Consent under General Data Protection Regulation (GDPR)
- Hajar MALEKIAN
- 10 Dec. 2017
Introduction
Given the importance of consent as the main legal ground for processing personal data, and the fact that the new GDPR[1] imposes stricter conditions on consent, this article studies the conditions for valid consent under GDPR, as well as some related issues: withdrawal of consent, the purpose of processing, and the place of consent relative to the other legal bases of processing under GDPR.

Conditions for a valid consent
Consent is one of the main legal grounds of processing, under Article 6(1)(a) of GDPR. Through consent, the data subject has more control over the processing of his or her personal data, in order to mitigate or even prevent risks related to the processing. Consent is defined under Article 4(11) of GDPR as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Some of these conditions are developed in more detail in this article.
“Unambiguous consent”
One of the conditions for the validity of consent is that it be “unambiguous”. Compared to Directive 95/46[2], unambiguous consent is a new condition under GDPR. Unambiguous consent can take any form, as long as it represents a “clear affirmative act”[3]. Recital 32 of GDPR provides some examples of unambiguous consent: a written[4] or oral statement, including ticking a box when visiting an internet website, or choosing technical settings for information society services. Recital 32 also lists cases in which consent is not considered to be given by a clear affirmative act, such as silence, pre-ticked boxes or any inactivity.
A special form of consent may be required as an extra condition for processing special categories of data or for special processing of personal data. In this regard, “explicit” consent is required in three cases in GDPR: the processing of sensitive data[5], automated decision-making[6] and the transfer of personal data to a third country[7]. These three cases concern high-risk processing. Under Directive 95/46, “data which are capable by their nature of infringing fundamental freedoms or privacy should not be processed unless the data subject gives his explicit consent”[8].
Implicit consent under GDPR?
Under Directive 95/46/EC, controllers are allowed to rely on implicit and “opt-out” consent in some circumstances. GDPR, by adding the new condition of “unambiguity”, requires a clear affirmative action. However, the express notion of “explicit” consent under GDPR could imply the existence of an “implicit” form of consent. The question is thus whether implicit consent could be considered a clear affirmative act. A negative answer to this question means that implicit consent cannot exist under GDPR, and the requirement of explicit consent in the two cases cited above would then be called into question. Otherwise, we can imagine that unambiguous consent can be either explicit or implicit, because the term “clear” does not necessarily mean “explicit”.
In contrast to the “explicit” form of consent, a “written” form of consent is not required for any special personal data processing. However, written consent is recommended to data controllers, as the burden of proof regarding the validity of consent is on the data controller. It is for the data controller, starting from the presumption of no consent or even no valid consent, to demonstrate that the data subject has given his or her consent in the expected way[9].
“Freely given consent”
According to Recital 42 GDPR, “consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” The Regulation provides some cases in which consent is not given freely. Consent is not presumed to be freely given when there is a “clear imbalance”[10] between the data subject and the controller, when it does not allow separate consent to be given to different personal data processing operations, or when the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.[11]
“Informed consent”
According to Recital 42 of GDPR, “for consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended”. This condition is crucial because it lets the data subject be aware of the processing of his or her personal data and of his or her rights regarding that processing. Even if the processing is not based on the consent of the data subject, the data subject must be informed of the existence of the processing in order to exercise his or her other rights related to the processing of personal data.
Issues related to the consent
Withdrawal of consent
Consent must be consistent throughout the processing of personal data. In this regard, “data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal”[12]. The data subject must be informed of this right prior to giving consent. Withdrawing consent must be as easy as giving it. Consequently, after withdrawal, personal data can no longer be processed until another legal basis is found. As for personal data already processed, the terms and conditions of the contract on the basis of which the data subject gave his or her consent could clarify the matter.
Consent and purpose of processing
Consent and special purposes
It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognized ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.[13]
Consent and multiple purposes or further processing
When the processing of personal data has multiple purposes, consent must be given for all of them[14]. The data subject must know why his or her personal data is being processed. In fact, each purpose must have a legal basis for processing. As consent to processing must be “specific”[15], the data controller cannot ask for open-ended consent to cover future processing.
