Every child wakes up with an extra little twinkle in their eye on Christmas morning. Whether that twinkle comes on the 24th of December, when the Christ Child visits in Southern Germany, or on the 25th, when Santa leaves goodies for all the good girls and boys throughout the US, the magic of Christmas is something that can be felt all around the world.

Just as Christmas seems to change our dreary winters into times of joy and love, consent in the world of data protection seems to bring a little magic with it. But just as presents get returned and the dreary winter weather continues after the holidays, consent can be withdrawn, invalidated or simply inapplicable in certain situations.

Consent – the magic solution for all processing problems?

When thinking about all the restrictions that the GDPR brings with it, controllers sometimes get a little twinkle in their eye when they believe consent will solve all the issues that come with processing personal data. Some think that obtaining consent means that you can process any personal data you would like in any way that you would like. However, this is not the case. Art. 6 para. 1 lit. a GDPR provides that processing is lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes. In order to use this article as the legal basis for processing, we first have to look at what consent is as defined by the GDPR.

Art. 4 (11) GDPR defines consent as “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Using this definition and other commentary on consent, here are the requirements for valid consent, as I see them laid out in the GDPR. Consent must be:

  1. Voluntary – consent must be based on the individual’s free choice. (Recital 32)
  2. Specific – consent is always preceded by the determination of a specific, explicit and legitimate purpose for the intended processing activity (Guidelines 05/2020 on consent under Regulation 2016/679).
  3. Informed – the data subject must be informed in advance and comprehensively of the type and extent of the intended data processing. The data subject must be able to weigh the consequences of granting or not granting consent. (Recital 42)
  4. Provable – the data controller must be able to demonstrate that the data subject has consented to the processing of his/her personal data (Art. 7 para. 1 GDPR, Recital 42), and
  5. Revocable – the data subject may withdraw his/her consent at any time with effect for the future. He/she must be informed of this before giving consent. Withdrawal of consent must be as easy as giving it (Art. 7 para. 3 GDPR).

Sometimes these requirements are not fully met by those wishing to use consent as the legal basis for processing personal data. These situations are like those of little children who, instead of finding gifts in their Christmas stockings, find a lump of coal.

Voluntary

One example of such a situation is the employment relationship. Here I often hear controllers say, “we can just ask employees to consent to the processing”. However, the relationship between an employee and an employer often makes voluntary consent impossible. Unless there is a very clear option to decline consent without suffering any detriment, consent from an employee will generally not be valid. In response to the question “Can my employer require me to give my consent to use my personal data?” the European Commission stated:

“The employer-employee situation is generally considered as an imbalanced relationship in which the employer wields more power than the employee. Since consent has to be freely given, and in light of the imbalanced relationship, your employer in most cases can’t rely on your consent to use your data.”

A controller must always make sure that the data subject understands that they have the option of saying no.

Specific

Specific consent is also a tricky requirement to fulfil, since the purpose cannot be changed, altered or extended after consent has been received unless a special regulation provides for such an exception. The UK data protection authority, the ICO, states on its website that the purpose of the processing must be explained in a granular way, making it possible for data subjects to consent to different purposes separately, so long as this does not become confusing. Daniel J. Solove wrote an article called Murky Consent in which he stated, “The GDPR demands granular and specific consent to each specific purpose of processing yet also wants a simple and concise way to obtain consent – akin to wanting its cake and eating it too.” It is difficult to find a balance between providing all the required information and remaining understandable when making consent specific.

To go even further the ICO also commented regarding the further use of data for purposes beyond those specifically stated in the consent:

“Even if your new purpose is considered ‘compatible’ with your original purpose, this does not override the need for consent to be specific. If you were relying on consent you therefore need to either get fresh specific consent, or else identify a new lawful basis for the new purpose.”

Informed

The next hurdle is closely related to the last: providing the data subject with information about the specific, explicit and legitimate purpose. In my view, being specific and being informed are two pieces of the same puzzle. The comments above from the ICO and others refer not only to the specific nature of the consent but also to how this information can be provided to data subjects. Keeping it simple, just like my Christmas list, takes some magic. I always start out attempting to keep the list to something you wear, something you want, something you read and something you need, and end up with what feels like a million presents per kid, each one falling within the above categories and too important to leave out of our Christmas festivities. Information provided to data subjects must be simple, but the technology and processing of personal data are confusing and sometimes very technical. Information provided to data subjects should also be concise, but when there are multiple purposes for processing the data, each purpose must be explained. Recital 42 sets the floor here: for consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.

Provable

Once you have provided data subjects with information regarding the specific purpose of the processing and allowed them to choose freely whether they consent, you can move on to the next element of consent: provability. This morning my family woke up and my youngest looked up at our elf on the shelf (this morning sitting on our blanket ladder in the living room) and said, “he isn’t real”, and my first thought was “Prove it!”. Naturally I did not say this to my 3-year-old, but this is what the authorities will say if a controller says, “we obtained consent for the processing”. There are many different ways to obtain consent; some are easy to prove and others are a little more difficult. In practice, the controller needs to be able to show who consented, when, to which purposes, what information they were shown at the time and how they signified their agreement. Consent management is a real thing and should not be taken lightly: if you cannot prove that consent was given, it cannot be the legal basis for processing.

Revocable

Last but not least, just like the day after Christmas is filled with gift returns, consent must be revocable. This year, I cannot lie, I did a large amount of Christmas shopping in November, but only those gifts which could be bought online. In a store you normally only have a 30-day return window; here in Germany I have even experienced a 7-day return policy. Some online shops, on the other hand, allow you to return your gifts up to January 31st. Just like this easy and laid-back return policy, consent must be easy to withdraw. Data subjects must be able to withdraw their consent in a way that is just as easy as giving it, and withdrawing must not leave them worse off. Information on how to withdraw consent must be provided before consent is given (Art. 7 para. 3 GDPR), just like my store receipts must provide me with information regarding the return policy for my purchase. Withdrawal works for the future: processing that took place on the basis of the consent before it was withdrawn remains lawful, but processing that relies on that consent must stop once it has been withdrawn.
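To make the “specific”, “provable” and “revocable” requirements discussed above concrete, here is an added example in Python that is not part of the original post: a minimal consent ledger that records granular purposes, the exact notice text the subject saw, how and when they agreed, supports one-step withdrawal, and keeps the records tamper-evident so they can be produced as proof. The record structure, field and method names, and the sample notice text are assumptions for illustration; a real consent management system would persist this in a database and tie it to the subject’s account.

```python
# Added illustrative example, not from the original post. Names and the sample
# notice text are assumptions; only the legal requirements it encodes come from
# the GDPR (Art. 4(11), Art. 7, Recitals 32 and 42).
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Callable, Iterable, Optional

# Recital 32: silence, pre-ticked boxes or inactivity do not constitute consent.
INVALID_METHODS = {"pre_ticked_box", "silence", "inactivity"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    action: str                # "grant" or "withdraw"
    purposes: tuple[str, ...]  # granular purposes this event covers
    notice_sha256: str         # hash of the exact notice text shown to the subject
    method: str                # how the subject acted, e.g. "unticked_checkbox"
    timestamp: str             # ISO 8601, UTC
    prev_hash: str             # hash of the previous event (tamper-evident chain)
    event_hash: str            # hash over all fields above

    def body(self) -> dict:
        d = {k: v for k, v in self.__dict__.items() if k != "event_hash"}
        d["purposes"] = list(self.purposes)
        return d


def _digest(obj) -> str:
    data = obj.encode() if isinstance(obj, str) else json.dumps(obj, sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()


class ConsentLedger:
    GENESIS = "0" * 64

    def __init__(self, clock: Callable[[], datetime] | None = None):
        self._events: list[ConsentEvent] = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _append(self, subject_id, action, purposes, notice_text, method) -> ConsentEvent:
        prev = self._events[-1].event_hash if self._events else self.GENESIS
        ev = ConsentEvent(subject_id, action, tuple(sorted(purposes)), _digest(notice_text),
                          method, self._clock().isoformat(), prev, "")
        ev = replace(ev, event_hash=_digest(ev.body()))
        self._events.append(ev)
        return ev

    def grant(self, subject_id: str, purposes: Iterable[str], notice_text: str, method: str) -> ConsentEvent:
        """Specific: purposes are named one by one, never 'all processing'.
        Unambiguous: a passive method is refused rather than recorded."""
        purposes = list(purposes)
        if not purposes:
            raise ValueError("consent must name at least one specific purpose")
        if method in INVALID_METHODS:
            raise ValueError(f"{method!r} is not a clear affirmative action")
        return self._append(subject_id, "grant", purposes, notice_text, method)

    def withdraw(self, subject_id: str, purposes: Optional[Iterable[str]] = None) -> ConsentEvent:
        """Revocable: one call, for some purposes or (default) for everything active."""
        active = self.active_purposes(subject_id)
        target = active if purposes is None else set(purposes) & active
        return self._append(subject_id, "withdraw", target, "", "self_service")

    def active_purposes(self, subject_id: str) -> set[str]:
        """Replay the chain; withdrawal only affects the future, earlier events stay."""
        active: set[str] = set()
        for ev in self._events:
            if ev.subject_id != subject_id:
                continue
            active = active | set(ev.purposes) if ev.action == "grant" else active - set(ev.purposes)
        return active

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        return purpose in self.active_purposes(subject_id)

    def proof(self, subject_id: str, purpose: str) -> Optional[dict]:
        """Provable: the grant event still covering this purpose, or None."""
        if not self.has_consent(subject_id, purpose):
            return None
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.action == "grant" and purpose in ev.purposes:
                return {**ev.body(), "event_hash": ev.event_hash}
        return None

    def verify(self) -> bool:
        """Recompute the hash chain; an edited or removed event breaks it."""
        prev = self.GENESIS
        for ev in self._events:
            if ev.prev_hash != prev or _digest(ev.body()) != ev.event_hash:
                return False
            prev = ev.event_hash
        return True


# Constructed sample notice text (assumption for the example).
NOTICE_V1 = ("We would like to send you our newsletter and measure how you use our site. "
             "You can withdraw at any time under Settings > Privacy.")


def demo() -> dict:
    """Walk through grant, purpose check, partial withdrawal, proof and tamper detection."""
    ledger = ConsentLedger(clock=lambda: datetime(2023, 12, 24, 8, 0, tzinfo=timezone.utc))
    ledger.grant("subject-42", ["newsletter", "analytics"], NOTICE_V1, "unticked_checkbox")
    out = {"newsletter_before": ledger.has_consent("subject-42", "newsletter"),
           "profiling": ledger.has_consent("subject-42", "profiling")}  # never asked for
    ledger.withdraw("subject-42", ["newsletter"])
    out["newsletter_after"] = ledger.has_consent("subject-42", "newsletter")
    out["analytics_after"] = ledger.has_consent("subject-42", "analytics")
    out["proof_notice_ok"] = ledger.proof("subject-42", "analytics")["notice_sha256"] == _digest(NOTICE_V1)
    out["chain_ok"] = ledger.verify()
    # Tamper: quietly widen the recorded purposes after the fact.
    ledger._events[0] = replace(ledger._events[0], purposes=("analytics", "newsletter", "profiling"))
    out["chain_after_tamper"] = ledger.verify()
    try:
        ledger.grant("subject-43", ["newsletter"], NOTICE_V1, "pre_ticked_box")
        out["pre_ticked_rejected"] = False
    except ValueError:
        out["pre_ticked_rejected"] = True
    return out
```

The point of hashing the notice text rather than storing a version label is that “what the subject was shown” is exactly what an authority will ask about; a label can be reassigned later, a digest of the wording cannot. The chain is only tamper-evident, not tamper-proof: anyone who can rewrite the whole ledger can recompute it, so in practice the head hash would be anchored somewhere the application cannot write (an append-only log or a signed export).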

Conclusion

We seem to grow out of the magic of Christmas as we grow older, but I feel like with a little effort we can still enjoy the holiday season. This is also true of consent: the more you deal with data privacy, the more you lose that magical feeling around consent, but if all the pieces of valid consent are present and each one is properly addressed, then consent does bring a little magic to the processing of personal data.