UK Information Privacy Commissioner releases comprehensive guide for lawful basis for processing data under the General Data Protection Regulation
May 14, 2018
The issue of consent is very significant under all data protection acts, not least the Australian Privacy Act 1988. The UK Information Commissioner's Office (ICO) has released its guidance on consent. While it is directly applicable to the obligations under the General Data Protection Regulation (the GDPR), its contents will be of use in the Australian context. Issues relating to consent are common across jurisdictions, and the UK Information Commissioner's guidance documents are generally much more comprehensive than the Australian Commissioner's. The guidance relating to consent is no exception.
The ICO guidance highlights:
- new record-keeping duties that require organisations to document the consent they obtain;
- rules that require consent requests to be displayed clearly and prominently to data subjects;
- new rights for data subjects to withdraw their consent at any time;
- rules that prohibit businesses from requiring consumers' consent as a condition of a contract;
- that organisations relying on consent will be responsible for respecting the rights of individuals that the GDPR ties to that basis of processing, such as individuals' qualified right to require the erasure of data about them and the right to data portability;
- that consent will not always be 'the most appropriate or easiest' lawful basis on which to rely for processing personal data;
- that organisations may need to consider alternatives to consent where the law permits data processing without it.
The general summary in the guidance provides:
Is this a big change?
The basic concept of consent, and its main role as one potential lawful basis (or condition) for processing, is not new. The definition and role of consent remains similar to that under the Data Protection Act 1998 (the 1998 Act). However, the GDPR builds on the 1998 Act standard of consent in several areas. It contains much more detail and codifies existing European guidance and good practice.
The GDPR sets a high standard for consent, but the biggest change is what this means in practice for consent mechanisms. You need clear and more granular opt-in methods, good records of consent, and simple easy-to-access ways for people to withdraw consent.
The changes reflect a more dynamic idea of consent: consent as an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away.
What’s different about the standard of consent?
The definition of consent in Article 4(11) of the GDPR is similar to the old Data Protection Directive definition, but adds some detail on how consent must be given:
DP Directive definition: “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
GDPR definition: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
So the key elements of the consent definition remain – it must be freely given, specific, informed, and there must be an indication signifying agreement. However, the GDPR is clearer that the indication must be unambiguous and involve a clear affirmative action.
However, this definition is only the starting point for the GDPR standard of consent. Several new provisions on consent contain more detailed requirements. In particular, Article 7 sets out various conditions for consent, with specific provisions on keeping records of consent, clarity and prominence of consent requests, the right to withdraw consent, and avoiding making consent a condition of a contract. Recitals 32, 42 and 43 also give more specific guidance on the various elements of the definition.
In essence, there is a greater emphasis in the GDPR on individuals having clear distinct (‘granular’) choices upfront and ongoing control over their consent.
What else is new?
There are also specific new provisions on children’s consent for online services, and consent for scientific research purposes.
Consent can also legitimise processing that has been restricted. Explicit consent can legitimise automated decision-making, including profiling.
If you rely on consent, this will also affect individuals’ rights. People will generally have stronger rights when processing is based on consent – for example, the right to erasure (also known as ‘the right to be forgotten’) and the right to data portability.
The GDPR also brings in new accountability and transparency requirements. In particular, you must now inform people upfront about your lawful basis for processing their personal data. You need to tell people clearly what you do with their consent, and whether you do anything else on a different lawful basis. If you know you will need to retain the data after consent is withdrawn for a particular purpose under another lawful basis, you need to tell them this from the start.
What are the key changes to make in practice?
You need to review your consent mechanisms to make sure they meet the GDPR requirements on being specific, granular, clear, prominent, opt-in, documented and easily withdrawn. The key new points are as follows:
- Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Active opt-in: pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (eg a binary choice given equal prominence).
- Granular: give distinct options to consent separately to different types of processing wherever appropriate.
- Named: name your organisation and any other third party controllers who will be relying on the consent. If you are relying on consent obtained by someone else, ensure that you were specifically named in the consent request – categories of third-party organisations will not be enough to give valid consent under the GDPR.
- Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
- Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you need to have simple and effective withdrawal mechanisms in place.
- No imbalance in the relationship: consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis where possible.
See ‘How do we obtain, record and manage consent?’ and the consent checklist for more detail.