If data controllers, such as companies or public authorities, wish to process personal data, they must meet the requirements of the Data Protection Act 1998 (DPA), including ensuring they have a legal basis for that processing.
One of the legal conditions often relied upon for processing personal data under the DPA is the condition of consent, i.e. that an individual has agreed to the processing in question.
On 25 May 2018, the DPA will be replaced by the new EU General Data Protection Regulation (GDPR). Whilst obtaining consent under the DPA may have appeared to be relatively straightforward, the specific conditions contained in the GDPR for obtaining consent to process an individual’s personal data underline the complexities that arise in ensuring that such consent is valid. Article 4 of the GDPR requires that, for an individual to truly consent to the processing of their personal data, their agreement to that processing means: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Processing personal data without valid consent under the GDPR may incur more substantial penalties than at present.
This definition of consent brings some new requirements, including the requirement that consent must be unambiguous and signified by a statement or by a clear affirmative action. If an indication of consent leaves any doubt as to what data processing a person has consented to, it will fall short of the requirement for unambiguous consent. Data controllers seeking consent for processing personal data for multiple purposes should therefore use layered consent mechanisms, giving individuals the opportunity to clearly indicate whether or not they consent to each purpose. The requirement for consent to be signified by a statement or a clear affirmative action means it will not be enough for data controllers to rely on silence, opt-out boxes, pre-ticked opt-in boxes or inaction by an individual.
Draft guidance published by the UK Information Commissioner in March 2017 looked at the requirements for valid consent and consent mechanisms under the GDPR. It noted that consent mechanisms must be kept separate from other terms and conditions of service and that consent should not be used as a pre-condition for signing up to a particular service, unless such consent is necessary for delivery of that service. Individuals should be given “granular options to consent” so that they can consider whether to give consent separately to different types of processing. Consent mechanisms should specifically name the data controller and third parties who will rely on that consent as a legal condition, rather than just categories of third parties.
Because of the new data protection principle of ‘accountability’ introduced in Article 5 of the GDPR, data controllers must not only obtain valid consent, they must also retain sufficient records to demonstrate what a person has consented to and how and when they consented. Data controllers must also tell individuals that they can withdraw consent at any time and make it as easy to withdraw consent as to give it. In preparation for the GDPR coming into effect in May 2018, data controllers should consider not only whether their mechanisms for giving consent are GDPR compliant, but also whether their consent withdrawal mechanisms meet the new requirements.
Overall, for consent to be freely given, the GDPR requires that there must be no power imbalance in the relationship between a data controller and an individual, for example, between employers and employees and between public authorities and individuals, and there must also be no adverse consequence for an individual if they refuse to give consent, otherwise the ‘consent’ will be invalid.
Many data controllers will already be processing a large amount of personal data, relying on consent in order to meet a legal condition under the DPA. In preparation for the GDPR, data controllers should not only review their mechanisms for giving and withdrawing consent, but also review their records of consents for processing, where they intend to carry on such processing under the GDPR. If existing consents meet the requirements of the GDPR, data controllers can continue to rely upon them for the purposes of processing and do not need to go back to individuals to obtain a GDPR-compliant consent.
However, if current consents do not meet GDPR requirements come May 2018, data controllers must either find another legal condition in the GDPR for that processing, obtain new GDPR-compliant consents or cease the processing of the personal data in question. If data controllers continue to process personal data without valid consent and without meeting any other legal condition, they run the risk of breaching trust, suffering reputational damage and incurring financial penalties under a more substantial fine structure than currently exists under the DPA.