Chapter 8: Consent – Unlocking the EU General Data Protection Regulation

Under the GDPR, the position on this issue has materially changed (e.g., the GDPR has introduced a new obligation that did not previously exist).

Under the GDPR, the position on this issue has not materially changed (e.g., although the wording may be different in the GDPR, the nature of the relevant obligation is unchanged).

The impact of the GDPR on this issue is likely positive for most organisations (e.g., because the GDPR provides certainty in relation to a previously unclear issue).

The impact of the GDPR on this issue is likely neutral for most organisations (e.g., because the requirements under the GDPR and the Directive are essentially the same).

The impact of the GDPR on this issue is likely negative for most organisations (e.g., because the GDPR introduced a new obligation on organisations).

The impact of the GDPR on this issue is unknown at this stage (e.g., because the impact on organisations is dependent upon secondary guidance that has not yet been written).

The need for consent

All processing of personal data requires a legal basis (see Chapter 7). Consent provides one such legal basis.

Rec.30; Art.7(a)

In order for the processing of personal data to be lawful, the controller required either the consent of the data subject or another legal basis.

 Rec.40; Art.6(1); WP29 Guidelines on Consent under Regulation 2016/679 (wp259)

In order for the processing of personal data to be lawful, the controller requires either the consent of the data subject or another legal basis.

 The GDPR does not materially change the principle that consent may provide a legal basis for data processing activities. However, as set out below, the GDPR makes it significantly more difficult for organisations to obtain valid consent.

Nature of valid consent

The consent of the data subject provides a legal basis for the processing of that data subject's personal data. However, such consent must meet certain requirements in order to be deemed sufficient for the purposes of EU data protection law.

Art.2(h), 7(a)

"Consent" was defined under the Directive as any freely given specific and informed indication of the data subject's wishes by which the data subject signifies agreement to the processing of his or her personal data. Such consent provided a legal basis for the processing of personal data provided that it was "unambiguous".

 Rec.32; Art.4(11), 6(1)(a), 7

"Consent" means any freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of his or her personal data. Consent must be given by a statement or a clear affirmative action.

 The Directive only stated that the data subject must "signify" consent. The GDPR makes it clear that consent requires a clear affirmative action by the data subject. This may make it harder for some organisations to obtain valid consent than was the case under the Directive.

Consent must be "freely given"

Consent must reflect the data subject's genuine and free choice. If there is any element of compulsion, or undue pressure put upon the data subject, consent will not be valid.

N/A

Although the Directive stated that consent must be freely given (see Art.2(h) considered above), it did not clarify the meaning of this phrase.

 Rec.32, 43; Art.7(4)

Consent will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detriment.

Where there is a "clear imbalance" between the controller and the data subject (e.g., between an employer and an employee), consent is presumed not to have been freely given.

When assessing whether consent is freely given, utmost account must be taken of whether the performance of a contract is made conditional on the data subject consenting to processing activities that are not necessary for the performance of that contract.

 The Directive provided almost no guidance on the meaning of the phrase "freely given". Guidance from the WP29 (particularly in Opinion 15/2011 and the Guidelines on Consent under Regulation 2016/679 (wp259)) clarified many of these issues, but it is important to note that the WP29's guidance, while important, is not legally binding. The GDPR makes it significantly harder for organisations to demonstrate that the data subject's consent has been freely given. In particular:

• organisations must ensure that data subjects have a genuine choice;
• organisations should consider whether to rely on consent as a legal basis for processing the personal data of their own employees; and
• wherever possible, organisations should avoid making the performance of a contract conditional upon the data subject's consent to the processing of personal data.

Consent must be "specific"

Blanket consent that does not specify the exact purpose of the processing is not valid consent.

Art.2(h)

"Consent" had to be specific. The Directive did not explain this term further.

 Rec.32; Art.6(1)(a)

"Consent" must be specific. The GDPR does not explain this term further.

 The WP29 has clarified (in Opinion 15/2011) that, in order to be specific, consent must be intelligible. The controller must clearly and precisely explain the scope and the consequences of the data processing. Consent cannot apply to an open-ended set of processing activities—it must be limited to a specific context. This requirement did not materially change as a result of the introduction of the GDPR and this approach is also supported by guidance from the WP29 (in particular, the Guidelines on Consent under Regulation 2016/679 (wp259)).

Consent must be "informed"

In order for consent to be valid, data subjects must be provided with sufficient information to enable them to understand what they are consenting to.

Rec.25; Art.2(h)

Consent had to be "informed". The Directive did not explain this term further.

 Rec.32, 42; Art.4(11), 7(1)

Consent must be "informed". In order for consent to be informed:

• the nature of the processing should be explained in an intelligible and easily accessible form, using clear and plain language which does not contain unfair terms; and
• the data subject should be aware at least of the identity of the controller and the purposes for which the personal data will be processed.

 The GDPR requires organisations to take significant extra steps in order to ensure that data subjects are properly informed of the purposes for which their personal data will be used. If this information is not provided in line with these requirements, any "consent" obtained may not be valid. Guidance from the WP29 (in particular, the Guidelines on Consent under Regulation 2016/679 (wp259)) elaborates on the meaning of "informed" and provides a list of the elements which must be present for consent to be considered "informed".

Method of obtaining consent

EU data protection law does not specify the method by which consent should be obtained. An organisation may use any appropriate mechanism to obtain consent.

N/A

The Directive did not provide details on the methods that could be used to obtain valid consent.

