Processing of personal data is lawful only if, and to the extent that, it is permitted under EU data protection law. Each and every data processing activity requires a lawful basis (see Chapter 7). Consent provides a lawful basis (subject to the requirements of EU data protection law regarding the nature of such consent). Other lawful bases for processing are set out in Chapter 7. Without a lawful basis, the processing of personal data is unlawful, and runs the risk of incurring substantial fines (see Chapter 16).
This topic is of particular relevance to organisations that rely on the consent of data subjects as a lawful basis for any of their processing activities. Organisations that do not rely on consent are not directly affected by the requirements set out in this Chapter.
Organisations that act as controllers need to ensure that they have a lawful basis for all of their data processing activities (see Chapter 7). To the extent that any organisation relies on consent as the lawful basis for any of its processing activities, it should review any consent mechanisms it has in place, to ensure that:
The need for consent
All processing of personal data requires a lawful basis (see Chapter 7). Consent provides one such lawful basis.
In order for the processing of personal data to be lawful, the controller requires either the consent of the data subject or another lawful basis.
The GDPR makes no material change to the principle that consent may provide a lawful basis for data processing activities. However, as set out below, the GDPR makes it significantly more difficult for organisations to obtain valid consent.
Nature of valid consent
The consent of the data subject provides a lawful basis for the processing of that data subject's personal data. However, such consent must meet certain requirements in order to be deemed sufficient for the purposes of EU data protection law.
"Consent" means any freely given specific and informed indication of the data subject's wishes by which the data subject signifies agreement to the processing of his or her personal data. Such consent provides a lawful basis for the processing of personal data provided that it is "unambiguous".
Rec.32; Art.4(11), 6(1)(a), 7
"Consent" means any freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of his or her personal data. Consent must be given by a statement or a clear affirmative action.
The Directive only states that the data subject must "signify" consent. The GDPR makes it clear that consent requires a clear affirmative action by the data subject. This may make it harder for some organisations to obtain valid consent.
Consent must be "freely given"
Consent must reflect the data subject's genuine and free choice. If there is any element of compulsion, or undue pressure put upon the data subject, consent will not be valid.
Although the Directive states that consent must be freely given (see Art.2(h) considered above), it does not clarify the meaning of this phrase.
Rec.32, 43; Art.7(4)
Consent will not be valid if the data subject has no genuine and free choice, or is unable to refuse or withdraw consent without detriment.
Where there is a "clear imbalance" between the controller and the data subject (e.g., between an employer and an employee), consent is presumed not to have been freely given.
When assessing whether consent is freely given, utmost account must be taken of whether the performance of a contract is made conditional on the data subject consenting to processing activities that are not necessary for the performance of that contract.
The Directive provides almost no guidance on the meaning of the phrase "freely given". Subsequent guidance from the WP29 (particularly in Opinion 15/2011) clarifies many of these issues, but it is important to note that the WP29's guidance, while important, is not legally binding. The GDPR makes it significantly harder for organisations to demonstrate that the data subject's consent has been freely given. In particular:
Consent must be "specific"
Blanket consent that does not specify the exact purpose of the processing is not valid consent.
"Consent" must be specific. The Directive does not explain this term further.
"Consent" must be specific. The GDPR does not explain this term further.
The WP29 has clarified (in Opinion 15/2011) that, in order to be specific, consent must be intelligible. The controller must clearly and precisely explain the scope and the consequences of the data processing. Consent cannot apply to an open-ended set of processing activities—it must be limited to a specific context. This requirement does not materially change as a result of the introduction of the GDPR.
Consent must be "informed"
In order for consent to be valid, data subjects must be provided with sufficient information to enable them to understand what they are consenting to.
Consent must be "informed". The Directive does not explain this term further.
Rec.32, 42; Art.4(11), 7(1)
Consent must be "informed". In order for consent to be informed:
The GDPR requires organisations to take significant extra steps in order to ensure that data subjects are properly informed of the purposes for which their personal data will be used. If this information is not provided in line with these requirements, any "consent" obtained may not be valid.
Method of obtaining consent
EU data protection law does not specify the method by which consent should be obtained. An organisation may use any appropriate mechanism to obtain consent.
The Directive does not provide details on the methods that can be used to obtain valid consent.
Consent must take the form of an affirmative action or statement. Consent can be provided by any appropriate method enabling a freely given, specific and informed indication of the data subject's wishes. For example, depending on the circumstances, valid consent could be provided verbally, in writing, by ticking a box on a web page, by choosing technical settings in an app, or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data.
The GDPR specifically recognises the validity of a number of commonly used methods of collecting consent, and affirms the principle that any appropriate method can be used. Organisations should give careful thought to ensuring that their consent mechanisms are appropriate to the nature of the consent being sought.
Silence is not consent
Acquiescence is not the same thing as consent. The fact that a data subject says nothing when given the opportunity to object, or fails to opt-out or unsubscribe, will not amount to valid consent.
The Directive does not explicitly make the point that silence cannot be consent.
