The word “consent” is being bandied about quite a bit these days. For instance, serial sexual abusers defend themselves by saying that that their victims had consented.
But consent is hardly valid when it is coerced. And that’s equally true when it comes to use of data by companies, judging by the Data Protection Working Party’s new paper (WP @59) on consent.
This paper, designed to prepare firms for the EU’s General Data Protection Regulation, says consent must be obtained whenever data on people is being processed. And that consent must be:
These terms seem pretty clear, and are applicable wherever consent is required. But the working group spells out just what it means by consent.
“The word 'free' implies “real choice and control for data subjects,” it begins. “As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid
The paper continues that if “consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given."
In addition, consent will not be considered free if “the data subject is unable to refuse or withdraw his or her on sent without detriment.”
Clearly, that discussion can cover any number of situations. But there are other elements to consider, such as the imbalance of power.
How does that occur? It can happen when the data processor is a public authority or an employer.
You might argue that such authorities should not need consent to use information, and the EU would agree in some cases. But not in every one.
For example, a municipality may want to send emails to update residents on road maintenance disruptions. It still should ask for permission, making it clear that refusers will not miss out on services if they decline.
When an imbalance exists, consent is only valid when "the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences (e.g. substantial extra oats) if he/she does not consent."
It adds that consent cannot be free when there is "any element of compulsion, pressure or inability to exercise free will.”
Let’s say you offer a variety of services and process data in multiple situations: Be prepared to get permission for every one.
"In such cases, the data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes."
To further clarify, it adds that “consent is presumed not to be freely given if the process/procedure for obtaining consent does not allow data subjects to give separate consent for personal data processing operations respectively (e.g. only for some processing operations and not for others).
This all falls under the heading of granularity.
What does the GDPR mean by "unambiguous indication of wishes?" Simply that it requires a "statement from the data subject or a clear affirmative act which means that it must always be given through an active motion or declaration. It must be obvious that the data subject has consented to the particular use.”"
Does consent sunset at some point? Yes. And you will have to ask for it once again.
“There is no specific time limit in the GDPR to how long consent will last. How long consent lasts will depend on the context, the scope of the original consent and the expectations of the data subject.”
It concludes: “if the processing operations change or evolve considerably then the original consent is no longer valid. If this is the case, then new consent needs to be obtained."
One more note: These rules apply to U.S. firms with European citizens on their lists.