The Working Party on the Protection of Individuals with regard to the Processing of Personal Data ("Working Party"), established under Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 ("EU Directive"), has updated its opinion on consent under the General Data Protection Regulation ("GDPR"), which will be effective on May 28, 2018.
The GDPR evolved the concept of consent under the EU Directive and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector ("E-privacy Directive") by providing further clarification and specification of the requirements for obtaining and demonstrating valid consent. The Working Party's opinion of November 28, 2017 mainly focuses on this evolution and sheds more light on the triangle formed by the EU Directive, the GDPR and the Turkish Data Protection Law ("Law No. 6698"). Law No. 6698 is based on the EU Directive, whereas its consent-related provision for processing personal data is adopted from the GDPR. Hence, the updated opinion answers most of the questions raised by Turkish companies during their compliance processes.
II. Elements of Valid Consent
Article 4(11) of the GDPR defines consent as: "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".
According to this provision, the consent of the data subject means any (i) freely given, (ii) specific, (iii) informed and (iv) unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
(i) The Consent Must be Freely Given
The Working Party, in its opinion, stated that consent will not be considered "free" if the data subject is unable to refuse his or her consent, and that it can only be valid if the data subject is able to exercise a real choice. Consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will. The Working Party also mentioned that the imbalance between the data subject and the controller (which mostly occurs where the data controller is a public authority or where the data subject is an employee) is also taken into consideration by the GDPR.
Article 7(4) of the GDPR plays an important role in determining whether consent is freely given or not. According to this article, when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. Through this provision, the GDPR aims to narrow the term "the performance of a contract". The Working Party states that there needs to be a direct and objective link between the processing of the data and the purpose of the execution of the contract (e.g. processing the address of the data subject in order to deliver the goods which were purchased online).
The Working Party also mentions the term "granularity" when determining the existence of freely given consent. In cases where a service involves multiple processing operations for more than one purpose, the data subjects should be free to choose which purposes they accept. Therefore, a separate consent may be warranted for each purpose. In other words, consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of these purposes.
For example, a company asks its customers to consent to receiving its campaigns and promotions by e-mail and, at the same time, to sharing their personal data with other companies within its group. According to the GDPR, this consent cannot be considered granular since there are no separate consents for these two separate purposes. Therefore, the consent will not be valid.
According to the GDPR, the data controller also needs to demonstrate that the data subject is free to refuse or withdraw consent without detriment, and it should be able to prove that the data subject had a free and genuine choice in giving consent.
(ii) The Consent Must be Specific
According to the Working Party, to comply with the element "specific" which is stated in the definition of "consent" under the GDPR, the data controller must apply the following:
a. If a data controller processes data based on consent and intends to process the data for a new purpose, the data controller needs to obtain a new consent from the data subject for the new processing purpose. The original consent will not legitimize new purposes for processing.
b. If the data controller seeks consent for various different purposes, it should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes.
c. The data controller should provide specific information about the data with each separate consent request, in order to make data subjects aware of the impact of the different choices that they have.
(iii) The Data Subject Must be Informed
According to the Working Party, it is essential to provide information to data subjects before obtaining their consent, since it will enable them to make informed decisions, understand what they are consenting to, and exercise their rights regarding their consent. The Working Party listed the minimum information required for obtaining valid consent under the GDPR. These are:
a. the identity of the data controller,
b. the purpose of each of the processing operations for which consent is sought,
c. the type of data which will be collected and used by the data controller,
d. the existence of the right to withdraw consent,
e. information about the use of the data for decisions based solely on automated processing,
f. if the consent relates to data transfers, information about the possible risks of data transfers to third countries in the absence of an adequacy decision and appropriate safeguards.
Even though most of the information listed above was also required under the EU Directive, the GDPR expands the information that should be provided to the data subject by stating that the data controller should also inform the data subject that he/she can withdraw his/her consent. This requirement was not included in the EU Directive.
Similar to the EU Directive, the GDPR does not require a specific form for such information. Hence, valid information may be provided in various ways (e.g. in writing, orally, or via audio or video messages). However, the GDPR also sets higher standards for the clarity and accessibility of the information. Accordingly, the Working Party stated that the data controller should use clear and plain language which can be easily understood by an average person. The Working Party does not allow long, illegible privacy policies or statements full of legal jargon.
(iv) Unambiguous Indication of the Data Subject's Wishes
The Working Party refers to Article 7(2) of the GDPR, which addresses pre-formulated written declarations of consent. According to the Working Party, when consent is requested as part of a contract, the request for consent should be clearly distinguishable from the other matters. Also, if consent is requested by electronic means, the consent request has to be separate and distinct; it cannot simply be a paragraph within terms and conditions. This is especially important for e-commerce websites, along with many other online platforms and other natural and legal persons processing personal data. That means no more incorporating data protection clauses into Terms & Conditions or into employment contracts. The principle of being "clearly distinguishable" is also linked with being "freely given". For instance, if consent is indistinguishable and incorporated into an agreement along with many other provisions, the data subject cannot consent freely and separately, but signs the agreement as a whole.
The EU Directive described consent as an "indication of wishes by which the data subject signifies his agreement to personal data relating to him being processed". The GDPR expands this definition, by clarifying that valid consent requires an unambiguous indication by means of a statement or by a clear affirmative action which means that the data subject must have taken a deliberate action to consent to the particular processing.
The GDPR also brings new requirements for data controllers regarding the explicit consent they obtain. According to Article 7 of the GDPR, the data controller is obliged to demonstrate the data subject's consent. The same provision also states that the data controller must ensure that consent can be withdrawn by the data subject at any time, and as easily as it was given.
III. Reflections of the Article 29 Working Party's Updated Opinion on Turkish Personal Data Legislation
Law No. 6698 is based on the EU Directive which is currently in force. The obligations of data controllers and the rights of the data subjects set forth under the Law No. 6698 are basically in line with the provisions under the EU Directive. Having said that, the Law No. 6698 requires "explicit consent" of the data subjects for any kind of personal data processing, not only for sensitive personal data, which is in line with the GDPR. Accordingly, the Working Party's updated opinion for the GDPR may also guide Turkish businesses in terms of structuring their processes.
For instance, according to the GDPR, the data controller must be able to demonstrate that valid consent was obtained. Also, mechanisms for data subjects to withdraw their consent must be available and easy to use, and the data controller must provide information on how to withdraw consent. Law No. 6698 imposes similar obligations on data controllers.
Law No. 6698 is a separate and independent local regulation. However, it is likely that the Turkish Data Protection Board, which is the main authority on data protection related matters, will take the opinion of the Working Party as a basis when evaluating the suitability of consent, as Law No. 6698 is mainly based on the EU legislation and the implementation in the EU is currently the primary source. The Turkish Data Protection Board has already published its guideline document on consent, stating that umbrella consents will be invalid, which is in line with the "specific consent" principle in the EU. We expect that the opinion of the Turkish Data Protection Board will take shape over time, also taking into account the implementation in the EU. Data controllers may benefit from the Working Party's updated opinion for clarity on explicit consent and assess whether their current consent flow needs updating.