One of the most hotly debated issues of the new General Data Protection Regulation (GDPR) is that of consent. The controversy arises from the proposed stricter requirements for consent and reforms to the so called “legitimate interests” grounds.
While the “consent” and “legitimate interests” grounds are just two of a number of grounds for justifying the processing of personal data, they are the grounds that are most commonly relied upon for the purposes of the Directive. The proposals under the GDPR with regard to these data processing grounds could have serious practical implications for business.
What does the law require today?
At present, in order to validly obtain consent, businesses need to provide sufficient information to individuals about how and why they process their personal data and provide a mechanism whereby individuals can indicate their consent. In this sense, consent can be implied under the Directive and it is only in specific cases, such as the processing of sensitive personal data (i.e. data that can reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or data relating to the data subject’s health or sex life) that consent needs to be explicit.
The ‘legitimate interests’ condition provides grounds to process personal data in a situation where a business needs to do so for the purpose of its own legitimate interests or the legitimate interests of the third party to whom the information is disclosed. The legitimate interests of the business or the third party must be balanced against any prejudice to the rights and freedoms or legitimate interests of the individual whose data is being processed.
In a number of jurisdictions, including the UK, the “legitimate interests” condition provides a degree of data processing flexibility that might not otherwise exist. On the other hand, some DPAs have taken a more restrictive approach – for example, the Spanish data protection regulator considers that personal data should only be processed for the purposes it was collected, with very limited exceptions.
Nevertheless, the Directive offers a business-friendly approach that the legislators are now considering re-defining.
What will the General Data Protection Regulation require?
As regards consent, the Commission proposed (and the Parliament agreed) that consent should always be “explicit, freely given, specific and informed”. It also noted that consent should be obtained through a statement or “clear affirmative action”, that it could be withdrawn at any given time by the data subject, and that it would not be legally valid if there is “a significant imbalance between the position of data subject and the controller”.
The Commission’s and Parliament’s “explicit consent approach” is a radical departure from that of the Directive, which only requires “explicit” consent to process sensitive data. On the other hand, the Council suggests that consent under the GDPR need not be “explicit” – it need only be “unambiguous”.
A requirement in GDPR for consent to be “explicit” (stated clearly and in detail) is very different to a requirement for it to be “unambiguous” (clear and cannot be understood wrongly). Whereas unambiguous consent would mean consent could still be implied, explicit consent would open the door to a world of never-ending tick boxes.
Additionally, and regardless of the type of consent that is finally agreed to be valid under the GDPR, the Parliament proposes that companies should be required to demonstrate that they have effectively obtained users’ consent – this proposal, if implemented, would impose a significant practical burden on businesses.
Given the likely difficulty of relying on consent, the possibility of relying on the “legitimate interests” ground will be crucial from a business perspective. However, it is unclear what form this condition will take in the final text of the GDPR.
On the one hand, the Commission and Parliament suggest individuals’ data can only be processed: (i) for a purpose to which they have consented; or (ii) for such legitimate interests of the controller or relevant third parties as individuals could reasonably expect.
On the other hand, the Council proposes a more business-orientated approach, which would allow controllers and processors alike to process data on the “legitimate interests” ground even for purposes that are incompatible with the original purposes of the processing, provided that the interests or the fundamental rights and freedoms of the individual are not overriding.
It remains to be seen what form the “legitimate interests” condition will ultimately take.
What are the practical implications?
If a business wishes to process personal data for purposes other than those for which it was collected (as specified in the relevant data protection notices), it will potentially have limited compliance options. If the approach of the Commission and Parliament is ultimately adopted, businesses that wish to undertake processing that is not compatible with the purpose for which the personal data has been collected will not be able to justify the processing by reference to the “legitimate interests” criterion.
Of course, there is the option of explicit consent but that is likely to mean serious (and expensive!) re-engineering of data collection forms, online and mobile user interfaces as well as a re-evaluation of terms and conditions/privacy policies etc. In some scenarios, consent may not be an option in any event, e.g. where there is a significant imbalance between the individual and the organisation that is collecting the personal data.
Given that consent is less likely to be an option for one reason or another, the proposed reforms present a serious difficulty for businesses since there are a number of scenarios in which businesses may wish to use personal data in a way that is not compatible with the purposes for which it was collected.
Further, the proposals may also give rise to legally and commercially complicated situations, for example, where the user does not consent to or withdraws his/her consent to the relevant data processing.
So, what can businesses do now?
- Start auditing all their various uses of data;
- Understand the grounds on which they collect and use data; and
- Assess whether these grounds remain valid under the GDPR and, if not (or if those grounds become marginalised), have in place plans to transition to new grounds.