“Consent” in the General Data Protection Regulation
The concept of “consent” has long been an area of uncertainty in data protection circles. In this blog DPP’s Phil Brining explores how the new Regulation handles consent.
“Consent” is a concept in the Data Protection Act linked to the first principle of fair and lawful processing, and in my experience it wasn’t particularly the subject of hot debate until mass digital marketing became the preferred choice of communication and PECR (the Privacy and Electronic Communications Regulations) came along. Consent was often, and actually still is, mixed up in many minds with email opt-ins and opt-outs. Confusion often reigns regarding the use of implied or explicit consent in various circumstances, and this remains an area of legal uncertainty. It appears to be perfectly acceptable to acquire consent implicitly where the processing is not intrusive, and even in circumstances where explicit consent should be obtained, many data controllers take a commercial view and work with implied consent, reasoning that the potential loss in revenue from moving from implied to explicit consent is a greater threat than the compliance risk and potential sanctions.
Greater legal certainty
The General Data Protection Regulation does a pretty good job of cutting through all of this and providing greater legal certainty – far more black and white than grey. The bad news is that some folk won’t like the black bits, but in general my view is that applying the GDPR rules will be a whole lot easier than under DPA and PECR. For example, the Regulation provides a definition of consent (where DPA contains no such definition): “‘the data subject’s consent’ means any freely given specific, informed and explicit indication … by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.” So this means that clicking a “Continue” button on a web page or app will still constitute a clear affirmative action and therefore consent as defined in the GDPR. But before you go skipping down the street rejoicing – hold up there! GDPR, within its articles, adds qualifications, constraints and further obligations on data controllers.
For instance, the six data protection principles contain phrases placing further obligations on data controllers in relation to consent, such as Article 5(f) [DPP #6], which requires a data controller to, “ensure and demonstrate for each processing operation the compliance with the provisions of the [this] Regulation.”
Consent remains one of the six grounds for lawfulness of processing (Article 6(a)) but does not provide a legal basis for processing where there is a significant imbalance between the position of the data subject and controller. Employer and employee for example?
There are elements of consent within the Regulation that are unclear – but reading the entire text it is clear that we will all have to start thinking in a new and different way about the issue of consent, particularly as Article 7 states that the controller “shall bear the burden of proof for the data subject’s consent to the processing of their personal data for specified purposes” (Article 7(1)). It is my view that data controllers will need a strategy for consent management, including control over the various touch points and mechanism(s), improved metadata around consent acquisition, controlled approval and use of privacy statements, and probably a consent management centre for managing which processing operations each data subject has consented to and for how long.
Consent for under 13s has to be obtained or authorised by a child’s parent or custodian (Article 8(1)). Presumably a teacher would qualify as a custodian under certain circumstances? But how will you ensure that you have obtained parental approval? How will you validate this… and don’t forget that the burden of proof falls on you!?
Moving on, Article 14 sets out the information that must be provided to the data subject in order for consent to be valid and the processing to be lawful. GDPR is more prescriptive than the DPA in many respects, including this area. Most of the information that needs to be provided to data subjects is probably as you would expect and as set out in the ICO’s good practice guide on privacy statements. However, GDPR obliges controllers to also inform data subjects of “the period for which personal data will be stored” (Article 14(c)) and “the purposes of the processing for which personal data are intended … including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1)” (Article 14(b)). These two additions to privacy statements are something of a change but nothing too dramatic provided you are in proper control of your information assets, and in any event it is an approach that we have been encouraging for many years. Why not be clear about your legitimate interests? Seems perfectly reasonable to me.
Another particularly interesting section in Article 14 is paragraph 3. This requires the data controller to inform the data subject, in addition to all of the information in Article 14(1) (such as the identity of the controller, the name of the DPO, the period for which data will be stored, etc.), of the source of the personal data where it has not been collected from the data subject. Presumably this would include friends-and-family type schemes as well as bought-in data. There are a few narrow exemptions, including legacy data (Article 14(5)(a)), and it is possible for controllers to argue that such a communication is impossible or involves disproportionate effort (Article 14(5)(d)). But if a controller is able to suitably demonstrate disproportionate effort, they are bound to comply with Article 14(6), requiring the controller “to provide appropriate measures to protect the data subject’s legitimate interests.” So it would seem that data controllers have an obligation (subject to a few exceptions) to communicate with data subjects either at the point of data capture or shortly thereafter, including for data acquired from sources other than the data subject themselves. Again, this is not a business-crippling blow but does require careful planning, management and control. And again it seems perfectly reasonable, given the cost and ease of mass digital communication, to require data controllers to, for example, communicate with the members of a bought-in list of say 500,000 people as to the fact that they are now processing the list members’ data because XYZ Limited sold them the list.
Hopefully you can see that the spirit of the Regulation is putting more onus on data controllers to be responsible with, and respectful of, their data subjects’ personal data. The prescriptive nature of the Regulation leaves little wriggle room, and given that failure to comply with Article 14 is grounds for a fine of up to €500,000 or 1% of annual worldwide turnover (the middle ranking tier of fines), it is something that needs to be done correctly.
Processing without consent
There’s a bit more to “consent” contained within GDPR, and it is still possible to process data without consent by relying on the legitimate interests grounds (Article 6(f)), but the GDPR requires data controllers to balance their legitimate interests against the interests and rights of data subjects – and to document this thought process. Again, this approach is contained in the ICO’s official guidance but has not been a legal requirement until now. In some limited circumstances data controllers actually have to request approval for their proposed data processing operations (Article 34), and the ICO is empowered to deny approval and prohibit the proposed processing (Article 34(3)).
I said in my first GDPR blog that I liked the Regulation and that it is easy to read and understand, and I hope that you can recognise the seismic shift that it presents, to which I have previously referred. It is now the job of the data controller to consider to a far greater extent, if not actively look after, the legitimate interests of data subjects. And the requirements to keep records, employ a DPO, have a DP audit regime and so on are the tools by which GDPR will achieve its aim. In the short term we need to map consent flows, test CRM metadata, double-check privacy statements, put in place measures to know in a more granular fashion where our data originated, and implement a sophisticated range of policy and process controls.
Data Protection People will be running a regular Blog to encourage discussion, consideration, and understanding about the changes but please contact us if you have any questions.
Phil Brining, 18th January 2016