The Article 29 Working Party, which is a committee made up of representatives from national data protection authorities from across the EU, said businesses should review the consent that they have obtained under existing data protection laws to check that it will remain valid under the General Data Protection Regulation (GDPR), which will apply from 25 May 2018.
It said "the concept of consent … has evolved".
"It is important for controllers to review current work processes and records in detail, before 25 May 2018, to be sure existing consents meet the GDPR standard," the watchdog said. "In practice, the GDPR raises the bar with regard to implementing consent mechanisms and introduces several new requirements that require controllers to alter consent mechanisms, rather than rewriting privacy policies alone."
The Working Party said that where previous consents are no longer valid, businesses may be able to rely on "a different lawful basis" for continuing the data processing under the GDPR. However, it called this opportunity a "one off situation" and said that businesses will not be able to "swap between one lawful basis and another" after the GDPR begins to apply.
According to draft guidance on consent under the GDPR that the Working Party has opened a consultation on, businesses should not require consumers to give their consent to the collection and use of their personal data as a condition for being provided with services.
The Working Party said "the processing of personal data for which consent is sought cannot become directly or indirectly the counter-performance of a contract" under the GDPR.
Consent is one of six lawful bases for processing personal data under the GDPR.
Although explicit consent is required in some circumstances under the GDPR, in general, for consent from a data subject to be considered valid, it will need to be freely given, specific and informed. It must also be an unambiguous indication of the data subject's wishes that is stipulated by a statement or by a clear affirmative action.
Processing personal data is also permitted in cases where it is necessary to enter into or perform a contract. In its draft guidance, the Working Party said the consent and contract bases for data processing "cannot be merged and blurred".
"As data protection law is aiming at the protection of fundamental rights, an individual’s control over their personal data is essential and there is a strong presumption that consent to the processing of personal data that is unnecessary, cannot be seen as a mandatory consideration in exchange for the performance of a contract or the provision of a service," the watchdog said. "Hence, whenever a request for consent is tied to the performance of a contract by the controller, a data subject that does not wish to make his/her personal data available for processing by the controller runs the risk to be denied services they have requested."
"In general terms, any element of inappropriate pressure or influence upon the data subject (which may be manifested in many different ways) which prevents a data subject from exercising their free will, shall render the consent invalid," it said.
The Working Party's draft guidance, which is open to consultation until 23 January 2018, also said that, under the GDPR, businesses will not be able to rely on consent obtained for data processing for one purpose as consent for data processing for other purposes. It stressed the importance of granularity in consent mechanisms.
"If the controller has conflated several purposes for processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom," the Working Party said. "This granularity is closely related to the need of consent to be specific.... When data processing is done in pursuit of several purposes, the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose."
The Working Party also said that public bodies will be "unlikely" to be able to rely on consent as a basis for processing personal data because "there is often a clear imbalance of power in the relationship between the controller and the data subject". The imbalance of power means that consent could not be deemed to be 'freely given', it said.
However, the Working Party provided examples of some circumstances in which public bodies might be able to rely on consent for data processing operations.
Likewise, although an imbalance of power exists in an employer-employee context, employers may be able to rely on consent in "exceptional circumstances, when it will have no adverse consequences at all whether or not [employees] give consent", it said.
Consent will not always be the best mechanism for businesses to rely on for processing personal data under the GDPR, the watchdog said. It urged businesses to consider whether it is more appropriate to rely on an alternative lawful basis for processing the information under the new Regulation.
"Generally, consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment," it said. "When asking for consent, a controller has the duty to assess whether it will meet all the requirements to obtain valid consent. If obtained in full compliance with the GDPR, consent is a tool that gives data subjects control over whether or not personal data concerning them will be processed. If not, the data subject’s control becomes illusory and consent will be an invalid basis for processing, rendering the processing activity unlawful."
The Working Party also issued separate draft guidance on transparency under the GDPR.
Further guidance from the UK's Information Commissioner's Office (ICO) on the topic of consent under the GDPR is expected to be issued to complement the Working Party's guidance. The ICO consulted on draft guidance earlier this year.
Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said the draft guidance from the ICO contained a "clear message" to businesses to "consider whether they could or should rely on an alternative to consent to process personal data".