The Information Commissioner (ICO) has published for consultation draft guidance on its interpretation of "consent" under the General Data Protection Regulation (GDPR). The consultation is open until 31 March 2017.
Consent is one of the grounds for lawfully processing personal data under the current Data Protection Act. However, it is a concept that frequently confuses people. For example, many organisations appear to ask for consent when they already have a lawful basis for processing. An individual does not need to "consent" to a fair processing notice if the notice does not set out any processing that relies upon consent. Yet the very act of asking for consent when it is not required could mislead the individual into thinking that they can prevent the processing by withdrawing the consent.
Consent can also be particularly problematic when it is arguable that the individual is not in a position to freely give consent (for example, in an employer/employee relationship).
Under the GDPR, the concept of consent is being strengthened, with a number of new rules, requiring organisations to provide more transparency.
The ICO's draft guidance seeks to help organisations better understand the concept of consent by bringing together the extended requirements for consent under the GDPR with some practical examples of when the ICO considers that consent is or is not valid. The consultation seeks feedback on whether the guidance is clear and easy to understand and includes the right level of detail.
What's changing under the GDPR?
The GDPR introduces a number of new requirements in relation to consent. In addition to the existing requirement that consent is freely given, specific and informed, consent must now be "unambiguous" and given "by a statement or clear affirmative action." The GDPR also goes on to set out a number of other requirements.
Key changes include:
- Unbundled - consent should be set out separately from the acceptance of other terms and conditions
- Active opt-in - organisations must use unticked boxes or similar. Pre-ticked boxes or requirements to opt out will be invalid
- Granular - separate consent should be sought for different types of processing
- Named - each party relying on the consent needs to be clearly identified. The ICO's view is that "even precisely defined categories of third party organisations" will not be sufficient
- Documented - organisations need to keep records showing what an individual was told, what they consented to and when and how consent was given
- Easy to withdraw - it must be as easy to withdraw consent as it is to give it. Individuals need to be told that they have the right to withdraw consent.
- No imbalance - the GDPR states that organisations cannot rely upon consent where there is an imbalance in the relationship. Consent may be particularly difficult for public authorities and employers.
The draft guidance provides a detailed overview of the ICO's expectations in relation to each of these points.
Do I need to "re-paper" my existing consents?
In all likelihood, yes.
The ICO's view is that there is no express requirement for organisations to seek fresh consent from individuals upon the GDPR coming into force, provided that the organisation is comfortable that the consent it has obtained complies with the requirements of the GDPR. If it does not, then fresh consent will be required.
The biggest issue here is likely to be that many organisations simply don't hold detailed enough records to show that they have obtained GDPR-compliant consent from individuals. Given the stronger rules introduced by the GDPR (in particular in relation to things like granularity and transparency), it is likely that many organisations will need to ensure that they refresh their consents in advance of May 2018.
What the draft guidance doesn't cover is how that re-papering exercise should be carried out. Hopefully the finalised version will provide some guidance on that process.
What about sensitive personal data?
The GDPR requires that consent for processing sensitive personal data is "explicit." Explicit consent is also one of the gateways to carrying out automated decision-making.
Given the new rules on consent generally, the ICO's high level guide to the GDPR acknowledged that it was "not clear" what more was required where consent must be explicit.
The ICO's guidance attempts to explain the difference between ordinary consent and explicit consent. For the latter, the ICO's view is that explicit consent cannot be implied from a person's actions. There must be a clear, affirmative statement - for example, ticking a box next to a clear statement such as "I consent to..."
In contrast, the ICO's view is that consent can be implied for non-sensitive personal data provided that there is some clear and unambiguous act. Examples include leaving a business card to enter a prize draw, or entering an email address above a statement saying that the email address will be used to provide details of special offers (which the guidance says is "arguably still implied rather than explicit").
It remains to be seen whether this area of the guidance is further refined. Meantime, organisations that need explicit consent for processing should ensure that consent is based on a clear statement.
Is there anything else to be aware of?
Consent needs to provide individuals with a genuine choice. The ICO's view is that consent cannot be a precondition of a service. If it is, then the individual's consent is unlikely to be freely given. Instead, look at other grounds for processing - for example, that the processing is necessary for the performance of a contract, or it is in the organisation's legitimate interests.
As noted above, consent is not available where there is an imbalance between the organisation and the individual, with the GDPR making specific reference to public authorities. Public authorities will also be losing the ability to rely upon the legitimate interests test, which means that they will need to think very carefully about the lawful basis for their processing.
Special rules apply in relation to consent from children to use information society services (i.e. websites and apps). If consent is required, then it will need to be provided by a parent or guardian if the child is under 16 (or 13, if the UK opts to apply a lower age). The ICO will be issuing further guidance on age verification and parental authorisation.
Finally, consent needs to be kept under review. It should not be viewed as a one-off activity. In certain situations, it may be necessary to seek fresh consent, depending on the scope of the consent and the individual's expectations.
Next steps
Whilst the ICO's guidance has been published in draft form, it is unlikely to change much before it is finalised.
Organisations should therefore start looking at their existing consents and work out whether consent is the most appropriate basis for the processing, whether the consents need to be refreshed and, if so, what form the new consent takes and how the "re-papering" exercise is carried out. This will require organisations to look not just at their electronic consents, but also at their historic, paper-based consents. That is no small task.
If you would like to discuss the ICO's draft guidance or how your organisation should prepare for the GDPR, please visit our GDPR Hub or get in touch.