While some have viewed the General Data Protection Regulation’s approach to consent as merely adjusting the existing regime, the Information Commissioner’s draft guidance suggests a more fundamental change: “a more dynamic idea of consent: consent as an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away”. In this it continues a long-standing view from the UK Commissioner that consent should probably be the last of the six available justifications to be considered, unlike other European countries where law or practice appear to consider it first. Indeed there’s even a hint that consent should be reserved for an entirely different kind of data processing: that which isn’t “necessary” but is done as a voluntary collaboration between data subject and data controller. As Chris Pounder has pointed out, where consent is used the data subject, not the data controller, must be in control.
Where processing is necessary, one of the other five justifications (contract, legal duty, vital interests, public function, legitimate interests) should be used. The guidance notes that one of the others must be used if “you would still process the data without consent”. If an attempt to withdraw consent results in “we need to carry on processing” then the original consent was almost certainly invalid, and the misinformation given when it was obtained is likely to make any other basis doubtful as well. Any situation where the data controller is “in a position of power” over the data subject is likely to render consent unreliable – employers and those exercising public authority need to look particularly carefully at the guidance on ensuring that consent is genuinely free.
That leaves consent to be used “when no other lawful basis applies”, though it’s clear that consent cannot cover all such circumstances. If no other basis applies and you can’t meet the requirements of consent, then it is likely that your processing has no legal basis and is therefore unlawful. Instead, consent should reflect a positive relationship between data controller and data subject, building trust to “encourage [data subjects] to trust you with more useful data”. In that kind of relationship, meeting the requirements for valid consent should not be hard: if it is, then you should check whether this is really the right approach.
The guidance notes that the Regulation “sets high standards for consent” though it appears that when used properly, those standards should be a relatively natural result of the relationship. The guidance hints strongly that many current uses of “consent” are unlikely to meet those standards. Data controllers should review how they actually use personal data and fix any forms, notices, documents and processes to reflect the true legal basis. Where existing lists are found to have been gathered using a lower standard of consent, these are likely to need refreshing. Given the widespread use of consent under current data protection law, and the high fines for misusing it under the Regulation, this should probably be a high priority for action before May 2018.