Domhnall Dods, regulatory solicitor and GDPR expert at Towerhouse and member of the Law Society’s Privacy Law Committee, explains the changes to rules around consent in the General Data Protection Regulation (GDPR).
One of the aspects of the GDPR which has grabbed the most attention is the changes which are being made to the use of consent as a ground for justifying the processing of personal data.
It is a widely held belief that in order to process personal data you must have consent, but this is not the case. Perhaps for this reason there have been many comments about the new rules on consent ‘crippling’ businesses that rely on processing personal data.
There are in fact six grounds which can be used to justify processing; consent is just one of those (read more about the other legal bases for processing personal data).
Consent – what has changed and why are some people concerned?
The GDPR will introduce more stringent rules around consent, meaning organisations will need to reconsider how they go about obtaining consent, or perhaps, whether they might be better looking to one of the other five grounds open to them.
Under the GDPR, consent must be freely given, specific, informed and unambiguous (Articles 4(11) and 6(1)(a)), otherwise it will be invalid.
“Freely given” – this means that the data subject must have a genuinely free choice about consenting. If they are unable to access a product or service, or are disadvantaged by withdrawing or refusing their consent, then there is a presumption that the consent was not freely given. Consent is also not considered to be freely given if there is a power imbalance between data controller and data subject - eg the relationship between an employer and an employee.
“Specific and informed” – this means the individual has to be given sufficient information about the identity of the controller and the purposes of the processing. Consent has to be specific to each processing activity. Where different activities are taking place, consent must be given to each separately.
A request for consent must be “clearly distinguishable” from other matters in a written document where other matters are covered, eg in terms and conditions of service. It must also be clearly presented in plain language.
One of the most important changes to be aware of is that under the GDPR, consent can only be given by an affirmative action. This will mean, for example, that the use of opt-out or pre-ticked opt-in boxes is no longer acceptable.
Consent also needs to be verifiable – data controllers must now maintain records so that the consent can be verified.
Withdrawal of Consent
This is another new concept. Article 7(3) gives data subjects the right to withdraw consent at any time and it must be as easy to withdraw consent as to give it. Not only that, but controllers must inform data subjects of their right to withdraw before the consent is given. If consent is withdrawn, data subjects have the right to have their personal data erased and the data can no longer be used for processing.
Age of consent
There are also new protections for children – the GDPR limits the ability of children to consent to processing unless parental authority is given. The age of consent is set at 16 but Member States can set a lower age subject to a minimum of 13. The UK has said it intends to set 13 as the age of consent and this is set out in the Data Protection Bill.
Given the more stringent rules around consent, it remains to be seen whether it continues to be the legal basis of choice for those processing data. The most important thing to consider when processing data remains whether at least one legal basis for the processing has been identified.
This blog represents the personal views of the author, not of any client. It is not to be taken as legal advice.