WP29 Issues New Guidelines on Consent
On 12 December 2017, the Article 29 Working Party finally published its long-awaited draft guidelines on consent under the GDPR. They confirm that the GDPR codifies for the most part the previous WP29 guidance and general good practice on the topic (including opinion 15/2011.) This means that aspects of these draft guidelines may resonate with organisations already familiar with the previous guidance.
The WP29 also gives guidance and best practice recommendations for newer requirements, such as on how to demonstrate or withdraw consent. Importantly, the WP29 expressly states that if consent is not validly obtained, the data processing activity will be unlawful, and the controller will be considered in breach of article 6 GDPR (lack of legal basis).
The content of the draft guidelines can be summarized as follows.
1. Conditions for valid consent
Imbalance of Power: Apart for some new examples, the draft guidelines do not provide much new information on this aspect, as they simply confirm that an imbalance of power between the individual and the controller (e.g., a public authority or an employer) means that the consent will, as a rule, not be free, except in exceptional circumstances.
Conditionality: The draft guidelines give some highly anticipated guidance on how to interpret article 7(4) GDPR (which states that, when assessing if consent is freely given, “utmost account” need to be taken of whether the performance of a contract/service is conditional on consenting to a data processing that is not necessary for that contract/service). The WP29 confirms that bundling consent in such a way is “highly undesirable,” but it also confirms that this only creates a presumption of invalid consent. In exceptional circumstances, the controller could still be able to establish that consent is free, despite it being tied to performance of a contract/service. This would be the case if, for example, individuals were offered an alternative service that does not involve data processing beyond what is necessary for the service, provided that it is genuinely equivalent to the other service (the one that is bundled with a consent for data processing).
Granularity: The WP29 also stresses the importance of asking individuals for separate consent when separate processing activities are at stake. Granularity is key to ensure that consent is freely given.
The WP29 indicates that “specific” consent requires specific and limited purposes that are clearly defined in advance, separate consents for each distinct purpose (granularity is key to meet this requirement as well), and a tailored information for each consent request.
The WP29 also expressly warns controllers against the phenomenon known as “function creep,” e.g. gradual, behind the scenes, widening or blurring of the purpose to which the individual has initially consented to, which is illegal.
What Needs to be Communicated: According to the WP29, individuals should be informed (at least) of the identity of the controller(s) (but not the processors), the purpose(s) of the processing, the type of data collected, the existence of the right to withdraw (and as a good practice, how to exercise that right), the risk of transferring data to third countries when no adequacy decision or appropriate safeguards cover such transfer (if applicable), and about solely automated processing (if applicable).
Communicating the Information: The WP29 reiterates the need to ensure that the consent request is clearly understandable, for example, by avoiding legal jargon and adapting the terminology to the audience. As to how to achieve this in practice, one of the WP29 examples mentions the use of a test panel to evaluate and score consent wordings based on their level of clarity and understandability. The WP29 also states that consent information should not be hidden in terms and conditions, but instead should either clearly stand out from the document or be communicated in a separate one. In the digital context, organisations should consider using layered notices and granular information.
Unambiguous Indication of Wishes
The GDPR recitals already contained practical examples of “clear affirmative acts,” but the draft guidelines now provide additional ones in particular in the online context. Physical motions such as swiping a screen, waiving in front of a smart camera, or turning a smartphone around would, according to the WP29, all satisfy the requirement, so long as it is clear for individuals that making that move signifies agreement.
The WP29 also raises concerns about “click fatigue,” e.g. the phenomenon by which, when consent is sought too many times, the actual warning effect of the consent mechanism diminishes, but defers to the controllers the task of developing ways to tackle this problem (the WP29 mentions browser settings as a possible solution).
2. Explicit consent
Definition: The WP29 recognises that the GDPR imposes a higher standard for “regular consent” than under the Directive, but also confirms that additional efforts need to be made when “explicit consent” is required (e.g. for sensitive data, automated individual decision making, and data transfers). The draft guidelines provide that “explicit” refers to the way consent is presented to individuals and requires and express statement.
In Practice: While the WP29 recognises that the most common way of collecting explicit consent is by a written and signed statement from the individual, it also confirms that other ways exist, such as sending an email, uploading a scanned copy of a written statement, or using a digital signature.
The WP29 also recommends using a two-stage verification process as a way to make sure that a valid explicit consent is obtained (e.g. asking the individual to respond to an email stating “I agree,” and then sending him a second verification link by email or SMS to confirm agreement, also known as double opt-in).
