European Union: Descriptive Deconstruction Of The Conceptual And Practical Significance Of Consent (GDPR)

Last Updated: 6 August 2018
Article by Agis Charalambous

The intricate concept of consent, its role as well as its implementation framework enhances its use as a legitimate processing base and proves to be one of the most widespread ways of enhancing the person/subject autonomy, particularly in the field of personal data. As has been the case today, because of the impossibility of committing the opinions that will be mentioned below, the significance of such an important doctrine as that of consent was not given due importance. Therefore, after the end of the grace period of two years, the new regulation will create a more stringent and safer environment for the benefit of the data subject, due to the fact that the privacy regime as it stood, would have led to serious degradation.

The requirements for obtaining and proving one of the six registered legal processing bases in accordance with Article 6 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and for the free movement of such data and the repeal of Directive 95/46 / EC (hereinafter referred to as "the Regulation"), have now been further specified and clarified.

This text will be developed in the light of the primary interpretation of the Directive 95/46 / EC (hereinafter referred to as the "Directive"), of the Working Party Opinion No 15/2011 of the Article 29 Working Party (hereafter "AG29"), and the recent revised AG29 guidelines adopted on 10 April 2018 (hereinafter referred to as the "Guidelines"). Initially, it will focus on the upgraded interpretation given to consent as a legitimate basis of treatment, and thereafter the established conditions for acquiring and proving valid consent, will be considered. Undoubtedly, however, these two issues become inseparably linked, as the legislator always seeks to broaden and establish these conditions for more ideal and effective guidance on the basis of the interpretation of the constituent elements.

The crucial role of consent has already been pre-defined by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, which greatly enhances and justifies the intense efforts of a more modernized and stricter reform than the Regulation.

While it can be observed that the two definitions of consent, the Directive's and the Regulation's, are similar to their wording with some minor differences, what the Regulation essentially enshrines is, based on previous opinions, a better and more detailed explanation of the conditions for the acquisition of valid consent. These are specified in Article 7 of the Regulation to the evidence of consent acquired by the controller, to the distinct, clear, comprehensible and simple wording of the consent, of the easy provision / withdrawal and the possibility of revocation at any time and of avoiding the conditional inclusion thereof in the context of a contract, including the provision of a service.

According to the Directive, previous opinions, in particular Opinion 15/2011 of the AG29, the elements of free, specific, explicit and informed consent have been consolidated in Article 4 (11) of the Regulation, thus giving room for further development based on the binding text.

Consent, as interpreted in the draft bill proposed by the Commissioner for Personal Data Protection as the competent supervisory authority, under the Regulation, means (Translation from the text in Greek):

"any indication of will, free, specific, explicit and in full knowledge, by which the data subject expresses that he or she agrees, with a statement or with a clear positive action, that the personal data relating to him / her are going to be processed."

By contrasting this definition with that given for the harmonization of the Directive on the Processing of Personal Data (Protection of Individuals) Law of 2001 (138 (I) / 2001), one can understand that the elements of free, explicit, knowledge and indication of will remain, as the clarity element is added with further clarification on a positive action or statement referring to the phrase "unambiguous indication by means of a statement or by a clear affirmative action". The reference to an unambiguous indication is not entirely unprecedented as it is also included in Article 7 (a) of the Directive, as is the reference to the indication of will. What is distinguished, however, is the positive action or statement that gives an extra hint of difficulty. The data subject should have proceeded with deliberate action to consent to the specified processing. Consequently, in the context of specification, no general consent can be given to all forms of processing. Instead, the controller should give detailed information about each processing purpose in order for the data subject to be able to control its personal data.

However, due to what has been said above, under the element of Informed consent, the need for continuous contact with the data subject (with the exception of the elasticity shown in recital 33 on scientific research) is intensified.

Additionally, in the context of Freely Given, there is a need for a choice between different processing purposes and, in particular, when the controller is a public authority and hence in a position of superiority. In accordance with Article 5 (1) (b) and Recital 32, the consent given in this case may serve all the processing operations provided they are covered by the same purpose.

In accordance with Article 7 (1) of the Regulation, the additional burden of proof of the consent given over the processing period lies on the controller's shoulders with such mechanisms, as highlighted in the recent guidelines, at the discretion of the controller. This will become more difficult, particularly in cases where the performance of a contract, including the provision of a service, requires consent, even if it is not necessary for such execution.

