GDPR On Consent
The EU General Data Protection Regulation, affectionately known as GDPR, will kick in on May 25, 2018--just days away. Anyone who interacts digitally with, or collects data from, individuals in the EU (the regulation protects data subjects located in the EU, not only EU citizens) is responsible for stewarding that data according to the rules laid down by the GDPR. For more information on who is affected by the GDPR and the key terms of the regulation, see our earlier article. One of the major issues data collectors must tackle is consent: how to obtain valid consent from EU data subjects to collect and process their personal information.
Definition of Consent Under GDPR
What constitutes consent has changed considerably under the GDPR, creating a higher standard for data collectors to meet when asking for information. The previous definition of consent under the European Data Protection Directive (95/46/EC) was transposed into national law separately by each member state, which allowed a patchwork of consent interpretations across the EU. The new definition, outlined below, is meant to apply uniformly as a regulation and to bring a clearer definition of consent and how it is obtained, while raising the standard of protection for the privacy of EU data subjects.
Consent is defined by the GDPR in Article 4(11) as:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
This definition tightens the requirements for consent. The Directive already required consent to be "freely given", "specific" and "informed"; the GDPR keeps those three, adds that the indication of wishes must be "unambiguous", and spells out that it must be given "by a statement or by a clear affirmative action". It also adds conditions in Article 7 (demonstrating consent, distinguishing the request from other matters, easy withdrawal, and not bundling consent with a contract). This article walks through each element and what needs to be done for the new standard to be met.
Consent Must be “Unambiguous”
Unambiguous consent means there is no doubt that the data subject actually intended to consent, and no doubt about what they consented to. When collecting consent, data collectors must be clear about who is collecting the data and what they are going to do with it, so that the subject's "yes" cannot be read two ways. In many instances this is relatively straightforward: if you are collecting email addresses to send a newsletter, and the individual provides their email to receive the newsletter, that is fairly unambiguous. However, if you are collecting emails for a prize drawing and also intend to send promotional materials, you must be clear about exactly how the email address provided will be used; an entry into the draw cannot be read as agreement to marketing. And if you are collecting data for a variety of purposes, obtaining "unambiguous" consent gets more complicated, because each purpose needs its own clear indication.
Consent Given with “Statement or Clear Affirmative Action”
Consent must be given by a "statement or clear affirmative action." This means there must be a positive act by the individual that shows they are actually choosing to consent. On screen, that translates into making sure consent is never inferred from inaction or silence: a visitor must tick a box, click a button, or actively choose technical settings for an online service, for example. Recital 32 is explicit that silence, pre-ticked boxes or inactivity do not constitute consent, so a form whose consent checkbox defaults to checked, or a site that treats continued browsing as agreement, does not satisfy the "clear affirmative action" standard set down in the regulation.
Consent under GDPR must be “Freely Given”
Under the GDPR, consent must be "freely given." This means the data subject must have a genuine choice: it must be as easy to withdraw consent as it was to give it (Article 7(3)), and refusing or withdrawing consent must carry no detriment. Consent must also be kept separate from the conditions of a contract or service: performance of a contract may not be made conditional on consent to processing that is not actually necessary for that contract (Article 7(4)). Complications arise when there is a clear imbalance of power between the two parties, such that the party giving consent has much less power than the party using the data; for example, when the party collecting the data is a public body, or in an employer and employee relationship, consent is unlikely to be considered freely given.
“Specific” & “Informed” Consent
Additional requirements for consent under the GDPR are that it must be "specific" and "informed." Being "specific" means consent must be obtained for a stated purpose; if the data is going to be used for multiple purposes, those must be set out separately and consented to individually, rather than bundled into one all-or-nothing agreement. Along similar lines, "informed" consent means the data subject must know at least the identity of the data controller (so where his or her data is going), the purposes of the processing (what is going to be done with it), and the fact that consent can be withdrawn at any time. That right of withdrawal must be made crystal clear to the data subject before consent is given.
Additional Guidelines on Consent under GDPR
A request for consent must be presented in an easy-to-understand form, in clear and plain language, and clearly distinguishable from other matters such as general terms and conditions (Article 7(2)); when consent is requested by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service (Recital 32). Simply obtaining consent is not enough to satisfy the GDPR: the data controller must be able to demonstrate that the data subject consented (Article 7(1)), so appropriate records must be kept. In practice that means recording who consented, when, how (which action they took), to which purposes, and which version of the consent wording they were shown.
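The following is an added example, written for this article rather than taken from any product or library, of a minimal consent ledger that enforces the points made above in code: it refuses to record consent obtained through a pre-ticked box or silence, records each purpose separately, makes withdrawal a single call, and keeps an auditable record (who, when, how, which purpose, which notice version) that a controller could produce as evidence. The purpose names, "method" labels, controller name and the subject identifiers are assumptions for the example; the walk-through data is constructed.

```python
"""Added example: a consent ledger enforcing GDPR-style consent properties.
Illustrative code for this article, not a library. Purpose names, method
labels and identifiers are assumptions chosen for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Only explicit user actions count as consent. Anything defaulted, pre-ticked
# or inferred from inactivity is rejected rather than stored as "consent".
AFFIRMATIVE_METHODS = {"checkbox_ticked_by_user", "button_clicked", "settings_chosen"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str           # one specific processing purpose, e.g. "marketing_email"
    granted: bool          # True = consent given; False = refused or withdrawn
    controller: str        # identity of the controller shown to the subject
    notice_version: str    # version of the consent wording the subject saw
    method: str            # the affirmative action the subject took
    timestamp: datetime


class ConsentError(ValueError):
    """Raised when an attempted record would not meet the consent standard."""


class ConsentLedger:
    def __init__(self, controller: str, clock: Optional[Callable[[], datetime]] = None):
        self.controller = controller
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, decisions: Dict[str, Optional[bool]],
               notice_version: str, method: str) -> List[ConsentEvent]:
        """Record one consent interaction as a separate event per purpose.

        The whole interaction is validated before anything is stored, so a
        request that fails the standard leaves no partial record behind."""
        if method not in AFFIRMATIVE_METHODS:
            raise ConsentError(f"{method!r} is not a clear affirmative action")
        if not decisions:
            raise ConsentError("consent must be specific: no purposes given")
        events = []
        for purpose, granted in decisions.items():
            if not isinstance(granted, bool):
                # A missing or None value is silence, not a decision.
                raise ConsentError(f"no explicit decision for purpose {purpose!r}")
            events.append(ConsentEvent(subject_id, purpose, granted, self.controller,
                                       notice_version, method, self._clock()))
        self._events.extend(events)
        return events

    def withdraw(self, subject_id: str, purpose: str) -> ConsentEvent:
        """Withdrawal is one call with no conditions: as easy as giving consent."""
        prior = self.evidence(subject_id, purpose)
        version = prior.notice_version if prior else "none"
        ev = ConsentEvent(subject_id, purpose, False, self.controller,
                          version, "button_clicked", self._clock())
        self._events.append(ev)
        return ev

    def evidence(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Most recent event for this subject and purpose: the proof a
        controller would produce to show how consent was (or was not) obtained."""
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev
        return None

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Current consent state; absent any record, the answer is no."""
        ev = self.evidence(subject_id, purpose)
        return ev is not None and ev.granted


def demo() -> dict:
    """Constructed walk-through: a prize-draw form that also asks about marketing."""
    ledger = ConsentLedger("Example Ltd")  # assumed controller name
    # u-1 enters the draw but refuses marketing: two separate decisions.
    ledger.record("u-1", {"prize_draw": True, "marketing_email": False},
                  "notice-2018-05", "checkbox_ticked_by_user")
    pre_ticked_rejected = False
    try:  # u-2's box was pre-ticked: not consent, nothing is stored.
        ledger.record("u-2", {"marketing_email": True}, "notice-2018-05", "pre_ticked")
    except ConsentError:
        pre_ticked_rejected = True
    silence_rejected = False
    try:  # u-3 clicked submit but made no decision on the purpose: silence.
        ledger.record("u-3", {"marketing_email": None}, "notice-2018-05", "button_clicked")
    except ConsentError:
        silence_rejected = True
    ledger.withdraw("u-1", "prize_draw")
    return {
        "u1_prize_draw": ledger.has_consent("u-1", "prize_draw"),
        "u1_marketing": ledger.has_consent("u-1", "marketing_email"),
        "u2_marketing": ledger.has_consent("u-2", "marketing_email"),
        "pre_ticked_rejected": pre_ticked_rejected,
        "silence_rejected": silence_rejected,
        "u1_marketing_evidence_version": ledger.evidence("u-1", "marketing_email").notice_version,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the ledger never stores a "default" state: a purpose with no explicit boolean decision, or a method that is not on the affirmative list, raises before anything is written, so the only records that exist are ones the controller could defend. Storing the notice version alongside each event is what lets you later show exactly what the subject was told when they consented.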
The GDPR takes the privacy of EU data subjects very seriously and demands high standards for obtaining consent. Data controllers must put all of their cards on the table before a data subject can validly consent to their data being used, and must be able to prove afterwards that they did so. It pays to be clear and up-front on these issues.
Our next installment will cover the rules regarding data breach notification under the GDPR.