3. Demonstrating Consent
Overall, the draft guidelines give some discretion to controllers on how to maintain evidence of consents, but warn them that their chosen mechanism should not lead to excessive amounts of additional data processing.
What Needs to be Recorded: The WP29 recommends that consent records contain information about how consent was obtained, when it was obtained, and what information was provided to the individual at the time. For instance, in the online context, a controller could retain information about the session in which consent was obtained. Merely keeping a record of the configuration of the website would not be sufficient.
When to Delete Records: The obligation to demonstrate consent exists for as long as the data processing activity lasts. Once the processing activity has ended, the WP29 states that the proofs of consent should only be kept to the extent necessary to comply with a legal obligation or for legal claims. Once no longer necessary for these purposes, the proofs of consent should be deleted.
4. Renewing Consent
While the GDPR remains silent on this aspect, the WP29 considers that consent will only last for a certain amount of time, depending on the context and the individuals’ expectations.
Of course, when a new processing takes place, or when an aspect of a current processing changes, the controller would have to seek new consent to cover this new/updated processing. But even in the absence of any change, the WP29 recommends, as a best practice, to refresh consents at regular intervals.
5. Withdrawing consent
Means of Withdrawal: The WP29 here clarifies a point of discussion by stating that the GDPR only requires that the means to withdraw consent be “as easy as” the one used to consent. It does not require that the means to consent and to withdraw be the same ones. In practice, however, the means may have to be the same in some circumstances (e.g. when consent is collected via a user interface, individuals should be able to withdraw consent through that same user interface).
Effect of Withdrawal: the WP29 emphasises on the fact that once consent is withdrawn, the controller must stop the processing and either delete or anonymise the data (unless another legal basis justifies the processing of the data). The controllers cannot continue the same processing activity once the consent has been withdrawn by silently migrating to another legal basis.
6. Children’s Consent
On children’s consent, the WP29 seems to have adopted a quite reasonable position, giving practical guidance and examples that take into account the early stage of the technology when it comes to age and identity verification mechanisms.
For instance, the WP29 confirms that indicating on a website that it is not directed to individuals under 18 years old would be sufficient to avoid article 8 (in the absence of contradictory evidence).
The WP29 also adopts a risk-based approach, asking for age and parental authority verification mechanisms to be proportionate to the risks associated to the processing. For instance, in low-risk situations, the controller could simply ask the children to confirm their year of birth, while parental authority verification could simply be done via email. In high-risk situations, more complex mechanisms should be used, such as trusted third party.
Whichever technique the controller wishes to use, it must however always prioritise means that collect the least amount of data (data minimisation,) and keep its processes and technology developments under constant review.
7. Scientific Research Exception
Recital 33 introduces a more flexible approach when consent is sought in the context of scientific research as it allows consent for “areas” of research. While researchers may have seen this recital with an optimistic eye, the WP29 position may curb their enthusiasm. The draft guidelines indeed provide that this exception will be subject to strict interpretation and to a high degree of scrutiny. Besides, when this exception applies, researchers remain obliged to regularly inform individuals of the development of their purposes as they get clarified in the course of the research.
8. Relationship With Other Article 6 Legal Bases
The WP29 clarifies in these draft guidelines that a processing activity cannot be justified by multiple legal bases. It is therefore crucial for controllers to clearly identify which legal basis is the most appropriate for their processing activities in advance. In relation to consent, this means that the old practice consisting in collecting consent while at the same time relying on a second legal basis as a “backup” (in case consent would not be valid or would be withdraw,) is no longer acceptable.
9. Pre-GDPR Consents
The WP29 reiterates the content of recital 171, namely that only pre-GDPR consents that are in line with the new GDPR requirements and that can be demonstrated need not to be renewed. In other instances, the controller should first reassess which legal basis is the most appropriate to justify the processing, and, if consent remains the first choice, then renew it in line with the new requirements.
10. Relationship with ePrivacy Consent
Lastly, the draft guidelines also confirm that the GDPR consent requirements will apply to ePrivacy consent as of 25 May.
Interestingly, the WP29 refers in these guidelines to the ePrivacy Directive “in case the ePrivacy Regulation would not (yet) be in force as from 25 May 2018,” which implies that the objective to have the new ePrivacy legal framework finalised by the same date as the entry into effect of the GDPR remains on the table. Whether or not this can be done remains to be seen.
The draft guidelines are open for consultation until 23 January 2018.
How OneTrust Helps
OneTrust offers a Consent Management module that works in tandem with the complete privacy management software platform. Email email@example.com to learn more about OneTrust’s Universal Consent and Enterprise Management tool, and stay ahead of GDPR and ePrivacy regulations.