Silence, pre-ticked boxes, inactivity, failure to opt-out, or passive acquiescence do not constitute valid consent.
The Directive does not specifically state that silence and inactivity cannot amount to consent. Subsequent guidance from the WP29 (particularly in Opinion 15/2011) clarifies this point. To the extent that there had been any doubt, the GDPR makes the point extremely clear. Organisations should ensure that they do not rely on silence or inactivity as consent.
Consent must be distinguishable from other matters
A data subject's consent to the processing of his or her personal data should not be tied to other matters.
The Directive does not explicitly discuss the need to separate consent from other matters.
If consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. If the data subject is asked to consent to something that is inconsistent with the requirements of the GDPR, that consent will not be binding.
The Directive does not specifically address the requirement to separate consent from other matters. Subsequent guidance from the WP29 (particularly in Opinion 15/2011) clarifies this point. To the extent that there had been any doubt, the GDPR makes the point extremely clear, emphasising its importance by stating that consent language that is inconsistent with the requirements of the GDPR is non-binding. Organisations should ensure that consent to the processing of personal data is always clearly distinguished from other matters (e.g., consent is not wrapped up as part of a wider set of terms and conditions).
The controller must be able to demonstrate consent
There is clearly potential for disagreements as to whether or not a data subject actually consented to the processing of his or her personal data.
The Directive does not directly address the obligation of controllers to maintain evidence of consent obtained from data subjects.
Where any processing activity is performed on the basis of consent, the controller must be able to demonstrate that it has obtained valid consent from the affected data subjects.
Although it has always been advisable for controllers to retain evidence of consent, the Directive does not specifically require controllers to do so. The GDPR places the burden of proof squarely on the controller, which may result in increased costs and administrative burdens for some organisations.
Right of data subjects to withdraw consent
Consent, by its nature, must be capable of being withdrawn. If the controller does not permit the data subject to withdraw consent then it is unlikely that the consent is valid. However, the right of data subjects to withdraw consent is not retrospective (i.e., data subjects cannot withdraw consent to processing that has already happened).
The Directive does not specifically address the issue of withdrawal of consent.
Rec.42, 65; Art.7(3)
Data subjects have the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject must be informed of the right to withdraw consent. It must be as easy to withdraw consent as to give it.
Although the Directive does not expressly state that there is a right to withdraw consent, this right is implied from the nature of consent, and has generally been enforced by DPAs. The GDPR formalises this right, but also obliges organisations to make it easy for individuals to withdraw consent, which may require businesses to create new systems and procedures to satisfy this requirement.
Consent can provide a lawful data transfer mechanism
If the data subject has consented to the transfer of his or her personal data to a jurisdiction outside the EEA, that consent provides a lawful data transfer mechanism (see Chapter 13).
Cross-Border Data Transfers may lawfully be made on the basis of the data subject's consent.
Rec.111; Art.49(1)(a), (3)
In the absence of other safeguards, transfers may take place if the data subject has explicitly consented to the transfer, having previously been informed of its possible risks. This does not apply to public authorities in the exercise of their powers.
The GDPR makes no material change to the principle that consent may provide a lawful data transfer mechanism, but it explicitly names it as a legal basis for Cross-Border Data Transfers.
Impact of the GDPR on existing consent
The GDPR imposes new requirements in relation to consent. Any existing consents that are valid under the Directive, but do not satisfy the requirements of the GDPR, will have to be re-obtained.
The Directive does not address this issue.
Where an organisation has already collected consent from data subjects (prior to the GDPR Effective Date) it is not necessary to collect that consent a second time in consequence of the GDPR, provided that the initial consent was compliant with the requirements of the GDPR.
In some cases, organisations may be able to rely on existing consents collected under the Directive. However, in many cases, historic consents will not be compliant with the requirements of the GDPR, and in such cases it will be necessary to collect fresh consents. For some organisations, this will be an onerous task.
The requirement that consent must be 'informed' is intended to ensure that data subjects understand the risks associated with the processing of their personal data. The information to be provided to data subjects should include:
Under the GDPR, consent must be provided in the form of a clear, affirmative action of the data subject. The first point to make is that consent generally cannot be obtained from a third party (i.e., one individual cannot normally consent to the processing of another individual's data), although there are some minor exceptions (particularly in the case of parents providing consent in relation to their children).
Second, the consent itself must be something that the data subject has said or done to indicate that they agree to the processing of their personal data. This agreement can take any appropriate form (e.g., a signature, a tick-box, a verbal consent, etc.), but it must be affirmative in nature—mere silence, passive acquiescence or failure to opt-out does not constitute valid consent under the GDPR.
Data subjects have the right to refuse to consent, and the right to withdraw any consent they have given. Following any such refusal or withdrawal of consent, organisations should be wary of proceeding with the proposed data processing activity. If, following withdrawal of consent, the organisation continues to process the data subject's personal data in reliance on another lawful basis (see Chapter 7) then that further processing may call into question the validity of the consent (and any similar consent provided by other data subjects).