The Article 29 Working Party of European Data Protection Supervisors has published draft guidance on consent under the General Data Protection Regulation. Since the Working Party has already published extensive guidance on the existing Data Protection Directive rules on consent, this new paper concentrates on what has changed under the GDPR.
The first message is that consent is only one of six legal bases for processing personal data: “consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment” (page 4). Where any part of that requirement cannot be met, data controllers must look at the other five possibilities.
In particular, consent will rarely be appropriate where there is an imbalance of power between the data subject and the data controller. For example, public authorities will often have difficulty satisfying the requirements for consent, as individuals have little choice whether or not to use their services. Employers, too, will generally have too much power for employees to give free consent. Neither case is an absolute ban, however: the guidance mentions examples of subscribing to e-mail updates about roadworks or having photographs included in a school magazine, where the organisation may be able to establish that refusal of consent does, indeed, involve no significant adverse consequences.
Commercial organisations also need to take care when using consent: “the two lawful bases for the lawful processing of personal data, i.e. consent and contract cannot be merged and blurred”. If the personal information is necessary to perform the contract then that, not consent, is the correct basis. Where organisations request additional data that are not directly linked to the contract then free consent is required: this may be demonstrated, for example, by providing two versions of the service, one with additional data and one without, provided these are “genuinely equivalent, including no further costs” (page 10).
The Working Party consider that the greatest changes, most likely to require a change in process, are the need for consent to be indicated by a positive action (no pre-ticked boxes or “consent by silence”) and the requirement for organisations to be able to demonstrate that this was done. The latter is likely to involve keeping records of what information was shown to the individual, and what workflow resulted in their consent being obtained. In terms of systems, the biggest changes are the need to make withdrawing consent as easy as obtaining it (if you gave consent with a mouse click, you can’t be required to withdraw it by a phone call) and, where consented data are used for several different purposes, allowing separate consent to be given for each one.
As with the Information Commissioner’s draft guidance from last February, there’s a strong hint here that data controllers should be moving from consent to other bases where these are more appropriate. The Working Party adds an interesting twist: that continuing processing while changing its legal basis may be lawful as part of the change from Directive to Regulation, but not thereafter.