforts of a more modernized and stricter reform than the Regulation.

While it can be observed that the two definitions of consent, the Directive’s and the Regulation’s, are similar in their wording with some minor differences, what the Regulation essentially enshrines is, based on previous opinions, a better and more detailed explanation of the conditions for the acquisition of valid consent. These are specified in Article 7 of the Regulation and relate to the evidence of consent acquired by the controller, the distinct, clear, comprehensible and simple wording of the consent, the ease of provision / withdrawal and the possibility of revocation at any time, and the avoidance of its conditional inclusion in the context of a contract, including the provision of a service.

According to the Directive and previous opinions, in particular Opinion 15/2011 of the AG29, the elements of free, specific, explicit and informed consent have been consolidated in Article 4 (11) of the Regulation, thus giving room for further development based on the binding text.

Consent, as interpreted in the draft bill proposed by the Commissioner for Personal Data Protection as the competent supervisory authority, under the Regulation, means (Translation from the text in Greek):

“any indication of will, free, specific, explicit and in full knowledge, by which the data subject expresses that he or she agrees, with a statement or with a clear positive action, that the personal data relating to him / her are going to be processed.”

By contrasting this definition with that given for the harmonization of the Directive in the Processing of Personal Data (Protection of Individuals) Law of 2001 (138 (I) / 2001), one can understand that the elements of free, explicit, knowledge and indication of will remain, while the clarity element is added with further clarification on a positive action or statement referring to the phrase "unambiguous indication by means of a statement or by a clear affirmative action". The reference to an unambiguous indication is not entirely unprecedented, as it is also included in Article 7 (a) of the Directive, as is the reference to the indication of will. What is distinguished, however, is the positive action or statement that gives an extra hint of difficulty. The data subject should have proceeded with deliberate action to consent to the specified processing. Consequently, in the context of specification, no general consent can be given to all forms of processing. Instead, the controller should give detailed information about each processing purpose in order for the data subject to be able to control his or her personal data.

However, due to what has been said above, under the element of Informed consent, the need for continuous contact with the data subject (with the exception of the elasticity shown in recital 33 on scientific research) is intensified.

Additionally, in the context of Freely Given, there is a need for a choice between different processing purposes and, in particular, when the controller is a public authority and hence in a position of superiority. In accordance with Article 5 (1) (b) and Recital 32, the consent given in this case may serve all the processing operations provided they are covered by the same purpose.

In accordance with Article 7 (1) of the Regulation, the additional burden of proof of the consent given over the processing period lies on the controller's shoulders with such mechanisms, as highlighted in the recent guidelines, at the discretion of the controller. This will become more difficult, particularly in cases where the performance of a contract, including the provision of a service, requires consent, even if it is not necessary for such execution.

Depending on the performance of the contract and not only, but also in accordance with recital 42, the data subject should be able to proceed with selection without any possibility of coercion or other significant adverse effects in the case of withdrawal or non-consent such as fraud, intimidation and coercion. This should also be reasonably expected as a result of the correct application of Article 7 (2) of the Regulation, where the request for consent must be presented in a comprehensible, easily accessible form, clear and plain wording and without any unfair terms in the case provided in a written declaration.

Furthermore, the guidelines point to the need for a direct and objective link between the proposed processing and the conventional purpose. This is also linked to the Minimization Principle, as the collection and processing of personal data should be necessary for the performance of the contract, as in the case where the processing of the residence address of the subject is necessary for sending goods purchased over the internet. In the case in which the processing is actually necessary for the performance of the contract, Article 7 (4) is not applicable and the legal basis of consent will not be the ideal one for exploitation, except where there is a choice of consenting between an equivalent service offer from the same controller. This ensures free choice without causing the subject to look for an equivalent service from different providers.

However, the necessity of collecting and processing the data on the basis of its processing purposes is not limited only to a contract; according to Recital 39, it is subject to universal application, in particular to the subsequent storage and conservation period, which is to be limited to the minimum and to the extent necessary for that purpose (storage limitation).

The constituent elements of consent remain interrelated and have a continuous influence on each other, as is emphasized by AG29; e.g. the need to provide more and more detailed information is not only aimed at satisfying the element of free consent, but also serves specificity and knowledge under the supervision of the Transparency Principle as explained in recital 58. However, under no circumstances should the obligation to comply with the processing Principles as set out in Article 5 of the Regulation be subsumed or detracted from.

Referring to Article 7 (3) of the Regulation, what remains to complete the general framework for valid consent is the ease of provision / withdrawal and the ability to withdraw it at any time. Article 7 (3) essentially codifies previous opinions, and imposes a stricter line on the means of withdrawal and prior notice to the subject of that right. The guidelines, by naming the withdrawal as one of the two additional conditions, reject a common mechanism such as one-touch consent and withdrawal by telephone during the opening hours of that e-shop. The rejection lies in the fact of disproportionate provisioning and withdrawal, as one of the most significant problems of apparent simplicity for obtaining valid consent. However, the right of erasure remains on the basis of Article 17 (1) (b) and (3) after withdrawal of consent. Nevertheless, what makes it difficult for a controller to do so is the obligation to constantly check the suitability / necessity of data processing, even without any request for removal/erasure from the subject.

As correctly observed by AG29, requirements for valid consent are not considered as an "additional obligation" but probably as a prerequisite for lawful processing. However, whether they can be perceived as such is still questioned, as a large proportion of data usage is based on this legitimate basis. Although the specifications of the Regulation had been announced in previous opinions, the full force of the Regulation imposes a form of additional liability on the data controller due to the much higher penalties / fines.

However, data controllers are not automatically forced to carry out a complete renewal of the processes based on the legal basis for consent obtained under the Directive provided they verify their compliance with international data protection standards.

Implied consent that has been provided, but without any record and proof, will be deemed to be inferior to the criteria for obtaining a valid consent under the Regulation and therefore invalid. Additionally, on the basis of the most widespread form of consent in the online world, any attempt at automation and preselection (see Pre-ticked selection Boxes) will be void, as well as selecting the exclusion (see Boxes of Exclusion) provided that it is based on implied consent. In a nutshell, the Regulation does not only seek to reassess the privacy policies, but also to reform the mechanisms for obtaining valid consent.

In conclusion, the above changes and clarifications on the constituent elements under the conditions of valid consent can be summarized in the following substantive acts, in line with the UK Information Commissioner's (ICO)[1] guidelines of 2 March 2017.

  1. Unbundled - Consent must be kept separate from other terms and conditions and must not be a prerequisite for signing up to a service unless it is necessary for that service.
  2. Active Opt-in - Pre-ticked opt-in boxes are invalid (opt-out tick boxes are not banned per se under the Regulation, but they are essentially the same as pre-ticked boxes which are banned so should not be used).
  3. Granular - Provide options to consent to different types of processing where appropriate.
  4. Named - Name the controller and any third party based on consensus.
  5. Documented - Keep records of what data subjects have consented to, what they were told, and when and how they consented.
  6. Easy to withdraw - Inform data subjects that their consent may be withdrawn at any time and provide information on how to do so (which must be easy to action).
  7. No imbalance in the relationship - Consent will not be freely given if there is an imbalance in the relationship between the data subject and the controller.

 [1]   Consultation: GDPR consent guidance

For any further information please contact Agis Charalambous, Associate of Michael Kyprianou and Co. LLC by email at agis.charlambous@kyprianou.com or by phone at +357 22 447777.