The Scotsman

Data collection just got a little trickier

The new rules on data protection mean specific conditions on consent must be met, says Fiona Killen


If data controllers, such as companies or public authorities, wish to process personal data, they must meet the requirements of the Data Protection Act 1998 (DPA), including ensuring they have a legal basis for that processing. One of the legal conditions often relied upon for processing personal data under the DPA is the condition of consent, ie that an individual has agreed to the processing in question.

On 25 May 2018, the DPA will be replaced by the new EU General Data Protection Regulation (GDPR). Whilst obtaining consent under the DPA may have appeared to be relatively straightforward, the specific conditions contained in the GDPR for obtaining consent to process an individual’s personal data underline the complexities that arise in ensuring that such consent is valid. Article 4 of the GDPR requires that, for an individual to truly consent to the processing of their personal data, their agreement to that processing means: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

This definition of consent brings some new requirements, including the requirement that consent must be unambiguous and signified by a statement or by a clear affirmative action. If an indication of consent leaves any doubt as to what data processing a person has consented to, it will fall short of the requirement for unambiguous consent. Data controllers seeking consent for processing personal data for multiple purposes should therefore use layered consent mechanisms, giving individuals the opportunity to clearly indicate whether or not they consent to each purpose. The requirement for consent to be signified by a statement or a clear affirmative action means it will not be enough for data controllers to rely on silence, opt-out boxes, pre-ticked opt-in boxes or inaction by an individual.

Draft guidance published by the UK Information Commissioner in March 2017 looked at the requirements for valid consent and consent mechanisms under the GDPR. It noted that consent mechanisms must be kept separate from other terms and conditions of service and that consent should not be used as a pre-condition for signing up to a particular service, unless such consent is necessary for delivery of that service. Individuals should be given “granular options to consent” so that they can consider whether to give consent separately to different types of processing. Consent mechanisms should specifically name the data controller and the third parties who will rely on that consent as a legal condition, rather than just categories of third parties.

Because of the new data protection principle of ‘accountability’ introduced in Article 5 of the GDPR, data controllers must not only obtain valid consent but must also retain sufficient records to demonstrate what a person has consented to and how and when they consented. Data controllers must also tell individuals they can withdraw consent at any time and make it as easy to withdraw consent as to give it. In preparation for the GDPR coming into effect in May 2018, data controllers should consider not only whether their mechanisms for giving consent are GDPR compliant, but also whether their consent withdrawal mechanisms meet the new requirements.
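The conditions set out above (granular, per-purpose consent; a clear affirmative action rather than silence or a pre-ticked box; consent kept separate from terms and conditions; a named controller and named third parties; a record of what, how and when; and withdrawal that is as easy as giving consent) are what a consent ledger has to enforce. The following is an added example written for this page, not code from The Scotsman or from any regulator's guidance; the controller name, purposes, partner name and indication labels are constructed for illustration.

```python
"""Consent ledger enforcing the GDPR consent conditions discussed in the column.

Constructed example: names, purposes and indication labels are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Indications that do NOT amount to a "clear affirmative action" (Article 4):
# silence, inaction, opt-out boxes and pre-ticked opt-in boxes.
NON_AFFIRMATIVE = {"silence", "inaction", "opt_out_box", "pre_ticked_opt_in"}


class InvalidConsent(ValueError):
    """Raised when a requested consent fails one of the validity conditions."""


def check_conditions(controller: str, purposes: List[str], indication: str,
                     separate_from_terms: bool) -> List[str]:
    """Return the list of conditions the request fails (empty means valid)."""
    problems = []
    if not controller.strip():
        problems.append("controller must be named")
    if not purposes:
        problems.append("at least one specific purpose is required")
    if indication in NON_AFFIRMATIVE:
        problems.append(f"'{indication}' is not a clear affirmative action")
    if not separate_from_terms:
        problems.append("consent must not be bundled with terms and conditions")
    return problems


@dataclass
class ConsentRecord:
    """One purpose per record, so consent is granular and separately withdrawable."""
    subject_id: str
    controller: str            # named data controller
    purpose: str               # a single, specific processing purpose
    third_parties: List[str]   # named third parties, not categories
    indication: str            # how consent was signified, e.g. "checkbox_ticked"
    given_at: datetime         # when it was given (accountability record)
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Accountability store: what was consented to, how, and when."""

    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def give(self, subject_id: str, controller: str, purposes: Iterable[str],
             third_parties: Iterable[str], indication: str,
             separate_from_terms: bool) -> List[ConsentRecord]:
        purposes = list(purposes)
        problems = check_conditions(controller, purposes, indication, separate_from_terms)
        if problems:
            raise InvalidConsent("; ".join(problems))
        now = datetime.now(timezone.utc)
        made = []
        for purpose in purposes:  # layered consent: one record per purpose
            rec = ConsentRecord(subject_id, controller, purpose,
                                list(third_parties), indication, now)
            self._records.setdefault(subject_id, []).append(rec)
            made.append(rec)
        return made

    def withdraw(self, subject_id: str, purpose: str) -> int:
        """A single call, i.e. no harder than giving consent. Returns records withdrawn."""
        now = datetime.now(timezone.utc)
        count = 0
        for rec in self._records.get(subject_id, []):
            if rec.purpose == purpose and rec.active:
                rec.withdrawn_at = now
                count += 1
        return count

    def consented(self, subject_id: str, purpose: str) -> bool:
        """True only while an active (not withdrawn) record exists for that purpose."""
        return any(r.purpose == purpose and r.active
                   for r in self._records.get(subject_id, []))

    def evidence(self, subject_id: str) -> List[dict]:
        """The demonstrable record of what, how and when, including withdrawals."""
        return [{"purpose": r.purpose, "controller": r.controller,
                 "third_parties": r.third_parties, "indication": r.indication,
                 "given_at": r.given_at.isoformat(),
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in self._records.get(subject_id, [])]


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.give("subject-1", "Example Ltd", ["marketing", "analytics"],
                ["Partner A Ltd"], "checkbox_ticked", separate_from_terms=True)
    ledger.withdraw("subject-1", "marketing")
    for row in ledger.evidence("subject-1"):
        print(row)
```

The ledger refuses the indications the column lists as insufficient and refuses consent bundled into terms and conditions, but it cannot tell whether a third-party name is really a category rather than a named party, nor whether a refusal carried an adverse consequence; those remain human review points.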

Overall, for consent to be freely given, the GDPR requires that there must be no power imbalance in the relationship between a data controller and an individual, for example between employers and employees and between public authorities and individuals, and there must also be no adverse consequence for an individual if they refuse to give consent; otherwise the ‘consent’ will be invalid.
