GDPR in Focus: Consent

27 May 2020

As the GDPR marks its second anniversary, consent remains as crucial an issue as ever. This note provides an oversight of the current understanding of requirements for consent under the GDPR, in light of the recently adopted EDPB Guidelines and AG Szpunar’s Opinion in Case C‑61/19, both addressing the notion of consent.

The EDPB Guidelines of 4 May 2020

The newly adopted set of Guidelines largely align with previous 29WP Guidelines on the topic. The main changes focus especially on the requirements for obtaining and demonstrating valid consent.

Preliminarily, the EDPB notes that the requirements for consent are not an “additional obligation” but constitute preconditions for lawful processing. These conditions are applicable also in situations falling under the scope of the ePrivacy Directive.

The EDPB provides many examples enabling a practical understanding of the Guidelines.

Conditions for consent pursuant to Article 4(11) and Article 7 GDPR

“Freely given” entails a real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent, or will face negative consequences for not consenting, consent is not valid.

  • Conditionality. Bundling consent, or inability to refuse or withdraw consent without detriment, give rise to a presumption that consent is not freely given. Bundling or tying consent to the acceptance of terms or conditions that are not necessary for the performance of a contract or service is not desirable (Article 7(4) GDPR). The GDPR ensures that consent does not become directly or indirectly the counter-performance of a contract. Consent and the performance of a contract, being two different legal bases, cannot be merged and blurred.
    For example, requiring consent for activation of GPS localization as a condition for the use of a mobile app for photo editing, cannot be considered as being freely given consent.
  • Imbalance of power.  Consent will not be free if there are any elements of compulsion, pressure or inability to exercise free will. Public authorities will unlikely be able to rely on consent for processing, given the clear imbalance of power between controllers and data subjects (Recital 43 of the GDPR). This may also occur in the employment context, as the data subject may not be able to deny his/her employer consent without risking negative consequences. In these cases, as appropriate, controllers should rely on more suitable legal bases other than consent.
  • ePrivacy. Consent is not freely given on the sole argument that the data subject may choose an equivalent service offered by a different service provider. Access to services and functionalities must not be conditional on the user’s consent to storage of information, or access to information already stored in the user’s terminal equipment (cookie walls). For instance, where a website provider blocks content visibility and requires accepting cookies and related information in order to view the content, the data subject does not have a genuine choice and such consent is not freely given.
  • Granularity. When data processing pursues different purposes, valid consent entails obtaining specific consent for each purpose.
  • Detriment. The controller must be able to demonstrate that consent can be refused or withdrawn without detriment (Recital 42). For instance, there should be no costs and no clear disadvantage.

“Specific” entails a degree of user control and transparency for the data subject. This requires:

  • Purpose specification as a safeguard against function creep (i.e. a gradual widening or blurring of purposes);
  • Granularity in consent requests (see above);
  • Clear separation of information related to obtaining consent for data processing activities from information about other matters.

Note that, pursuant to the concept of purpose limitation, Article 5(1)(b) and Recital 32, consent may cover different operations, as long as these operations pursue the same purpose.

“Informed” entails providing at least the following information: (i) controller’s identity; (ii) purpose of each of the processing operation for which consent is sought; (iii) types of data that will be collected and processed; (iv) existence of the right to withdraw consent; (v) information about the use of the data for automated decision-making in accordance with Article 22(2)(c), where relevant; (vi) possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards as described in Article 46.

How to provide information? Information should meet the highest possible standards of clarity and accessibility and be provided in clear and plain language. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form. Relevant information for giving consent may not be hidden in general terms and conditions. In cases of pre-formulated written declarations of consent (Article 7(2) GDPR), both for paper documents or electronic means, consent requests must be clearly distinguishable, separate and stand out from other terms and matters.

“Unambiguous” entails indication by statement or a clear affirmative action, i.e. a deliberate action to consent to the particular processing. The following do not amount to an active indication of choice and are invalid under the GDPR:

  • Pre-ticked opt-in boxes;
  • Silence or inactivity;
  • Merely proceeding with a service;
  • Blanket acceptance of general terms and conditions;
  • Optout boxes or constructions requiring the data subject to act in order to prevent agreement;
  • Scrolling, swiping through a webpage or similar actions.

On the other hand, the EDPB clarifies that actions such as swiping a bar on a screen, waiving in front of a smart camera, turning a smartphone around clockwise, or in a figure “eight” motion may validly express the data subject’s agreement, insofar as he or she is clearly informed, and it is apparent that the particular motion entails consenting to a specific request.