 Rec.32

Consent must take the form of an affirmative action or statement. Consent can be provided by any appropriate method enabling a freely given, specific and informed indication of the data subject's wishes. For example, depending on the circumstances, valid consent could be provided verbally, in writing, by ticking a box on a web page, by choosing technical settings in an app, or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data.
 

 The GDPR specifically recognises the validity of a number of commonly used methods of collecting consent, and affirms the principle that any appropriate method can be used. Organisations should give careful thought to ensuring that their consent mechanisms are appropriate to the nature of the consent being sought.

Silence is not consent

Acquiescence is not the same thing as consent. The fact that a data subject says nothing when given the opportunity to object, or fails to opt-out or unsubscribe, will not amount to valid consent.

N/A

The Directive did not explicitly make the point that silence cannot be consent.

 Rec. 32

Silence, pre-ticked boxes, inactivity, failure to opt-out, or passive acquiescence do not constitute valid consent.

 The Directive did not specifically state that silence and inactivity cannot amount to consent. Subsequent guidance from the WP29 (particularly in Opinion 15/2011) clarified this point. To the extent that there had been any doubt, the GDPR makes the point extremely clear. This is also reflected in the WP29 Guidelines on Consent under Regulation 2016/679 (wp259). Organisations should ensure that they do not rely on silence or inactivity as consent.

​​​​Consent must be distinguishable from other matters

A data subject's consent to the processing of his or her personal data should not be tied to other matters.

N/A

The Directive did not explicitly discuss the need to separate consent from other matters.

 Art.7(2)

If consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. If the data subject is asked to consent to something that is inconsistent with the requirements of the GDPR, that consent will not be binding.

 The Directive did not specifically address the requirement to separate consent from other matters. Subsequent guidance from the WP29 (particularly in Opinion 15/2011) clarified this point. To the extent that there had been any doubt, the GDPR makes the point extremely clear, emphasising its importance by stating that consent language that is inconsistent with the requirements of the GDPR is non-binding. Organisations should ensure that consent to the processing of personal data is always clearly distinguished from other matters (e.g., consent is not wrapped up as part of a wider set of terms and conditions). The need for consent to be separate from other matters and not "bundled" with terms and conditions is emphasised in the WP29 Guidelines on Consent under Regulation 2016/679 (wp259).

The controller must be able to demonstrate consent

There is clearly potential for disagreements as to whether or not a data subject actually consented to the processing of his or her personal data.

N/A

The Directive did not directly address the obligation of controllers to maintain evidence of consent obtained from data subjects.

 Rec.42; Art.7(1)

Where any processing activity is performed on the basis of consent, the controller must be able to demonstrate that it has obtained valid consent from the affected data subjects.

 Although it has always been advisable for controllers to retain evidence of consent, the Directive did not specifically require controllers to do so. The GDPR places the burden of proof squarely on the controller, which may result in increased costs and administrative burdens for some organisations. The WP29 Guidelines on Consent under Regulation 2016/679 (wp259) clarify this requirement and emphasises that being able to demonstrate consent should not lead to excessive amounts of additional processing.

Right of data subjects to withdraw consent

Consent, by its nature, must be capable of being withdrawn. If the controller does not permit the data subject to withdraw consent then it is unlikely that the consent is valid. However, the right of data subjects to withdraw consent is not retrospective (i.e., data subjects cannot withdraw consent to processing that has already happened).

N/A

The Directive did not specifically address the issue of withdrawal of consent.

 Rec.42, 65; Art.7(3)

Data subjects have the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject must be informed of the right to withdraw consent. It must be as easy to withdraw consent as to give it.

 Although the Directive did not expressly state that there is a right to withdraw consent, this right was implied from the nature of consent, and has generally been enforced by DPAs. The GDPR formalises this right, but also obliges organisations to make it easy for individuals to withdraw consent, which may require businesses to create new systems and procedures to satisfy this requirement. The WP29 Guidelines on Consent under Regulation 2016/679 (wp259) clarify this requirement and emphasise that once consent is withdrawn, organisations cannot silently migrate to another legal basis to continue processing the relevant personal data. It is also stressed that withdrawal of consent should be without detriment to the individual.

Consent can provide a lawful data transfer mechanism

If the data subject has consented to the transfer of his or her personal data to a jurisdiction outside the EEA, that consent provides a lawful data transfer mechanism (see Chapter 13).

Rec.58

Cross-Border Data Transfers could lawfully be made on the basis of the data subject's consent.

 Rec.111; Art.49(1)(a), (3)

In the absence of other safeguards, transfers may take place if the data subject has explicitly consented to the transfer, having previously been informed of its possible risks. This does not apply to public authorities in the exercise of their powers.

 The GDPR does not materially change the principle that consent may provide a lawful data transfer mechanism, but it explicitly names it as a legal basis for Cross-Border Data Transfers.

Impact of the GDPR on existing consent

The GDPR imposes new requirements in relation to consent. Any existing consents that are valid under the Directive, but do not satisfy the requirements of the GDPR, will have to be re-obtained.

N/A

The Directive did not address this issue.

 Rec.171

Where an organisation has already collected consent from data subjects (prior to the GDPR Effective Date) it is not necessary to collect that consent a second time in consequence of the GDPR, provided that the initial consent was compliant with the requirements of the GDPR.

 In some cases, organisations may be able to rely on consents collected under the Directive. However, in many cases, historic consents will not be compliant with the requirements of the GDPR, and in such cases it will be necessary to collect fresh consents. For some organisations, this will be an onerous task.