General Data Protection Regulations (GDPR): Consent
In May the new General Data Protection Regulations (GDPR) will become active, replacing things like the UK Data Protection Act of 1998. These new rulings are the most comprehensive and significant changes to Data Protection and Privacy Law for many years.
The core focus is the rights of the data subject (you and me), introducing new rules that focus on how organizations process personal data. Organizations, must demonstrate accountability for these new rules, as well as understand that it impacts all organizations no matter where they reside. If the organization processes EU Subjects personal data then it will apply.
With that said, understanding the GDPR rulings, can be a complicated and painful process. Some of the rules can be interpreted differently, and many are left without specific enforcements or often details. No-one really knows what will happen come May 25th; will there be a massive legal case; will there be nothing. Will we see GDPR Officers investigating organizations, somehow, I doubt that, but I suppose you never know.
One of the areas that can be complex to understand is around “processing of data“. GDPR requires, that if you process any personal data, that you must notify the data subject of that in some form. This is referred to the “Lawfulness of processing“. You can read about it in Article 6 of the GDPR.
If you read Article 6, there are six legal bases. They are “Consent“, “Contract“, “Legal Obligation“, “Vital Interest“, “Public Interest” and “Legitimate Interest“. Understanding these, will help you know what is expected for consent, and when this can be overruled.
In Article 4 of the GDPR, it states that “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her“. This means that the data subject (you, me or even a customer), must understand exactly what they are consenting to and have freely chosen to consent to you processing their personal data. Any declaration written by you as an organization, must be in clear and plain language and easily accessible to the data subject. You must give the data subject the opportunity to consent to different types of processing. Consent can also be withdrawn at any time and the organization must respect that, and ensure this consent is upheld.
However, the understanding of how to use consent; what that means; and how to implement that can be very complicated. For example, there are times where “Legitimate Interests” can be used to process personal data, without the need for “Consent“.
A company that provides credit cards for example, would ask its customers to give consent for their personal data to be sent to credit reference agencies for credit scoring. If a customer refuses or withdraws their consent, the credit card company can still send the data to the credit reference agencies based on “Legitimate Interests“. Asking for consent would have been misleading and inappropriate, as processing was needed anyway. The company should have relied on “Legitimate Interests” from the start. To ensure fairness and transparency, the company should still tell their customers this will happen. This is very different from giving them a choice.
In Article 6 (1), it states the following:
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
So, what does this really mean?
Well for most organizations, whether processing of personal data is lawful or not will come down to sub-paragraphs “a“, “b” and “f“. For Marketing companies, trying to get new customers, then sub-paragraphs “a” and “f” apply. Now here is the problem though, implementing true consent is difficult and expensive, especially given the various requirements that must be met to comply with consent. Some organizations, may simply use subparagraph “f” to justify not collecting consent. This however will not be the case for most marketing or sales organizations, so formal consent processes must be defined and enabled, meeting the subparagraph “a” requirement.
Knowing when “Legitimate Interests” can be used (subparagraph “f”) versus straight “Consent“, is down to weighing against “the interests or fundamental rights and freedoms of the data subject“. Whether data controllers can justify processing without consent based on this subparagraph, will be down to being prepared to prove “Legitimate Interests” relative to the implied general interests of data subjects.
In April 2017, the “Article 29 Data Protection Working Party“, an independent advisory body to the EC commissioned by Article 2, posted an opinion of this very subject, and stated the following:
“The Working Party also supports the principled approach chosen in the Proposed Regulation of broad prohibitions and narrow exceptions, and believes that the introduction of open-ended exceptions along the lines of Article 6 GDPR, and Article 6(f) GDPR (legitimate interest ground), should be avoided”.
The key phrase there is “…should be avoided“, so where does that leave you as an organization?
Well, for most of organizations, Recital 47 of the GDPR can help as it clarifies more details around this.
(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Even with this wording, providing “Consent” is the only true way to protect the data subject, data controller and data processor from any misunderstanding. The main difference is “Legitimate Interests” is a statement of your intention, whereas “Consent” is a request from the data subject.
To help us with this, the GDPR Coalition has created various infographics and documents to guide us through the process of understanding.
More can be found here: http://gdprcoalition.ie/infographics/
The main takeaway, is to understand the GDPR rulings, and then work out where your organization fits within the “Consent” rulings, then either provide the “Consent” ability or document the “Legitimate Interests” process and details.
Another infographic that does a great job of explaining “Consent” can be found here: https://foiman.com/wp-content/uploads/2016/10/consent-under-GDPR-final.jpg, also shown below.