Insight

What Is Consent?

The eData Guide to GDPR

January 24, 2019

Under the General Data Protection Regulation, personal data in the European Union can be transferred only to jurisdictions that provide “adequate” privacy protections. One exception to this rule is where valid consent has been specifically obtained from the data subject prior to the transfer. This installment of The eData Guide to GDPR explains what consent means under the GDPR and how it must be obtained.  

Privacy is a fundamental right[1] in the European Union and personal data is controlled by the person who is the subject of the data (the data subject). In the employment context, an EU employee has the right to control the access, preservation, processing, and transmission of their personal data, including work and personal email and documents whether or not created or stored on a work computer or for business purposes. Contrast this broad protection with the treatment of data in other parts of the world, such as the United States, where employees enjoy very little expectation of privacy to information created in the course of their employment, even if “personal” in nature.

The privacy rights of data subjects in the EU also cover how and for what purpose their information can be used by a controller[2] or processor.[3] GDPR’s definition of privacy rights extends not only to protecting disclosure of personal information but also to the manner in which the data is used, where it can be stored, and whether the controller or processor may even keep the data after a request is made to delete it.[4] The data subject has the right to complete control over their personal data and anyone seeking to use that information will need consent from the data subject to do so. Moreover, the privacy protections afforded under the GDPR also extend to transfers of such data out of the EU. As noted in earlier papers, personal data may only be transferred to jurisdictions found to provide “adequate” privacy protections by the EU. In the absence of an adequacy determination, a specific exception or derogation must apply. As with processing generally, one such derogation many global organizations rely on for cross-border transfer of personal data is consent. Obtaining valid consent from the data subject is thus pivotal to compliance with GDPR.

Consent is one of the six bases under which processing of personal data is considered lawful under the GDPR.[5] When processing of data is based upon consent, the data controller must be able to demonstrate consent,[6] meaning that it is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”[7] Because consent requires a statement or clear affirmative action, consent cannot be obtained from pre-ticked checkboxes, lengthy terms and conditions full of legalese, defaults on internet sites, silence, or inactivity.[8]

1. Consent Must Be Freely Given

Consent is freely given if all of the following are true:

  1. The data subject has a choice in the matter 

    icon successA data subject has no choice in the matter when consent is part of standard terms and conditions that are not negotiated.[9] For example, if a mobile application requires agreement to use of GPS services that are not needed for the provision of application services, consent will not be freely given.[10]

     

  2. A data subject is able to refuse consent or withdraw consent[11]

    FailurePrior to obtaining consent, the data controller must inform the data subject of his or her right to withdraw consent as well as the right to be forgotten.[12] Moreover, because data subjects must be able to easily withdraw consent at any time, written consent language should provide details on how a data subject may withdraw consent.[13]

     

  3. There is no clear imbalance of power[14]

    ScalesThe relationship recommended is one that would not coerce the data subject into providing consent, such as a fear of retribution or economic detriment if the consent is denied. This could be an issue in employer-employee consent situations, where the employee might claim a power imbalance or feel there is a duty to provide consent in order to maintain their position. Employers are cautioned to make it clear to their employees that there will be no retribution or negative consequences regardless of the decision whether to consent or not.

     

  4. Performance of a contract is independent of the consent when such consent is not necessary for the provisions of goods or services that are the subject of the contract[15]

    Consent should not be a requirement for the fulfillment of a contractual relationship. For example, if a hotel chain requires a guest to consent to third-party use of their personal information for marketing or be denied the ability to make a hotel room reservation, the consent is not freely given.[16] Similarly, a wearable device used to track heart rate or blood pressure that requires consent to GPS tracking data or the wearable will not work would not be seeking freely given consent.[17]

     

  5. The consent is granular, i.e., it is very specific about what will happen to the data and allows for different data processing options when appropriate[18] 

    As is consistent throughout the language of the GDPR, any notification and therefore any consent must be based on an identification of the specific processing intended for the personal data. For example, if an airline asks its customers for consent to send marketing emails and to provide information to related travel industry companies such as hotels and car rental companies, such consent would not be valid. Ideally two separate, granular consents for the two separate purposes are needed.[19] 

2.  Consent Must Be Specific & Informed

For consent to be specific and informed, the data subject must be aware of all of the following:

  1. The identity of the controller (along with contact details)
  2. The explicit, legitimate purposes of the data processing
  3. What type of data will be gathered
  4. The legal basis for processing the data
  5. How long the data will be stored or the criteria used to determine such a timeframe
  6. With whom the data will be shared
  7. If data will be used for automated profiling
  8. Information regarding the right to lodge a complaint with a supervisory authority
  9. Whether the data will be shared outside of the EU[20]

If the processing has multiple purposes, consent must be given for all purposes.[21] However, the GDPR does recognize an exception for processing personal data for scientific research purposes, where it is “not possible to fully identify the purpose of personal data processing,” such that individuals “should be allowed to give their consent to certain areas of scientific research when in keeping with recognized ethical standards for scientific research.”[22] Such an exception might apply in the context of pharmaceutical or medical trials.

