GDPR consent in practice – Part 1: OpportunityDecember 12, 2017byJulie Tamba
As a follow up to the article on whether collecting user geolocation require consent, it has to be examined more generally when and how consent should be obtained. The first part of this topic focuses on simple guidance regarding the opportunity to obtain consent.
When should consent be obtained?
It is important to underline that, under the General Data Protection Regulation, consent is not the only ground on which an entity can rely to process personal data: it is one of the six grounds which are exhaustively listed by article 6. Others legitimate reasons to process data are: (i) performance of a contract to which the data subject is a party ; (ii) compliance with a legal obligation to which the controller is subject; (iii) protection of the vital interests of a natural person; (iv) task carried out in the public interest or in the exercise of official authority ; (v) legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Assuming that there is no contract with the individual, no legal obligation, and no vital or public interest at stake, an entity is generally left with two options which are legitimate interest or consent.
Cases where consent is imposed
There are certain cases where a choice between these options is easy, in particular when consent is explicitly required by law. It is the case for automated decisions unnecessary for the purpose of a contract and with legal or significant effects (GDPR article 22), or in case a transfer outside the EU is neither protected by an adequacy decision or appropriate safeguards nor otherwise legally justified (GDPR article 49), or should sensitive data be collected outside nine specific cases (GDPR article 9).
On top of the content of the GDPR, other explicit requirements for consent exist or are in the process of being elaborated: in the ePrivacy legislation on the first hand, especially in relation to direct marketing (article 13 of the current directive and article 16 of the regulation proposal) or implementation of cookies (article 5 of the current directive and article 8 of the regulation proposal); in specific European or national legislation on the other hand, for example – in France and as of December 2017 – in relation to certain types of biomedical research (article 56 of the French Data Protection Act) and analysis of the content of electronic communications (article L.32-3 of the French Electronic Communications Code).
Cases where consent is precluded
In other situations, consent has to be avoided. In its opinion 15/2011 on the definition of consent, the article 29 Working Party pointed out that this is particularly the case:
- Where “the elements that constitute valid consent are unlikely to be present” (this is the case in the context of employment or other situations of subordination where consent will in all likelihood not be “freely given”), or
- Where “once consent is withdrawn, the data processing continues based on another legal ground“.
Cases which are not as straightforward
Last but not least, where it is neither required nor discouraged by law or the authorities, consent may be preferred or ruled out depending on whether or not legitimate interest it relevant. In that regard, it has been clarified that legitimate interest is not relevant when interests or fundamental rights and freedoms of the data subject prevail.
Interests or fundamental rights and freedoms of the data subject may prevail for example where the data subject is a child (GDPR article 6) or in relation to tracking and profiling, behavioural advertisement, data-brokering, location-based advertising or tracking-based digital market research (Opinion 03/2013 on purpose limitation of the article 29 Working Party) or when a risk to such rights and freedoms has been identified after carrying out a Privacy Impact Assessment (GDPR article 35).
Each processing situation must be carefully examined under the above-mentioned criteriq before choosing consent, keeping in mind that methods for obtaining and evidencing consent will further require attentive assessment.