General Data Protection Regulation (GDPR) Series, Part 3 – GDPR Consent and Fair Processing

The General Data Protection Regulation (GDPR) (EU) 2016/679 of 27 April 2016 which comes into force in May 2018, will introduce major changes to the law on the processing of personal data in the European Union. Over the next ten months, several European Union and United States law firms we work very closely with will join us in providing you with more information on the GDPR. Different themes will be tackled month by month to help you prepare for the GDPR deadline.

Part 3 of this GDPR Series is brought to you by Graf von Westphalen. Other blog entries in this series will be brought to you by the law firms of Mills & Reeve (UK), FIDAL (France) and VanBenthem & Keulen (Netherlands) as well as Robinson & Cole (United States).

Consent as a lawful basis for data-processing
Every data processing activity requires a lawful basis. Such lawful basis may be provided directly by law, or by consent granted by the data subject, both according to the statutory requirements set out in the Directive 95/46/EC and, importantly, national data protection laws. This general principle remains unchanged under the GDPR, however, the new Regulation provides for new or additional requirements for such consent to be a lawful basis for processing and transfer of personal data.

Pre-requisites for valid consent – Fair processing notices
First, the GDPR requires that any consent of the data subject regarding the use of its personal data must be “freely given, specific, informed and unambiguous” and, in comparison to the Directive, it puts additional hurdles in front of the controller seeking consent: The consent must be specific to the respective data-processing action and therefore needs to be « clearly distinguishable » from any other matters that may be covered in the same document, Article 7 (2). And Article 7 (4) and Recital 43 make it clear that a consent is not given freely if the performance of a contract or provision of the service is made conditional upon such consent, or if there is « a clear imbalance between the data subject and the controller ». Further, Article 7 (3) requires that the data subject is given the right to withdraw its consent at any time and as easily as giving it, and the right to have their personal data erased and so removed from further processing, Article 17.

Second, these requirements come with the strict obligation of the controller to fully inform the data subject on the relevant issues and their rights before the consent is given. As already required under the Directive, the individual must be informed about the categories of personal data to be processed, the purposes and term of processing, the identity of the controller and any possible recipients of the data. The lack of transparent, complete and timely information would make the consent invalid.

Third, the GDPR requires the data subject to signal its consent by “a statement or clear affirmative action”. Thus, where under the Directive 95/46/EC controllers could rely on implicit or “opt-out” consent, the GDPR requires that the consent must be expressed “by a statement or by a clear affirmative action”, see Article 4 (11). As long as the individual’s consent is clearly indicated, such action might consist of “choosing technical settings for information society services” or “another statement or conduct”, including, e.g., ticking a box on a website, see Recital 32 of the Regulation. But, silence, inactivity, or pre-ticked boxes will no longer serve as valid consent by the data subject.

Where explicit consent is one of the possible grounds for compliance
The GDPR extends the definition of special categories of personal data that are particularly sensitive “in relation to fundamental rights and freedoms” of the individual and require “specific protection”, see Article 9. Besides those already mentioned under the existing Directive, like information on racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, the GDPR in Article 4 also includes genetic data, biometric data, and data on the individual’s sexual orientation. The processing of those sensitive data in each case requires “explicit” consent, probably excluding consent by the individual’s conduct or use of technical settings.

The same will apply under the GDPR with regard to consent required from children. Article 8 sets out the default position that children may only give consent in relation to online services without parental authorization from the age of 16. However, the Regulation allows member states to deviate from that rule, as long as the minimum age is not below 13 years. Explicit consent may also be required where the controller plans to make decisions about the data subject based solely on automated processing, including profiling (Article 22) or where the personal data is transferred to countries which do not provide a level of protection assessed as adequate (Article 49).

Burden of proof and administrative penalties
It goes without saying that the controller bears the burden of proof that the above requirements for a valid consent are complied with, and this may itself result in increased costs and administrative burdens for the controller. And the maximum fines for violations of these requirements range from €10 million to €20 million, or 4% of global turnover if greater.

What has to be done to be compliant
The changes from Directive 95/46/EC to GDPR discussed in this article will mostly affect organisations that rely on the data subject’s consent as a lawful basis. (In many situations, of course, it will be more appropriate to rely on one of the alternative grounds for processing, such as legitimate interests.) They will have to thoroughly review the consent mechanisms they have in place to ensure that the information duties are fully complied with by valid fair processing notices, that the consent mechanisms are appropriate to the nature of the consent being sought, that consent is clearly “opt-in” and freely given even where the data subject is in a state of dependency, e.g. with employees, and that the consent can be withdrawn easily. Note that until detailed guidance is issued by the grouping of data regulators, WP29, it is unclear how far consent will be available at all within an employer/employee or similar relationship. Finally, consent given in the past might well not be compliant with the new requirements and the controller may therefore need to seek new consents, potentially resulting in considerable work load.