In a recent ruling, CNIL, France’s data protection agency, levied a substantial fine[23] for violating GDPR regulations for, among other things, not obtaining proper consent for the various uses made of the private information of its users[24]. The regulators stated that the consent provided by users of the internet search engine was not “sufficiently informed” nor was consent “specific” or “unambiguous.” Initially the regulators felt that the true processing and various ways data would be used was not easy to find within the terms of service or in any combined location within the user documentation. The data subject would not be able to truly know all of the various ways their data would be used, let alone consent in an informed way to that use. Furthermore, the regulators stated that the language of the requested consent did not provide adequate specificity for the data subject to consent to each use of data. Simply stating that the subject agrees with the terms of service and that they approve of processing is not sufficient.

3. Consent Must Be Unambiguous

Consent must be clear and concise, using “plain language” to be valid.[25] Consent cannot come from lengthy documents filled with legalese, such as a checkbox after a 13-page “terms and conditions.”[26] Thus, any form declaration of consent should be intelligible, in an easily accessible form, and must distinguish consent from other matters if the consent is contained in a written declaration that concerns other matters or issues.[27] Such distinguishing might take the form of using bold typeface, larger typeface, contrasting color, or other conspicuous font to draw the reader’s attention to the consent language.

4. Explicit Consent for Sensitive Data

If certain sensitive data is being processed—race, ethnicity, political opinions, religion or philosophical beliefs, trade union membership, biometric data, data concerning health, data concerning a natural person’s sex life, or sexual orientation—the data subject must give “explicit consent” to the processing of this sensitive information.[28] The data subject may be asked to sign or authorize a detailed authorization for processing this information that would spell out the reasons for the processing, the means in which the data will be protected, and the duration for which the consent is valid.[29]

5. Revocation of Consent

Data subjects have the legal right to withdraw their consent at any time. If consent is withdrawn, the organization must be prepared to remove the data from its intended processing. Any processing that was done prior to the withdrawal of consent will still be valid if the other conditions of consent were also satisfied. Controllers and processors should provide the data subject notification of their right to withdraw consent when seeking consent initially. The mechanism for revoking consent must be equal in format or ease as the request for consent. If the request for consent is made at the beginning of an engagement through a website or app, clicking a box for example, withdrawing that consent should be designed in a similar fashion with a consistent interface.[30]

Contacts

If you have any questions or would like more information on the issues discussed in this installment of The eData Guide to GDPR, please contact any of the following Morgan Lewis lawyers:

Philadelphia
Tess Blair
Jennifer Mott Williams
Vincent M. Catanzaro



[1] GDPR Recital 1.

[2] GDPR Art. 4 (7) defines a Controller as a “legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”

[3] GDPR Art. 4 (8) defines a Processor as a “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”

[4] GDPR Chapter 3. Rights of the data subject.

[5] See Art. 6 (1).

[6] See Art. 7(1).

[7] GDPR Art. 4(11).

[8] See GDPR Recital 32.

[9] See Art. 29 Data Protection Working Party Guidelines on Consent Under Regulation 2016/679, Adopted 10 April 2018.

[10] See id.

[11] See GDPR Recital 42 and Art. 7(3); accord GDPR Recital 65 (discussing the right to be forgotten).

[12] See GDPR Art 7(3) & Art. 13(2)(b)&(c).

[13] See The European Commission, “It’s your data – take control” (noting “it must be as easy to withdraw consent as it is to give it”).

[14] See Art. 29 Data Protection Working Party Guidelines on Consent Under Regulation 2016/679 (imbalance of power includes cases where there is “any element of compulsion, pressure or inability to exercise free will”).

[15] See GDPR Recital 43.

[16] Accord Art. 29 Data Protection Working Party Guidelines on Consent Under Regulation 2016/679.

[17] Accord Art. 29 Data Protection Working Party Guidelines on Consent Under Regulation 2016/679.

[18] See GDPR Recital 43.

[19] See Art. 29 Data Protection Working Party Guidelines on Consent Under Regulation 2016/679.

[20] See GDPR Recital 42, 60, 63; Art. 13(2)(a)-(f).

[21] See GDPR Recital 32.

[22] See GDPR Recital 33.

[23] € 50,000,000

[24] Deliberation No. SAN-2019-001 of 21 January 2019.

[25] See GDPR Recital 32 and Art. 7(2).

[26] See GDPR Recital 32.

[27] See GDPR Recital 42 and Art. 7(2).

[28] See GDPR Art. 9.

[29] See Art. 29 Data Protection Working Party Guidelines on Consent Under Regulation 2016/679.

[30] See Art. 29 Data Protection Working Party Guidelines on Consent Under Regulation 2016/679.