Dr. Judith Nink works as the Data Protection Officer and Head of the Advocacy & Industry Relations Department at eyeo. She explains why consent is not always a savior and why GDPR hasn’t changed a lot in terms of legal permissions.
May 25, 2018 was the date on which the General Data Protection Regulation (GDPR) finally became applicable. It had already been in force for two years before that date.
These days, I am used to receiving a dozen requests and messages from a variety of people regarding GDPR. One of the most persistent, and false, claims has been: “It is all about consent.” 1
It’s not all about consent!
Even if most publications only use the sentence as a catchy (sub)headline, the idea behind it is exactly what sticks in the minds of readers who are not privacy experts: “I won’t be able to process any personal data without explicit consent anymore.” And that is utter nonsense. Actually, GDPR hasn’t changed a lot in terms of legal permissions to process personal data compared to the ePrivacy Directive of 1995 and its implementations in local Member State laws. Both the ePrivacy Directive and the GDPR provide consent as one of many options for legal permission to process personal data. Permissions include, but are not limited to, those stipulated in GDPR Art. 6(1)(b)-(f) and GDPR Art. 9(2)(b)-(j) or in local Member State laws, e.g. where the processing of personal data is necessary for the performance of a contract or for a legitimate interest. Even collective agreements can serve as a permission, GDPR Art. 88(1).
Imagine if a company were only entitled to store communication data, such as business emails, created by employees for work purposes if the respective employee had explicitly agreed in advance. And even if the employees agree, they can always withdraw their consent, GDPR Art. 7(3), meaning the company would have to stop storing work-related communication data.
Consent: not always the best option
The beauty of consent is that the company can, at least in theory, structure any kind of data processing by consent. A statutory legal permission, by contrast, is limited to the scope stipulated in the respective law. But as the communication data example above shows, relying on consent is not always a wise choice and has some disadvantages. Consent is only possible under the very strict conditions laid out in GDPR Art. 7. Such conditions are:
- Consent is freely given.
- Consent must be informed. If requested in connection with other declarations, it shall be:
  - Presented in a manner which is clearly distinguishable from the other matters.
  - In an intelligible and easily accessible form, using clear and plain language.
- The data subject shall have the right to withdraw their consent at any time:
  - Information about this right shall be part of the declaration of consent.
  - Withdrawal must be as easy as giving consent.
- The company requesting consent must be able to demonstrate that it was actually declared.
Relying on consent requires considerable effort in drafting the declaration correctly, creating a situation in which the data subject can declare it freely, and a lot of documentation to demonstrate that consent has been given (or has been withdrawn). In addition, the right to withdraw consent at any time with future effect makes it risky to rely on consent, no matter the type of data processing.
To make it even more complicated, when a data subject withdraws their consent, the company must stop data processing.
But even if a statutory legal permission applies that would allow the respective data to be processed, it can’t replace the withdrawn consent. As the EDPB2 states in its consent guideline4: “Sending out the message that data will be processed on the basis of consent, while actually some other lawful basis is relied on, would be fundamentally unfair to individuals.”
In contrast, most statutory legal permissions do not allow the data subject to object to data processing5. This gives a company the security of being able to rely on such a data processing structure in the long run. Other problems of consent are its voluntariness in employment relationships, or making the provision of consent a condition for providing a service. These topics, as well as the alternatives to consent-driven data collection and the differences between consent and statutory legal permissions, will be elaborated on in the next part of this column.
Resources:
1 See also https://www.isico-datenschutz.de/en/gdpr-myths/, No. 8.
2 European Data Protection Board.
4 EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, May 4, 2020, Recital 122, available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202….
5 An important exception is GDPR Art. 6(1) f: data processing based on legitimate interest.