Place of consent regarding the other legal bases of processing
Consent is a notion used in other fields of law, in particular contract law. There is an overlap between the conditions of validity of consent under the two fields of law, i.e. contract law and data protection law. Directive 95/46 does not address the general conditions of the validity of consent in a civil law context while not excluding them.[16] This approach toward the civil law context is more significant in GDPR, with its stricter consent regime.
Consent is used in Directive 95/46 and in GDPR both as a general ground for lawfulness[17] and as a specific ground in some specific contexts[18]. Moreover, under Article 8(2) of the Charter of Fundamental Rights of the European Union, “personal data can be processed on the bases of consent or other legal bases”. The fact that consent is expressly mentioned in this Article of the Charter implies that consent is an essential aspect of the fundamental right to the protection of personal data. Besides, the order in which the legal grounds are cited under Article 7 is relevant, but consent is not always the most appropriate ground. Even if consent is an important legal basis, the other five legal grounds[19] following consent are sometimes more relevant. Thus, only when consent is correctly used is it a tool giving the data subject control over the processing of his data[20]. Consent should not be seen as an exemption from the other data protection principles, but as a safeguard. It is primarily a ground for lawfulness, and it does not waive the application of other principles.[21]
Conclusion
When the processing of personal data is based on consent, the data subject has much more control over his or her personal data, “before” and “during” the processing. Before the processing, through informed consent, he or she is aware of what will happen to the personal data and why it will happen (the purpose of processing). During the processing, the data subject has, on the one hand, the right to withdraw his or her consent at any time. On the other hand, he or she can enjoy his or her rights under Chapter III of GDPR, i.e. the right to transparency, to access and to information concerning personal data, to rectification and erasure of personal data, to restriction of processing, to data portability and finally the right to object. Although these rights can be restricted in a proportionate way in order to safeguard national security, defense and public security[22], data subjects can exercise their rights more easily when processing is based on their consent. Under the other legal bases[23], the exercise of these rights could be challenged by the need to balance different interests, especially those of the data subject and the data controller. Even when the processing is based on consent, the exercise of the data subject’s rights is not free from the need for balance, but it would at least be less challenging[24].
Could this be interpreted to mean that consent is not a safe legal ground for the data controller, even if it is a truly protective legal basis for the data subject? The answer to this question depends on the context of processing, which could encourage data subjects to exercise their rights in order to protect their personal data. Indeed, if the processing does not create a risk for data subjects and keeps their confidence, there would be less concern for the data controller. Moreover, processing in which data subjects have an interest is less likely to be challenged by them.
[1] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[3] Rec 32 GDPR.
[4] “(..) including by electronic means (..)”: Rec 32 GDPR.
[5] Rec. 51, Art 9(2) (a) GDPR.
[6] Rec. 71, Art 22(2) (3) GDPR.
[7] Rec. 111, Art 49 (1) (a) GDPR.
[8] Rec. 33 Dir. 95/46.
[9] Art 7(1) GDPR.
[10] Where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation, Rec 43.
[11] Rec. 43; Art 7(4) GDPR.
[12] Art 7 (3); Art (13) (2) (3); art 14 (2) (d) GDPR.
[13] Rec. 33 GDPR.
[14] Rec. 32 GDPR.
[15] Art 4(11) GDPR.
[16] G29 Opinion 15/2011 on the definition of consent, 13 July 2011, n° 01197/11/EN, p.6.
[17] Art 7 Dir. 95/46; Art 6 GDPR.
[18] Art 8.2(a), Art 26.1(a), Dir. 95/46; Rec. 51, Art 9(2), Rec. 71, Art 22(2) (3), Rec. 111, Art 49 (1) (a) GDPR.
[19] G29 Opinion 15/2011 on the definition of consent, 13 July 2011, n° 01197/11/EN, p6: “Five other grounds following consent require a “necessity” test which strictly limits the context in which they can apply”.
[20] G29 Opinion 15/2011 on the definition of consent, 13 July 2011, n° 01197/11/EN, p6.
[21] Idem, p7.
[22] Art 23 (1) (a-c) GDPR.
[23] Art 6(1) (b-f) GDPR.
[24] The main approach of Directive 95/46 and GDPR is to strike a balance between, on the one hand, the free flow of information and, on the other hand, the right to protection of personal data: Art 1 Directive 95/46; Art 1 GDPR.