Dr. Judith Nink works as the Data Protection Officer and Head of the Advocacy & Industry Relations Department at eyeo. She explains why consent is not always a savior and why GDPR hasn’t changed a lot in terms of legal permissions.
May 25, 2018 was the date when the General Data Protection Regulation (GDPR) finally became applicable. It had already been effective for two years prior to May 25, 2018.
These days, I am used to receiving a dozen requests and messages from a variety of people regarding GDPR. One of the false but very consistent claims has been: “It is all about consent.” 1
Even if most publications only use the sentence as a catchy (sub)headline, the idea behind it is exactly what stuck in non-privacy expert readers’ minds: “I won’t be able to process any personal data without explicit consent anymore.” And that is utter nonsense. Actually, GDPR hasn’t changed a lot in terms of legal permissions to process personal data compared to the ePrivacy Directive of 1995 and its implementations into local Member State laws. Both the ePrivacy Directive and the GDPR provide consent as one of many options for legal permission to process personal data. Permissions are, but not limited to, as stipulated in GDPR Art. 6 (1) b-f and GDPR 9 (2) b-j or in local member state laws, e.g. personal data processing is necessary for the performance of a contract or of legitimate interest. Even collective agreements can serve as a permission, GDPR Art. 88 (1).
Imagine if a company would only be entitled to store communication data, such as business emails, created by employees for work purposes if the respective employee explicitly agreed in advance. And even if the employees agree, they can always withdraw their consent, GDPR Art. 7(3), meaning the company would have to stop storing work related communication data.
The beauty about consent is that the company can, at least in theory, structure any kind of data processing by a consent. A statutory legal permission on the contrary is limited to the scope as stipulated in the respective law. But as the communication data example above shows, relying on consent is not always a wise choice and has some disadvantages. Consent is only possible under very strict conditions as laid out in GDPR Art. 7. Such conditions are:
Relying on consent requires quite some effort on drafting the declaration correctly, creating a situation where the data subject can declare it freely and a lot of documentation to demonstrate consent has been given (or has been withdrawn). In addition, the right to withdraw consent at any time with future effect makes it risky to rely on consent no matter the type of data processing.
To make it even more complicated, when a data subject withdraws their consent, the company must stop data processing.
But even if there is a statutory legal permission applicable allowing to process the respective data, it can’t replace the withdrawn consent as the EDPB2 states in its consent guideline: “Sending out the message that data will be processed on the basis of consent, while actually some other lawful basis is relied on, would be fundamentally unfair to individuals.” the EDPB3 states in its consent guideline4.
In contrast, most of the statutory legal permissions do not allow the data subject to object to data processing5. This provides a company with the security to be able to rely on such data processing structuring in the long run. Other problems of consent are the voluntariness in employment relationships, or making the provision of a consent a condition for providing a service. These topics, as well as the alternatives to consent-driven data collection and differences between consent and statutory legal permissions, will be elaborated on in the next part of this column.
1 See also https://www.isico-datenschutz.de/en/gdpr-myths/, No. 8.
2 European Data Protection Board.
3 European Data Protection Board.
4 EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, May 4, 2020, Recital 122, available at: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202….
5 An important exception is GDPR Art. 6(1) f: data processing based on legitimate interest.