The end of “old” consent? Consent faces legal action by Max Schrems and consumer agencies

Consent will be among the first targets of data activist Max Schrems under the GDPR.[1] And most “old” consent forms will be invalid from 25th May on. That follows from a narrow interpretation of recital 171 GDPR by the Art. 29 WP.[2] This interpretation requires that consent be fully compliant with the GDPR.[3] And the GDPR raises the bar significantly in comparison to Directive 95/46. I will focus on three aspects:

  1. Consent shall not be conditional. Consent is conditional when the provision of a service is made dependent on consent to data processing that is not necessary for the performance of that service.[4]
  2. Consent shall be given in a separate way for any single purpose[5].
  3. Consent shall be given separately for any data processing operation unless a consent, which covers several data processing operations, is exceptionally appropriate in the individual case.[6]

As a consequence, controllers have to ask for a new consent if the additional conditions of the GDPR are not fully met, or they have to stop the relevant data processing.[7] The only exception to strict compliance is the information requirement of Articles 13 and 14 GDPR. If not all information now required under Articles 13 and 14 GDPR was provided to the consumer in the past, an old consent may still be valid following the interpretation of the Art. 29 WP.

  1. Consent shall not be conditional

To check whether a consent is conditional, it is essential to identify which personal data is necessary to provide the service to the customer. Following the statement of the Art. 29 WP, any data that is adequate for the provision of a service shall be processed on the basis of the performance of a contract according to Article 6 (1) (b) GDPR and not on the basis of consent.[8] For a car insurance contract, for example, the processing of the customer's contact data, the type of the car and any damage to the car shall be based on the performance of the contract. The location data and the driving behaviour of the customer, which are stored by the car's on-board computer, would be useful for the insurance company to estimate the likelihood of an accident. But this data is not genuinely required for the performance of the insurance contract and is therefore not necessary in a legal sense.[9] As a consequence, a consent is required for the storage of the location data and the driving behaviour. But the insurance company cannot tie the consent to the formation of the contract in such a way that the contract is not concluded if the customer refuses to give consent. In that case the consent would not be regarded as freely given.

  2. Consent shall be given in a separate way for any single purpose

The Art. 29 WP has provided an example for the separation of consent for each single purpose. When a retailer asks for consent to send marketing e-mails, that is a different purpose from transferring the customer data to another legal entity. Therefore, each of these two purposes requires a separate consent.[10]

  3. Consent shall be given separately for any data processing operation

Consent shall be given separately for any data processing operation unless a consent, which covers several data processing operations, is exceptionally appropriate in the individual case.[11]

The term data processing operation is not defined in Article 4 GDPR. A different processing operation may be identified, firstly, by a transfer to different recipients or, secondly, by the processing of a different set of personal data. But the statement of the Art. 29 WP is not specific enough in this respect. In addition, the Art. 29 WP provides insufficient guidance as to when an exception to the general rule applies and a separate consent is not necessary in the individual case.[12]

That leaves a wide range for interpretation and puts controllers in a dilemma. Whenever a controller changes the wording of a consent form, this indicates a high likelihood that the “old” consent was not in line with the GDPR. Whenever a controller does not change the wording of an “old” consent and accepts a certain legal risk, the consent may be regarded as invalid by the DPAs or a court – when attacked by data protection activists.

The German DPAs[13], which are generally regarded as very strict, followed a different and more pragmatic approach than the Art. 29 WP. If a consent was valid under Directive 95/46, it should remain valid under the GDPR. Only the two requirements of the special protection of children (Article 8 GDPR) and the conditionality of the consent (see No 1. above) should be fully in line with the GDPR. The other principles – like the separation of consent for each purpose – were not regarded as essential.[14] But the German DPAs are now overruled by the later statement of the Art. 29 WP, as the Art. 29 WP will be transformed into the European Data Protection Board (EDPB), which will be responsible for the binding interpretation of the GDPR.[15]

Apart from the requirements discussed above, the following conditions should not be neglected:
Consent

  • shall be freely given by a clear affirmative action, e.g. not by pre-ticked boxes,
  • shall be given in an informed way,
  • is not valid if there is a clear imbalance between data subject and controller – e.g. in an employment context,
  • has to be clearly distinguishable within a written declaration that also covers other matters – e.g. general terms and conditions,
  • can be withdrawn by the data subject with effect for the future,
  • of a child under 16 has to be authorised by the parents.

The burden of proof as to whether an “old” consent is compliant with the requirements of the GDPR lies with the controller,[16] and the controller's decision shall be documented in line with the principle of accountability according to Article 5 (2) GDPR.

In Germany, we recently observed a rise in the number of lawsuits concerning consent forms.[17] Consent forms are regarded as general terms and conditions and are insofar subject to special consumer protection legislation. This consumer protection legislation gives consumer agencies the right to take legal action on their own behalf[18] and is now covered by Article 80 (2) GDPR. Any controller that falls under German legislation will face the risk of being sued by consumer agencies – in addition to the option of the data subject to delegate his rights to an NGO according to Article 80 (1) GDPR – like Noyb of Max Schrems.

[1] Interview with Max Schrems in German, https://www.heise.de/newsticker/meldung/DSGVO-Max-Schrems-will-gegen-Schufa-klagen-4037367.html

[2] Art. 29 Working Party, http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358

[3] Art. 29 WP, Guidelines on Consent under Regulation 2016/679, WP 259, page 29, http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051

[4] Article 7 (4) GDPR in connection with recital 43

[5] Recital 32 GDPR

[6] Recital 43 GDPR

[7] Art. 29 WP, Guidelines on Consent under Regulation 2016/679, WP 259, page 30, http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051

[8] Art. 29 WP, Guidelines on Consent under Regulation 2016/679, WP 259, page 9, http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051

[9] Art. 29 WP, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, WP217, page 16

[10] Art. 29 WP, Guidelines on Consent under Regulation 2016/679, WP 259, page 11, http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051

[11] Recital 43 GDPR

[12] The German wording does not indicate as clearly as the English version that the general rule is to obtain a separate consent for any data processing operation.

[13] In Germany, several DPAs exist at state level (Bundesländer) and one at federal level (Bundesdatenschutzbeauftragte).

[14] Düsseldorfer Kreis, Beschluss der Aufsichtsbehörden für den Datenschutz im nicht-öffentlichen Bereich (Düsseldorfer Kreis am 13./14. September 2016), https://www.bfdi.bund.de/SharedDocs/Publikationen/Entschliessungssammlung/DuesseldorferKreis/FortgeltungBisherErteilterEinwilligungen.html?cms_sortOrder=score+desc&cms_templateQueryString=Einwilligung

[15] According to Article 70 GDPR.

[16] See Article 24 (3) in connection with Article 82 (3) GDPR

[17] See e.g. the case of a consumer agency against Facebook, https://www.heise.de/newsticker/meldung/App-Zentrum-Kammergericht-Berlin-untersagt-Facebook-umfassende-Datenweitergabe-3879983.html

[18] § 2 para. 1 and para. 2 Nr. 11 Unterlassungsklagengesetz – UKlaG, http://www.gesetze-im-internet.de/uklag/__2.html