Depending on the performance of the contract and not only, but also in accordance with recital 42, the data subject should be able to proceed with selection without any possibility of coercion or other significant adverse effects in the case of withdrawal or non-consent such as fraud, intimidation and coercion. This should also be reasonably expected as a result of the correct application of Article 7 (2) of the Regulation, where the request for consent must be presented in a comprehensible, easily accessible form, clear and plain wording and without any unfair terms in the case provided in a written declaration.

Furthermore, the guidelines point to the need for a direct and objective link between the proposed treatment and the conventional purpose. This is also linked to the Minimization Principle as the collection and processing of personal data should be necessary for the performance of the contract, in the case where the processing of the residence address of the subject is necessary for sending goods purchased over the internet. In the case in which the processing is actually necessary for the performance of the contract, Article 7 (4) is not applicable and the legal basis of consent will not be the ideal one for exploitation, except where there is a choice of consenting between an equivalent service offer from the same controller. This ensures free choice without causing the subject to look for an equivalent service from different providers.

However, the necessity of collecting and processing the data on the basis of its processing purposes is not limited only to a contract, but according to Recital 39, it is subject to universal application in particular in the subsequent storage and conservation period to be limited to the minimum and to the extent necessary for that purpose (storage limitation).

The constituent elements of consent remain interrelated and have a continuous influence on each other, as is emphasized by AG29 eg. the need to provide more and more detailed information is not only aimed at satisfying the element of free consent, but also in terms of the specificity and knowledge under the supervision of the Transparency Principle as explained in recital 58. However, under no circumstances should the obligation to comply with the processing Principles as set out in Article 5 of the Regulation be subsumed or detracted from.

Referring to Article 7 (3) of the Regulation, what remains to complete the general framework for valid consent is the ease of provision / withdrawal and the ability to withdraw it at any time. Article 7 (3) essentially codifies previous opinions, and imposes a stricter line on the means of withdrawal and prior notice to the subject of that right. The guidelines, by naming the withdrawal as one of the two additional conditions, reject a common mechanism such as one-touch consent and withdrawal by telephone during the opening hours of that e-shop. The rejection lies to the fact of disproportionate provisioning and withdrawal, as one of the most significant problems of apparent simplicity for obtaining valid consent. However, the right of erasure remains on the basis of Article 17 (1) (b) and (3) after withdrawal of consent. Nevertheless, what makes it difficult for a controller to do so is the obligation to constantly check the suitability / necessity of data processing, even without any request for removal/erasure from the subject.

As correctly observed by AG29, requirements for valid consent are not considered as an "additional obligation" but probably as a prerequisite for lawful processing. However, the question of whether they can be perceived as such is still questioned as a large proportion of data usage is based on this legitimate basis, although the specifications of the Regulation had been announced in previous opinions, the full force of the Regulation imposes a form of additional liability to the data controller due to the much higher penalties / fines.

However, data controllers are not automatically forced to carry out a complete renewal of the processes based on the legal basis for consent obtained under the Directive provided they verify their compliance with international data protection standards.

Implied consent that has been provided, but without any record and proof, will be deemed to be inferior to the criteria for obtaining a valid consent under the Regulation and therefore invalid. Additionally, on the basis of the most widespread form of consent to the online world, any attempt to automation and preselection (see Pre-ticked selection Boxes) will be void, as well as selecting the exclusion (see Boxes of Exclusion) provided that it is based on implied consent. In a nutshell, the Regulation does not only seek to reassess the privacy policies, but also to reform the mechanisms for obtaining valid consent.

In conclusion, the above changes and clarifications on the constituent elements under the conditions of valid consent can be summarized in the following substantive acts, in line with the UK Information Commissioner's (ICO)1 guidelines of 2 March 2017.

  1. Unbundled - Consent must be kept separate from other terms and conditions and must not be a prerequisite for the signing up to a service unless it is necessary for that service.
  2. Active Opt-in - Pre-ticked opt-in boxes are invalid (opt-out tick boxes are not banned per se under the Regulation, but they are essentially the same as pre-ticked boxes which are banned so should not be used).
  3. Granular - Provide options to consent to different types of processing where appropriate.
  4. Named - Name the controller and any third party based on consensus.
  5. Documented - Keep records of what data subjects have consented to, what they were told, and when and how they consented.
  6. Easy to withdraw - Inform data subjects that their consent may be withdrawn at any time and provide information on how to do so (which must be easy to action).
  7. No imbalance in the relationship - Consent will not be freely given if there is an imbalance in the relationship between the data subject and the controller.

Footnotes

1 Consultation: GDPR consent guidance

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
 
Related Articles
 
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions