I’ve read two documents this week – one academic paper and one guide from the Information Commissioner – pointing out that just because someone chooses to participate in an activity doesn’t mean that Consent is the appropriate legal basis for processing their personal data. There might be several reasons for that…
First, if the nature of the activity for which the individual volunteers requires a longer-term commitment then frequent flips in and out – which must be provided if consent is used – may well make their participation a waste of everyone’s time. For example a research study is likely to benefit from a continuous sequence of information, not one with arbitrary gaps. Participants in a Covid-tracking programme who absorb resources by joining but then withdraw their consent to processing rather than report a positive test are likely to degrade the quality of everyone else’s statistics. Joining an activity of this kind may be a free choice but that choice ought to involve more consideration and commitment than the Consent framework, with its stress on ease of changing your mind, can really support.
Second, Consent relies on individuals making good choices. If they don’t do so, either because they have insufficient information, or because the consequences of the processing are too hard to predict, then confidence in the whole system may be put at risk. It’s often better for the data controller to take responsibility and ensure that the processing is, and continues to be, safe, at least for participants within a clearly defined range of characteristics. “Necessary” legal bases, such as public task and (particularly) legitimate interests, provide more support and guidance, and may be more appropriate for this. Both still allow a volunteer participant to change their minds if unforeseen risks emerge: formally the data controller can refuse a “right to object” if the individual’s risks are not significantly different to what was anticipated, but the law also allows them to be generous in granting opt-outs where that is appropriate.
It seems to me there might even be an argument that volunteers are psychologically more at risk of making inappropriate consent choices. If an activity is something I am passionate about, then it might be particularly important that someone else continues to keep an eye on my safety while I am doing it. In GDPR terms, the freedom whether to participate then becomes an additional safeguard for processing that already has a sound legal basis.
When GDPR was first proposed, one of the stated aims was to address “the overuse of consent”. That hasn’t always worked out, but it’s good to have situations highlighted where an alternative does indeed provide a better approach. For both data subjects and data controllers.