“Explicit” is a requirement in certain situations posing a serious data protection risk, such as the processing of special categories of data (Article 9 GDPR), data transfers to third countries or international organisations in the absence of adequate safeguards (Article 49 the GDPR), and automated individual decision-making, including profiling (Article 22 GDPR).

  • Written form: the GDPR does not require written and signed statements in all circumstances. For example, in the digital or online context, the standards may be met by filling in an electronic form, sending an email, uploading a scanned document, or using an electronic signature, as well as, in principle, use of oral statements.

Demonstrating consent. Article 7(1) GDPR sets an explicit obligation upon the controller to demonstrate a data subject’s consent. The burden of proof is thus on the controller. Upon termination of processing activities, proof of consent should not be kept for longer than strictly necessary to comply with a legal obligation, or to establish, exercise and defend legal claims (Article 17(3)(b) and (e)). For example, the controller may keep a record of consent statements received, e.g. logs and confirmation emails, to show how and when consent was obtained, and the information provided.

Time limitation. The GDPR does not provide a specific time period for the duration of consent. This depends on the context, the original scope and the expectations of the data subject. The controller must be transparent towards data subjects. In particular, where processing operations change or evolve significantly, new consent should be obtained. The EDPB recommends as a best practice to refresh consent at appropriate intervals.

Withdrawal of consent. Article 7(3) GDPR provides that consent can be withdrawn at any time, and that such action should be as easy as giving of consent. Withdrawal is thus a necessary aspect for validity of consent, which must be, in essence, a reversible decision. Giving and withdrawing consent should not necessarily amount to the same action. In the online context, if consent is obtained e.g. via a mouse-click, swipe, or keystroke, withdrawal must be equally simple. If consent is given via the use of a service-specific user interface (e.g., via a website, app, log-on account, the interface of an IoT device or by e-mail), withdrawal must be exercisable via the same interface. Data subjects withdrawing their consent should not face detriments, i.e. charges, or lowering service levels. Once consent has been withdrawn, the data controller must stop processing and cannot switch to a different legal basis to continue processing data.

Opinion in Case C‑61/19 Orange România delivered on 4 March 2020

In his Opinion on the conditions for validity of consent, AG Szpunar provides further clarifications on the concept of data subject’s consent and especially on its burden of proof.

Background of the case

The request for a preliminary ruling, originating from a Romanian Court, derived from a dispute concerning the obligations of a telecom service provider in contractual negotiations with regards to the copy and storage of ID cards of customers.

 

The service provider had been sanctioned by the Romanian DPA for collection and storage of copies of IDs without customers’ consent and had not provided evidence that customers, at the time of concluding the contract, had made an informed choice giving their consent. Within the context of a standardized contract, the customer had to state, in handwriting, that he or she refused to consent to the copy and storage of his or her ID.

The AG’s reasoning

Freely given consent

  • The requirement of an indication points to active behavior on the data subject’s part and implies a “high degree of autonomy” when choosing whether to give consent.
  • Accordingly to the ECJ’s judgment in Planet49, a preselected tick of a checkbox does not necessarily entail active consent. The same rationale can be translated to the paper documents’ context.

Informed consent

  • The data subject must be informed of all circumstances relating to data processing and its consequences, specifically, about the consequences of refusal. For instance, it needs to be clear whether refusing consent impedes the conclusion of the contract.
  • The controller not only holds the burden of proof with regards to the consent given, but also has to prove that all required conditions for valid consent are met.

AG’s Conclusion

As to the circumstances of the case, the AG opines that consent was not freely given, because the data subject was forced to deviate considerably from an otherwise standard procedure in order to express refusal. A positive action of the data subject is necessary for consent – not for refusing. Referring again to Planet49, if unticking a pre-ticked checkbox on a website constitutes a burden, then a fortiori a customer cannot reasonably be expected to refuse consent in handwriting.

AG Szpunar’s interpretation of consent appears very much in line with the (subsequent) guidance given by the EDPB and follows along the path traced in his Opinion in Planet49 and the ECJ’s judgment, continuing to stress the importance of consent. It therefore appears reasonably likely that the ECJ may follow the AG Opinion in its upcoming judgment.

