“Consent” is one of the legitimate bases or legal grounds included in Article 6 of the EU General Data Protection Regulation (GDPR). The definition of consent is included in Article 4.11 of the GDPR as follows:
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
However, beyond this definition, the GDPR sets out numerous requirements and specific features of this legal concept which represent important novelties. Accordingly, these features will be analysed throughout this article in an attempt to clarify (i) what conditions must be met to obtain consent properly, and (ii) what difficulties it entails compared with the other legal grounds.
According to the definition above, the requirements that the consent must meet in order to be considered validly obtained are the following:
– Freely given. In practice, this is probably the most difficult requirement to meet. It means that if the person concerned feels obliged to give consent, or fears suffering negative consequences if they do not, then the consent cannot be considered valid (as determined by the Article 29 WP both in its Opinion 15/2011 and in the Guidelines on consent under Regulation 2016/679). This implies, for example, that various data protection authorities in the European Union do not accept consent given by employees to their employer, as it can never be considered “freely given.”
– Specific. The consent must be specific as to the exact purpose or purposes for which the subject’s data will be used. In fact, Recital 32 of the GDPR states that where the processing has several purposes, consent must be given for each of them individually. This means that it would not be valid to obtain a “general consent” covering all data processing activities; consent must instead be obtained separately for each purpose, although activities sharing the same purpose may be grouped together.
– Informed. Certain information must be provided to the data subject at the time of obtaining their consent for it to be valid. Specifically, the Article 29 WP states that information should be provided on (i) the identity of the data controller, (ii) the purposes of the processing, (iii) the type of data processed, (iv) the existence of the right to withdraw consent, (v) the existence of automated decisions and (vi) if applicable, the risks of transfers without an adequacy decision or adequate safeguards (pages 14 and 15 of the Guidelines on Consent). This is without prejudice to the general duty to inform already contained in Articles 13 and 14 of the GDPR.
– Unambiguous. While the term “unambiguous” was already included in the text of the 1995 Directive, the concept has been broadened in the GDPR. It implies that consent must be given by means of a statement (oral or written) or a clear affirmative action. According to Recital 32 of the GDPR, this could include ticking a box when visiting a website, choosing technical settings for information society services, or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Furthermore, according to the same Recital 32, silence, pre-ticked boxes or inaction are not valid means of obtaining unambiguous consent.
Does this mean that consent under the GDPR must always be explicit? Quite a few commentators claim that the General Data Protection Regulation establishes a general rule of “explicit consent,” but this is not true, except in the case of special categories of data (and international data transfers), as we will see below. However, since a clear affirmative action is required, it is not easy to find alternative means of obtaining it, although this does not mean that they do not exist.
Explicit consent for special categories of data
Article 9 GDPR lists the following special categories of personal data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data and data concerning a natural person’s sex life or sexual orientation. In this case, the legal grounds contained in Article 6 are not applicable; instead, Article 9 GDPR itself establishes the different situations in which such processing is lawful (“exceptions,” since the general rule here is a prohibition on processing these categories of data).
In this sense, Article 9 GDPR sets “explicit consent” as the first possible ground for processing these special categories of data. As can be seen, in this case the GDPR expressly includes the word “explicit,” which is not mentioned in Article 6 or in any of the recitals relating to consent. This shows that there are two different types of consent in the GDPR: the general consent of Articles 6.1 and 7, and the explicit consent of Article 9.2.a, which is necessary for processing special categories of data.
What, then, is the difference between general consent and the explicit consent of Article 9? As noted, “normal” consent does not leave much room for creativity, but Article 9 leaves none at all. Thus, it seems that only an explicit statement by the individual will satisfy it. That statement may, however, be given either in writing or verbally (although in the case of a verbal statement it will be more difficult to keep evidence that it occurred). Additionally, clicking a checkbox accompanied by a written statement (“I accept the processing of my data for…”) would also constitute valid explicit consent.
Conclusion: Is consent the best legitimate basis?
Consent is undoubtedly the legitimate basis offering the best guarantees to the data subject, but it is not necessarily the one that provides the greatest legal certainty to the data controller in practice. Some of the problems related to consent are as follows:
– It is hard to obtain it properly. The requirement for a clear affirmative action means that there are few acceptable options that fall short of explicit consent. Let us also remember that in January 2019 the CNIL (the French data protection authority) imposed a fine on Google for, among other issues, failing to obtain consent properly (which reflects the fact that, precisely because consent is difficult to obtain, it is also easy to commit an infringement inadvertently).
– It can always be withdrawn. As we have noted, consent must be freely given, and this means that the data subject has the right to withdraw it at any time and without detriment. The data controller is therefore exposed to losing the legitimate basis for the processing at any moment and, when that happens, must cease the processing.
– It is necessary to keep evidence. Article 7 of the GDPR states that the controller must be able to demonstrate that the data subject has consented. Therefore, when relying on this legitimate basis, the controller is obliged to keep evidence of having obtained consent, with the corresponding complications that this may entail in practice.
In conclusion, although obtaining consent is good practice, I would recommend that any organisation analyse whether the data processing activities it performs might be covered by any of the other legal grounds included in Article 6 before attempting to obtain consent. There are cases where it is impossible to fit certain processing activities into any of the other Article 6 legal grounds and, when such cases arise, only consent can legitimise the processing. However, the complexity and lack of certainty associated with this legitimate basis mean that, if an organisation is able to rely on other legal grounds for as many processing activities as possible, this will probably be more beneficial for it in the long term.