GDPR consent in practice – Part 1: Opportunity

December 12, 2017 by Julie Tamba

As a follow-up to the article on whether collecting user geolocation requires consent, this series examines more generally when and how consent should be obtained. This first part offers simple guidance on when it is opportune to obtain consent.

When should consent be obtained?

It is important to underline that, under the General Data Protection Regulation, consent is not the only ground on which an entity can rely to process personal data: it is one of the six grounds exhaustively listed by article 6. The other legitimate grounds for processing data are: (i) performance of a contract to which the data subject is a party; (ii) compliance with a legal obligation to which the controller is subject; (iii) protection of the vital interests of a natural person; (iv) a task carried out in the public interest or in the exercise of official authority; (v) legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Assuming that there is no contract with the individual, no legal obligation, and no vital or public interest at stake, an entity is generally left with two options: legitimate interest or consent.

Cases where consent is imposed

There are certain cases where the choice between these options is easy, in particular when consent is explicitly required by law. This is the case for automated decisions that are unnecessary for the purpose of a contract and that have legal or significant effects (GDPR article 22); where a transfer outside the EU is neither protected by an adequacy decision or appropriate safeguards nor otherwise legally justified (GDPR article 49); or where sensitive data is collected outside nine specific cases (GDPR article 9).

Beyond the GDPR itself, other explicit requirements for consent exist or are being drafted: on the one hand, in the ePrivacy legislation, especially in relation to direct marketing (article 13 of the current directive and article 16 of the regulation proposal) or the use of cookies (article 5 of the current directive and article 8 of the regulation proposal); on the other hand, in specific European or national legislation, for example – in France and as of December 2017 – in relation to certain types of biomedical research (article 56 of the French Data Protection Act) and analysis of the content of electronic communications (article L.32-3 of the French Electronic Communications Code).

Cases where consent is precluded

In other situations, consent has to be avoided. In its Opinion 15/2011 on the definition of consent, the Article 29 Working Party pointed out that this is particularly the case:

  • Where “the elements that constitute valid consent are unlikely to be present” (this is the case in the context of employment or other situations of subordination where consent will in all likelihood not be “freely given”), or
  • Where “once consent is withdrawn, the data processing continues based on another legal ground”.

Cases which are not as straightforward

Last but not least, where it is neither required nor discouraged by law or the authorities, consent may be preferred or ruled out depending on whether or not legitimate interest is relevant. In that regard, it has been clarified that legitimate interest is not relevant when the interests or fundamental rights and freedoms of the data subject prevail.

The interests or fundamental rights and freedoms of the data subject may prevail, for example, where the data subject is a child (GDPR article 6); in relation to tracking and profiling, behavioural advertisement, data-brokering, location-based advertising or tracking-based digital market research (Opinion 03/2013 on purpose limitation of the Article 29 Working Party); or when a risk to such rights and freedoms has been identified after carrying out a Privacy Impact Assessment (GDPR article 35).

Each processing situation must be carefully examined under the above-mentioned criteria before choosing consent, keeping in mind that methods for obtaining and evidencing consent will further require attentive assessment.