GDPR Flash News

European Union

  • Joint statement ahead of the 2nd year anniversary of the General Data Protection Regulation by Commissioners Jourová and Reynders. The statement celebrates the two-year mark of the GDPR and highlights the continuing key priority to ensure the proper and uniform implementation across the Member States, as well as developing convergence in privacy standards internationally and promoting safe data flows.
  • EDPB Twenty-eighth Plenary Session of 20 May 2020. The EDPB adopts an opinion pursuant to Article 64 GDPR on the draft Standard Contractual Clauses submitted by the Slovenian Supervisory Authority and decides on the publication of a register containing ‘one-stop-shop’ decisions.
  • eu files a formal complaint against Google with the Austrian Data Protection Authority. Max Schrems’ privacy NGO alleges Google’s lack of valid legal basis for tracking users via the “Android Advertising ID”. Read more about the complaint here.

The Irish Data Protection Authority submits a draft decision to other concerned Supervisory Authorities with regards to its inquiry into Twitter International Company. This decision is part of a broader probe into large tech companies conducted by the Authority, including Facebook and WhatsApp. Tech companies should therefore get ready for more intense GDPR enforcement in the coming months. Read more here.

Belgium

  • The Belgian Data Protection Authority adopts Decision 18/2020 concerning data breaches and the role of in-house DPOs. The Decision sets a strict interpretation of the notion of conflict of interest provided by article 38(6) of GDPR that may lead to rethink DPO appointment within organizations. The decision imposed a fine of 50.000 Euro on the Belgian telecom company Proximus.

The president of the Litigation Chamber of the Data Protection Authority, Hielke Hijmans stated to lEcho : “The DPO is intended to serve as a guide in these efforts. One cannot therefore be the adviser and the one who makes the decision as was the case at Proximus.

  • The Belgian Data Protection Authority decides and imposes a fine of 50.000 Euro on the use of an “invite a friend” functionality implemented by a social media platform to increase its user base. In particular, the Authority sets out the legal grounds and conditions for the admissibility of such mechanism.
  • The Belgian Data Protection Authority decides and imposes a fine of 50.000 Euro on an insurance company for lack of transparency in its privacy policy. The Litigation Chamber explicitly stressed the broader issues to be raised in connection with the complaint, namely the collection of health data by insurers from potential policyholders via their express consent (Article 9(2a) GDPR) in the context of the conclusion and execution of hospitalization insurance, and the extent to which such consent can be freely given. The Litigation Chamber is of the opinion that the national legislative framework (implementation) should be improved “in order to provide a legal basis specific to the insurance sector that allows for well-defined limits for the collection of health data in the framework of the (pre-) contractual relationship between insurer and policyholder”.
  • The Belgian Data Protection Authority published a report for the Second Anniversary of the GDPR. Over the last year (since May 2019) the Belgian DPA has received:
  • 937 data breach notifications;
  • 4,438 information requests;
  • 351 complaints;
  • 128 opinions requests on draft laws, decrees or orders; and
  • 5,416 data protection officer (“DPO”) notifications.

The Litigation Chamber has issued 59 sanctions, amongst which 9 fines have been imposed (for a total amount of 189.000 Euro). For the Chamber’s President, sanctions are not an end in themselves: “Through our decisions, we aim to develop a body of case law that will serve as a guide for organizations that process personal data. However, sanction is never a goal in itself, and we only impose sanctions when strictly necessary.

 

A 100 inspections have also been carried out by the Inspection Service of the DPA, which, according the Inspector General, is only the start: “From now on, we also intend to act more proactively, by launching large-scale investigations, for example sectoral or thematic investigations, on our own initiative.

Cookies are on the radar of the Inspection Service of the Belgian DPA: “We are also closing a major survey on the management of cookies by a series of popular sites.

  • On the matter of cookies, the Belgian Data Protection Authority updates its informative guidance on cookies. In particular, the DPA aligns with the important clarifications on consent given by the ECJ in its judgment in Planet49. As also retained in the EDPB’s guidance discussed above, the practice of so-called “cookie walls” is deemed non-compliant with GDPR standards.
  • The Belgian Data Protection Authority issues opinions on two preliminary draft Royal Decrees concerning respectively the use of tracing applications and the establishment of a database to prevent the spread of the coronavirus and, more recently, opinions on two preliminary draft of Laws concerning the same subjects, the use of tracing applications and establishment of a database to prevent the spread of the coronavirus. The Authority insists on the necessity of ensuring further safeguards and compliance with principles of data protection law to protect citizens’ fundamental rights.
  • The Brussels Markets Court annuls a Decision of Belgian Data Protection Authority concerning a fine previously imposed for the disproportionate use of electronic ID cards and the principle of data minimization.

 

 

Do not hesitate to contact us should you require further information and assistance on the issues discussed in this note, or any other data protection and privacy related matter.