9 March 2017
The Information Commissioner’s Office (‘ICO’) released, on 2 March 2017, guidance on consent under the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) for public consultation (‘the Guidance’). According to the ICO, the Guidance will assist organisations in deciding when to rely on consent for data processing and when to look for alternatives. In addition, the ICO explained what constitutes valid consent, and how to obtain and manage consent in a way that complies with the GDPR through the provision of a checklist within the Guidance.
William Long, Partner at Sidley Austin, told DataGuidance, “The Guidance is extremely helpful and one of the most significant topics the ICO could have addressed first, but it will be a wake-up call for organisations in a GDPR world. They are going to have to adopt a completely different mindset and seriously consider their whole approach to consent, how they obtain it and whether it will be appropriate. The detailed requirements may cause a change in some industries where there has been a reliance on consent. Although there may be occasions where consent will be appropriate, if they do go down the consent route and the Guidance remains unchanged following the consultation, then it’s not just about updating policies; they will have a host of requirements to consider. What seems clear from the Guidance is that there is no consent at the moment which complies with GDPR standards.”
The Guidance stresses that organisations will need to review consent mechanisms to make sure they meet the GDPR requirements on being specific, granular, clear, prominent, opt-in, documented and easily withdrawn. In this regard, the Guidance states, ‘You are not required to automatically “repaper” or refresh all existing Data Protection Act 1998 (‘the DPA’) consents in preparation for the GDPR. But it’s important to check your processes and records in detail to be sure existing consents meet the GDPR standard.’ In addition, the Guidance highlights that consent is only an appropriate basis to rely on if organisations can offer individuals ‘real choice and control’ over how their data is used, and want to build trust and engagement. Should organisations feel that ‘genuine choice’ cannot be offered, the Guidance advises that organisations consider using an alternative basis.
“One of the goals of the GDPR was to [give] the individual more [control] in terms of making decisions about how their data will be used, and the Guidance provides a lot of useful advice on what a valid GDPR consent looks like and how it should be obtained,” said Phil Lee, Partner at Fieldfisher. “However, once you familiarise yourself with all of the standards that need to be met to achieve a valid GDPR consent, you are left wondering why anyone would bother when simpler, less onerous processing grounds exist. One critical element of the Guidance is its acknowledgement that the GDPR does still enable the concept of ‘implied consent.’ While the GDPR clearly tightens the screws on what constitutes a valid implied consent, website operators everywhere will be breathing a huge sigh of relief that they are not going to be forced to adopt affirmative cookie opt-in buttons on their websites.”
A key change highlighted by the Guidance is in relation to the provisions under Articles 7(2) and 7(4) of the GDPR, which state that the request for consent should be presented in a manner which is clearly distinguishable from the other matters and that, when assessing whether consent is freely given, utmost account should be taken of whether the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. Recital 43 further notes that consent is presumed not to be freely given if it does not allow separate consent to be given to different data processing operations, or if the performance of a contract, including the provision of a service, is dependent on the consent despite this not being necessary for such performance.
Long commented, “The question [concerns] obtaining consent for different processing activities. Consents are sometimes bundled and applied in a fairly binary way. The Guidance indicates that you will need to obtain granular options to consent and to provide ways for individuals to consent to some uses of their data but not all of them. Not all systems operate like that, and as a result, organisations will need to develop sophisticated systems that can process these different elements and which provide an effective audit trail of how and when consent is given, for example, in the online environment, a timestamp on when an individual gave consent. In addition, the systems will have to have in place withdrawal mechanisms, as the right to withdraw consent provides that it shall be as easy to withdraw as to give consent. How do you put in place different mechanisms to deal with this? Further guidance would be helpful around some of these practical issues.”
Finally, the Guidance reminds organisations that explicit consent is one of nine legal bases that can be utilised to overcome the prima facie prohibition on the processing of sensitive personal data, and that Article 9(4) provides the ability for Member States to add further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
Heledd Lloyd-Jones, Associate at Bird & Bird noted, “Given the changes in requirements, my main recommendation for organisations is to identify alternative grounds for processing wherever possible to minimise the burden of having to obtain and manage consent. As the Guidance suggests that seeking consent where another processing basis is available is likely to be unfair, this will also avoid the risk of unfairness. However, until there is greater clarity about the additional processing grounds that will be available in due course for sensitive personal data as a result of the introduction of national legislation, this may be easier said than done […] It is anticipated that these new grounds will be introduced perhaps to duplicate the conditions that can currently be relied on under existing rules, for example, under Schedule 3 of the DPA and associated sensitive data orders. However, the timetable for this is very uncertain. In the meantime, organisations will be doing their best to put in place complex mechanisms for the active management of consent that they may not need to rely on in the long term, or which may need significant revision once new processing conditions become available under domestic law […] This highlights the urgent need for greater clarity about what further processing conditions will be introduced by national legislation and when these will come into effect.”
The consultation is open until 31 March 2017 and the ICO advised that it intends to issue a call for evidence to get a better sense of what technical solutions are available or are being developed for obtaining and managing consent. It further noted that the Article 29 Working Party intends to produce guidelines on this topic later this year.
Alexis Kateifides | Privacy Analyst