In today’s article, part 2 of our countdown to GDPR on May 25, we look at what the European Union General Data Protection Regulation (GDPR) says about consumer consent. For a discussion of when the GDPR can apply to Australian businesses see https://www.compliancequarter.com.au/understanding-gdpr-opportunities-risks/.
By Dr Drew Donnelly, Compliance Quarter.
Article 4(11) of the GDPR defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".
Compared with the existing EU data protection rules, and with the definition in the Australian Privacy Act 1988, the GDPR definition places much greater emphasis on a positive action by the data subject: silence, inactivity or a pre-set default will not do.
Implementing Meaningful Consent
In implementing the new definition of consent, draft guidance from the UK Information Commissioner's Office (ICO) is useful. That guidance provides that consent should be:
- Unbundled. A request for consent (for example, to send marketing emails) should be separated from other terms and conditions. Consent should not be a precondition of signing up to a service;
- Active opt-in. This means no pre-ticked opt-in boxes. An organisation could instead use unticked opt-in boxes or other active methods such as a binary choice;
- Granular. Organisations should give 'granular' options, allowing a data subject to consent separately to different types of processing (where there will be different types of processing) wherever appropriate;
- Named. The organisation should be named, along with any third parties who will be relying on the consent;
- Documented. Organisations should keep records demonstrating what the individual has consented to, including what they were told, and when and how they consented;
- Easy to withdraw. Organisations should tell data subjects that they have the right to withdraw their consent at any time, and how to do it. It should be as easy to withdraw consent as it was to give it.
When is consent required?
Consent is an important, but not the only, lawful ground for processing personal data. Under article 6(1), the other grounds are where the processing is necessary for:
- Fulfilment of a contract with the individual;
- Compliance with a legal obligation;
- Vital interests. You can process personal data if it’s necessary to protect someone’s life;
- An official public function. If you need to process personal data to carry out your official functions or a task in the public interest;
- Legitimate interests. If you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless that reason is outweighed by harm to the individual's rights and interests. Organisations should take special care before relying on this ground. Recital 47 of the GDPR states that "the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place".
If you would like tailored advice as to how your organisation can update its compliance program to account for the new consent requirements, please get in contact with us.