Detailed guidance on consent under GDPR
At the beginning of May 2020, the European Data Protection Board (formerly the Article 29 Working Party) issued new guidelines on obtaining and proving consent with personal data processing from data subjects, supplementing the existing Article 29 Working Party opinions on consent, which remain relevant to the extent that they are consistent with the General Data Protection Regulation (GDPR).
Consent is one of the six possible legal bases for personal data processing. Under the GDPR, consent is understood to be a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to them.
The EDPB emphasises that consent that is really freely given may not be conditional on the provision of access to contractual performance. Consent that cannot be treated as freely given is, e.g., a mobile app for photo editing requiring for its proper functioning that users activate their GPS tracking device and give their consent with personal data processing for marketing purposes. GPS tracking and personal data processing for marketing purposes are not essential functions for the operation of the given application. Similarly, consent may not be included in general terms and conditions whose wording cannot generally be affected by the customer in any way.
Personal data processing is possible only based on a data subject’s unambiguous expression of will indicating that the data subject agrees with processing to a given extent. Such an expression of will can be demonstrated by ticking the ‘I agree’ box or by swiping a bar on a touch screen if it is clear that the motion in question signifies agreement to a specific request. The EDPB also draws attention to the fact that e.g. the scrolling down through a website cannot be considered as giving consent, since such an activity would be hard to distinguish from a user’s regular activities. Furthermore, in such a case, it would be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it, which is one of the requirements stipulated by the GDPR.
The EDPB also points out that consent must be properly informed, i.e. the data subject must be aware of the scope and the purpose for which processing will be carried out as well as of the manner in which the subject may withdraw their consent. GDPR does not prescribe a specific form to fulfil this information duty, so it may involve oral or written notifications, or audio or audio-visual messages. Personal data controllers must ensure that the provided information be comprehensible for an average individual and not just lawyers. The EDPB explicitly states that the information should be free of any legal jargon.
The EDPB also dealt with the imbalance of powers in personal data processing. It does not recommend processing personal data based on consent e.g. in the context of labour-law/employment relationships, as employers can hardly prove that consent has been given by employees freely and without fear that their refusal may have repercussions. The EDPB summarises that processing based on consent is not unfeasible in such cases, but is very problematic and should thus occur only in exceptional cases.
The guidance also discusses other specific cases, such as when it is necessary to obtain explicit consent, the issue of processing of the personal data of minors, or processing for research purposes.