21 May 2018
Consent is no longer the 'catch all' it once was to legitimise processing of personal data.
With the GDPR coming into effect on 25 May, guidance is coming thick and fast. One of the most difficult concepts for organisations to deal with is the enhanced version of consent. Under existing EU data protection law, consent is often used as a 'catch all' for data controllers. The new improved GDPR definition of consent makes it much harder to achieve so it is no longer an easy default lawful basis for processing personal data. This is made all the more complicated by the fact that you have to pick one lawful basis for a processing operation before the processing begins and if you pick consent, you cannot change to another lawful basis if consent is subsequently withdrawn.
As if that weren't enough, in addition to the significant amounts of information you have to give individuals to achieve valid consent, you also have to do it in such a way that they can easily understand it and this can conflict with the transparency principle if you get the balance wrong (see more about guidance on the transparency principle).
How GDPR consent fits in with ePrivacy requirements (both current and proposed), is another issue that businesses are grappling with as they get ready for 25 May and beyond.
Following on from the Article 29 Working Party's (WP29) final guidance on consent, the UK's ICO has also finalised its own guidance on the use of consent under the GDPR and updated its GDPR guide to incorporate it (pp25-60). Both sets of guidance are broadly unchanged since the drafts but there are a few areas of addition and clarification.
Organisations which have historically relied on consent need to assess whether that consent is still valid for GDPR purposes. If it is not, there is a one-off opportunity to change the lawful basis for the processing. The ICO guidance, together with the WP29 guidance, should help clarify whether consent is the best lawful basis going forward, and when to use it for a new processing operation.
The most notable changes to the ICO guidance cover:
If consent is withdrawn, data processing for the purpose for which consent was obtained must stop. The relevant data may be processed for a different purpose where a different lawful basis was relied upon (and the individual should have been informed of that at the time consent was obtained). The data controller cannot, however, change the lawful basis of the processing for that purpose (for example to legitimate interests). When consent is used as a lawful basis for processing, this gives the individual a sense of control over the use of their data. To continue to process the data for the same purpose after consent is withdrawn would make that sense illusory and this would be unfair.
If you rely on consent obtained by a third party, you must be specifically named in the consent request. Categories of third-party organisations in a consent request will not be enough to obtain valid consent under the GDPR.
Processors do not need to be named in consent requests but there are separate requirements under the transparency principle around disclosing details of processors.
Conversely, a third party can consent on behalf of an individual in theory, but it will be hard to demonstrate that the individual was fully informed and their consent was freely given.
This has been fleshed out in the final version of the guidance to make it clear that even where you decide to rely on a lawful basis other than consent from 25 May 2018 (which is permitted as a one-off according to Article 29 Working Party guidance), you should remember that processing must still be fair and transparent. This means that you should take all reasonable steps to tell individuals you are relying on a new lawful basis and explain what that basis is. Where possible, individuals should be given the chance to opt out to minimise their loss of control.
The ePrivacy Regulation has not been finalised. PECR will continue to apply in the interim but from 25 May 2018, PECR consent will be the same as GDPR consent. The ICO's consent guidance says that where consent is needed under ePrivacy laws, in practice, consent is also the appropriate lawful basis under the GDPR. This makes sense given PECR consent and GDPR consent are the same. If, however, ePrivacy laws don't require consent, another lawful basis may be used, such as legitimate interests. Similarly, for cookies, consent will need to be GDPR consent but an alternative lawful basis may be available for any associated processing of personal data.
This section has been expanded. The ICO clarifies that to process special (sensitive) data, a lawful basis must be identified under Article 6 together with a separate condition for processing special category data under Article 9 (as supplemented by Schedule 1 of the Data Protection Bill). Where explicit consent is relied on, it must still be freely given and the processing must be necessary for the service being provided. Where the processing of special category data is genuinely necessary to provide a service to the individual, you may still be able to rely on consent as the condition for processing that special data where no other Article 9 condition applies.
There may be situations where it will be possible for a public authority to obtain freely given consent despite the fact that it is in a position of power so there is a risk of imbalance. Public authorities are, however, restricted in their ability to use legitimate interests as a lawful basis for processing. The 'public task' basis is likely to be the most suitable where the processing is to perform the authority's official functions as set out in UK law.
Rules about consent requests are separate from transparency obligations which apply regardless of which lawful basis is being relied upon for processing. These two requirements are not always complementary as those grappling with drafting privacy policies will know. The ICO says that although Recital 32 suggests that electronic consents should not be unduly disruptive to users, this does not override the need for consent requests to be clear and specific.
Explicit consent must be confirmed in words. Individuals do not have to use their own words but they must indicate their clear agreement. Explicit consent can be obtained orally but a record must be kept of the script.
In a change from the draft, the final guidance says that parental consent will not automatically expire when the child reaches the age at which they consent. Consents naturally degrade with time but in the instance of parental consent, the consent should be refreshed more regularly.
This section has been extended to bring it in line with Article 29 Working Party guidance. The ICO reminds controllers that GDPR consent should not be confused with any other legal or ethical obligation to get consent from people participating in research.
Jo Joyce looks at legitimate interests and purpose limitation provisions in the Data Protection and Digital Information Bill.
by Jo Joyce