The „consent fallacy” – the first consequences start to appear

Since about 2017, e-mails have been flowing into my inbox announcing updates of privacy statements (under whatever name) and asking for my consent to continue keeping my data, sending me newsletters, etc. The reason is the GDPR, which entered into force in 2018 after a two-year preparatory period. Also, “wherever I go, whatever I do”, I have to sign consent forms. Some of these are justified, but the sheer volume of consent I have to give makes me suspicious. And not by chance: consent is only one of the possible legal bases for processing personal data, and apparently not the soundest one, however safe it seems: “if the data subject consents, who can complain?”, some thought. Lawyers giving this latter advice were warned as early as March 2019. Let’s jump forward in time: on 30 July the Hellenic Data Protection Authority fined PWC for processing their employees’ data based on consent, or at least for telling the employees so. The summary of the decision can be found here.
There are some interesting points in the decision: “The principles of lawful, fair and transparent processing of personal data pursuant to Article 5(1)(a) of the GDPR require that consent be used as the legal basis in accordance with Article 6(1) of the GDPR only where the other legal bases do not apply…”. Given that consent is listed first among the possible legal bases, and even though I have already heard that statement on data protection courses, there is a need to explain further why consent should only be used when other legal bases are not available.
So, what is the problem with consent? There are two obvious risks to the controller: consent can be withdrawn at any time, after which processing has to be stopped, and – as happened in the case of PWC – the controller can be reprimanded for giving improper information to the data subject. But apart from these, what is the problem?
A good article listing the problems of processing personal data by mobile apps also complains that even the Article 29 Working Party, the 2016 guidelines of the European Data Protection Supervisor and other materials concentrated too much on consent, which is problematic in the case of mobile apps anyway.
The real risk, however, lies in the fact that processing based on consent is not always lawful. Consent must be freely given, and this requires that the controller and the data subject are in a balanced situation in terms of power: the data subjects should have no reason to suspect that they could suffer disadvantages if they refuse consent. This is typically not the case in an employer-employee relationship, or where the data are needed to provide a service – the controller can justifiably claim that without certain data it cannot provide the service. Even NGOs can fall into that trap: giving certain data can be a precondition of membership, and not giving these data deprives the person of the possibility of becoming a member. On the one hand this is clearly an asymmetric situation; on the other hand the NGO justifiably requires some data from its members.

The answer is: if the data are needed, then the legal basis should be one of the other possibilities (except for public authorities, the controller can even invoke legitimate interest as a legal basis). This emphasizes the link between two aspects of personal data processing that are often treated separately: the legal basis and the purpose of processing. In my view, these are closely linked. Subparagraph (a) of paragraph 1 of Article 6 of the GDPR, listing consent as a legal basis, states that consent is given “for one or more specific purposes”, thus also emphasizing this link. It is also the purpose which can help establish the legal basis: if the purpose is to fulfil a contract, point (b) is clearly the legal basis (“processing is necessary for the performance of a contract...”) – and this subparagraph covers the preparation of a contract as well.
An important limitation is in Recital 43 of the GDPR (also concerning contracts, but not only those): “Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.” This means that you cannot tie data you don’t need (but would like to have) to data you need.
Consent has to be specific – for a certain purpose, as mentioned, but also for certain data only. There are also administrative requirements: withdrawing consent must be as easy as giving it, consent must be obtained before the processing starts, and it must be documented in such a way that the fact and the content of the consent can be presented at any time for any user. This requires a serious recording system.
A further interesting clause in the decision is: “…once the initial choice has been made it is impossible to swap to a different legal basis”. If consent is withdrawn, processing has to be stopped and the data erased. So the decision states that when data are necessary (i.e. there is a legal basis other than consent), consent can even cause harm.
Here we come to another point of the decision: that the processor infringed the transparency principle by giving improper information to the data subjects: “the company gave employees the false impression that it was processing their personal data under the legal basis of consent, while in reality it was processing their data under a different legal basis about which the employees had never been informed.” This underlines the importance of properly stating the legal basis and also the purpose of processing, which, as mentioned above, must be coherent with each other. By the way, the company was aware of its need to process the data, but had the employees sign a statement about it instead of properly documenting the legal basis used (and providing that internal documentation to the DPA on its request regarding the choice of legal basis). So in the case of consent, documentation of each person’s consent has to be provided one by one, while in the case of other legal bases the documentation cannot be neglected either, but a single documentation of the choice of legal basis is what is needed.
It has to be noted that the fine was 0.35% of the turnover of the company, while the maximum amount for such an infraction could have been 4%.
