Are you using the correct condition for processing data? Updated guidance on Consent.
Updated advice concerning guidelines 05/2020 V1.0 under Regulation 2016/679
Guidance published on the 4th May 2020
Updated guidance on the use of Consent - European Data Protection Board
This advice update is solely focused on the guidance issued on the 4th May by the European Data Protection Board (EDPB). The board comprises representatives from each EU country, making its guidance and opinion of the utmost importance. Much of the guidance remains unchanged and is therefore in line with our current practices. However, in our opinion, there are a number of important aspects of consent that are now less open to interpretation.
The European Data Protection Board (EDPB) has, in the last few days, updated its guidance on the use of consent as a condition for processing data. I have highlighted the most important aspects here and attached the full document for your consideration.
The document is a reaffirming statement on the use of consent and removes almost all doubt about when and how consent should be used, including detail of subsequent processing activities should consent be withdrawn. There are several sections that may be of concern relating to older data. Unfortunately, this guidance removes much of the pragmatic approach we may have applied in the past, replacing it with a series of stricter and more inflexible interpretations. On the basis of this guidance, we may need to plan to make some changes to our processing methods and consider other conditions that may prove to be more applicable in certain circumstances.
1. Clarification of ‘scrolling’. When individuals scroll through a website or pages of a website, the EDPB has clarified that the act of navigation is not affirmative action and therefore cannot constitute consent. In the past, some have argued that the pressing of a button in some settings may constitute an affirmative action. The guidance says it does not.
2. (13) It is important that consent is not bundled up with other agreements such as the terms of a contract. It must be distinctly separate and obviously so. This is further explained below.
3. (16-24) It is vital that there is not an imbalance of power between the organisation and the data subject. One of the examples in the guidance considers the power the employer may have over the employee and how this may manifest itself by having a detrimental effect on the employee if consent is denied, for example when collecting health information about Coronavirus. In many instances, the guidance clearly states that should an imbalance be found to be the case, consent will be invalid and any processing that may have occurred may be a breach of the law.
4. (26-27) If you use contracts or agreements to deliver the provision of a service, you will not be able to use consent as the primary condition. There are a number of references to this in the document that may contradict themselves, but our interpretation is that if a service or product is provided due to a contractual arrangement or an agreement, then ‘contractual obligation’ is the condition to be used and not consent. The guidance goes on to say that should you wish to process further data beyond that strictly required to fulfil the contract, you may do so using consent.
5. (55-58) Consent must be specific to the purpose of the processing. There should be no ‘creep’ in the purpose. You may seek consent for other purposes, explaining these clearly, but this must be separate from the original consent gathered. The process of gathering additional consents must include a new ‘notice’ explaining the purpose for extending the consent.
6. (64) Details the minimum information that should be given to the data subject in order to ensure consent is informed.
7. Where consent is gathered to share data with other controllers, those controllers should be identified along with the information detailed in (64) above.
8. (87-88) Click fatigue means that we are all too frequently presented with many requests for consent, for example for Cookies, and therefore we do not read the information that is given to us. The guidance puts the burden of responsibility on the data controller to remedy such problems and ensure that the data subject is informed.
9. (91-98) Where you rely upon explicit consent to process special category data, it must be to a higher standard than ‘regular’ consent. It is suggested that the subject must ‘expressly confirm consent’. One good idea here is to have a two-stage consent process for explicit consent, and perhaps only one stage for regular consent.
10. (99) When providing a service by way of a contract which may involve special category data, and where an exception under art.9(2)(b-j) does not apply, explicit consent is the only condition available; contractual obligation would be insufficient.
11. (120) It is not possible to migrate from consent to another condition if consent was the primary condition for gathering the data. The example given is retrospectively applying Legitimate Interest. This would be a breach of data protection law.
12. Where consent is relied upon, the data subject must have an absolute right to withdraw that consent. This can make processing very difficult, and in such cases an alternative condition should be sourced.
13. Where consent is withdrawn, the data identifying the individual in question must be immediately deleted. In some instances, there might be a legal obligation to keep the data and, if so, you may apply your data retention provision to it. But this point focuses the mind on finding alternative conditions. Consent can be difficult to manage and may not always be the best approach.
14. Demonstrating how and when consent was gathered. The guidance states that you must be able to demonstrate three aspects of the consent you rely upon:
a. How the data subject consented;
b. When the data subject consented;
c. The information you gave the data subject at the time and how it was delivered.
If it is not possible to demonstrate this, consent will need to be refreshed and/or the consent will not be GDPR-valid.