‘Consent’ has been one of the lawful grounds for processing personal data even before the GDPR came into force in May 2018. However, the GDPR goes a bit further in codifying what the essential ingredients of a valid consent are. Hereafter, the blog discusses the core elements of consent under the GDPR.
1. What are the essential elements of valid consent under the GDPR?
As per Article 4(11) of the GDPR, consent must be:
- freely given;
- an unambiguous indication of the data subject’s wishes; and
- a statement or a clear affirmative action.
Each part is examined separately hereafter.
2. When is consent “freely given”?
It simply means that the data subjects’ consent to processing should not be motivated or influenced by the controller through use of tactics such as coercion, disincentives, hardship, intimidation, access to services, etc. In this regard, some specific points that the GDPR emphasizes are:
- Conditional contracts – Article 7(4) read with recital 43 of the GDPR clearly states that consent will not be said to be freely given if the performance of a contract or provision of a service is conditional to such consent. This is supported by Article 6 of the GDPR according to which if a certain data processing activity is necessary to the performance of a contract, then “performance of contract” rather than “consent” would be the lawful ground for such processing.
- Notion of power imbalance – In order to be freely given, there should not be an obvious imbalance in power between the data subjects and data controllers, such as in an employer-employee context. In the latter context therefore, ‘consent’ may indeed not qualify as a valid ground of processing personal data.
- Detriment – As per recital 42 of the GDPR the data controller is required to demonstrate that data subjects can easily refuse/withdraw consent without any detriment.
3. What does “specific” mean?
Here specificity is in relation to the purpose of processing. This means that consent must be specific to the purpose for which the consent is sought. In case of numerous purposes, separate consent must be given for each specific processing purpose. Therefore, consent must be granular. This is embodied in recital 32 of the GDPR which clarifies that “when the processing has multiple purposes, consent should be given for all of them.”
4. How is consent “informed”?
The GDPR reinforces the information rights of data subjects at several places, including in relation to consent. This is in line with the GDPR’s underlying principle of transparency. The consent must be an informed and reasoned one, for which certain minimum information must be provided to data subjects prior to obtaining consent. As per the WP29, the following minimum information must be given for obtaining valid consent:
- Data controller’s identity;
- Purpose of each processing operation for which consent is sought;
- Type of personal data collected and used;
- The existence of the right to withdraw consent;
- Information about the use of data for automated decision-making where relevant; and
- Possible risks of data transfers due to absence of safeguards under Article 46.
- As circumstances demand, the information obligations under Articles 13 and 14 of the GDPR must be complied with.
5. How should the aforementioned information be provided to data subjects?
While no clear form is prescribed by the GDPR, it mandates that the information must be presented in a manner that is intelligible and easily accessible, using clear and plain language. Further, the consent must be clearly distinguishable from other matters. Therefore, consent cannot legitimately form part of a list of other terms on a website and must be dealt with in a separate document that clearly stands out. The WP29 suggests providing the information in a layered structure, in order to ensure that it is both clear, plain and intelligible, and at the same time contains all relevant information.
6. What are the implications of the term “unambiguous indication”?
The GDPR requires that a statement or a clear affirmative action must be taken by data subjects in order to indicate consent. This means that silence, inactivity and pre-ticked boxes will not fulfill the criteria of GDPR; there must always be a deliberate and active motion or declaration in order for consent to be valid. Recital 32 of the GDPR clarifies this in detail and states that while it can be electronic, written or oral, the indication of the data subject’s acceptance must always be clear. Therefore, controllers have the liberty to develop a consent flow that suits their organization, within the parameters of the GDPR. Bearing that in mind, as per the WP29, physical motions such as swiping a bar on a screen or waving in front of a camera can qualify as clear affirmative action, thereby constituting valid consent. However, simply continuing to scroll through a website would not qualify as such, since such action is not sufficiently unambiguous.
7. What is explicit consent and how is it different from regular consent?
In certain data processing situations where the risks to data subjects’ rights are high, the GDPR requires explicit consent rather than regular consent. For instance, explicit consent is required while processing special categories of data under Article 9, or in case of international data transfers that do not meet adequate safeguards under Article 49, and in case of automated decision-making including profiling as described in Article 22 of the GDPR.
While no definition of ‘explicit consent’ is provided under the GDPR, as per WP29, the term ‘explicit’ denotes the way in which consent is expressed, leaving no room for doubt as to the data subjects’ intentions. It means that the consent must be given by an express statement, the most obvious way being a written and signed statement of consent. In the digital context, explicit consent could be obtained by filling in an electronic form, sending an email, uploading a scanned document with signature, etc. Two step verification of consent is likely to be a relatively absolute way of ensuring that the consent is explicit.
From the above discussion, one can conclude that the crux of the concept of consent under GDPR is that consent should be a genuine, informed and reasoned expression of data subjects’ decisions regarding the use of their personal data. It is based on the legislative intent of protecting the informational right to privacy of data subjects, by giving them ultimate control over their personal data.