1 No consent without choice
The key form of the question for consent is the question you pose at a marriage: “Do you like to marry me?“ In addition we may know the consent from the old roman priciple: “Volenti non fit inuria“ – the consenting person can not be harmed since he agrees to the action. But both situations have the principle in common that consent must be freely given. This aspect is equally highlighted by GDPR in recital 33:
„Consent should be given by a clear affirmative act establishing a freely given, … unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her,…“
The Bundeskartellamt (German-Anti-Trust-Agency) confirms this interpretation in its recent decion on Facebook.1Since WhatsApp leaves no choice to it’s users to refrain from the consent to transfer their data to Facebook, the consent is invalid. This binding interpretation by a regulator shows that a consent without choice is invalid.
This interpretation is underlined by Art. 7 (4) GDPR:
“When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.“
According to the interpretation of WP 29 the term ‘necessary for the performance of the contract’ has to be interpreted in a narrow way.2
Referring to the example of WhatsApp the service can not be provided without the transfer of the mobile number of the user to WhatsApp since without his mobile number a connection with the messaging service is not possible. But the service of WhatsApp does not necessarily require the data transfer to Facebook. Without the data transfer to Facebook the messaging service is still technically possible.
Eventually, the data subject has the right to withdraw the consent at any time according to Art. 7 (3) GDPR. Therefore, a consent which may not be withdrawn is legally invalid. That derives from the argumentum e contrario.
2 Consent shall be specific for different purposes
In addtion GDPR requires consent to be given seperately for each purpose in case different purposes do apply. Recitial 32 GDPR states:
“When the processing has multiple purposes, consent should be given for all of them.“
- Data processing to improve the services of the controller.
- Data processing for advertising.
- The transfer of personal data to other legal entities within the group of undertaking.
- The transfer of personal data to external third parties.
In addition GDPR requires a seperate consent for each different ‘processing operation’ insofar it is appropriate. Recital 43 GDPR states:
“Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case,…“
But this last aspect shall not be further elaborated.
But this effect fails and leads to the contrary:
- A fall back legal basis is no legally valid option.
The DSK – which is the conference of all German Data Protection Authorities – provided a recent statement on No. 3 the fall back legal basis. According to the DSK a voluntarly switch from one legal basis to another legal basis by the controller is not admissable.3
Firstly, the controller shall inform the data subject according to Art. 13 GDPR about the legal basis of the processing. That requires the controller to name a specific legal basis.
Secondly, the data processing must be fair according to Art. 5 (1) (a) GDPR. The principle of fairness prohibits the use of a fall back legal basis which leaves the data in a uncertainty on how to check the lawfulness of the data processing.
1Bundeskartellamt, Fallbericht, Facebook; Konditionenmissbrauch gemäß § 19 Abs. 1 GWB wegen unangemessener Datenverarbeitung, Az B6-22/16, vom 6. Februar 2019, S. 11, 12; https://www.bundeskartellamt.de/SharedDocs/Entscheidung/DE/Fallberichte/Missbrauchsaufsicht/2019/B6-22-16.html;jsessionid=6E2F698E64D2AFFC8247F0997CF1AE97.1_cid362?nn=3591568;
Bundeskartellamt, press release; https://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2019/07_02_2019_Facebook.html;jsessionid=6E2F698E64D2AFFC8247F0997CF1AE97.1_cid362?nn=3591568
2Article 29 Working Party, WP 217, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, adopted on 9 April 2014; https://datenschutz.hessen.de/infothek/artikel-29-datenschutzgruppe
3DSK (Datenschutzkonferenz), Kurzpapier Nr. 20, Einwilligung nach der DS-GVO, 22. Februar 2019, S. 3; https://www.datenschutzkonferenz-online.de/kurzpapiere.html