
The “consent fallacy” – the first consequences start to appear

Since about 2017, e-mails have been flowing into my inbox announcing updates to privacy statements (under whatever name) and asking for my consent to continue keeping my data, sending me newsletters and so on. The reason is the GDPR, which entered into force in 2018, after a two-year preparatory period. Also, “wherever I go, whatever I do”, I have to sign consent forms. Some of these are justified, but the sheer volume of consent I have to give makes me suspicious. And not by chance: consent is but one of the possible legal bases for processing personal data, and apparently not the soundest one, however safe it seems: if the data subject consents, who can complain? So thought some. Lawyers giving this latter advice were warned as early as March 2019. Let’s jump ahead in time: on 30 July the Hellenic Data Protection Authority fined PwC for processing its employees’ data based on consent, or at least for telling the employees so. A summary of the decision can be found here.
There are some interesting points in the decision: “The principles of lawful, fair and transparent processing of personal data pursuant to Article 5(1)(a) of the GDPR require that consent be used as the legal basis in accordance with Article 6(1) of the GDPR only where the other legal bases do not apply…”. Given that consent is listed first among the possible legal bases, and even though I had already heard that statement on data protection courses, some further explanation is needed of why consent should only be used when no other legal basis is available.
So, what is the problem with consent? Two risks to the controller are obvious: consent can be withdrawn at any time, after which processing has to stop, and, as happened in the PwC case, the controller can be reprimanded for improperly informing the data subject. But beyond these, what is the problem?
A good article listing the problems with the processing of personal data by mobile apps also complains that even the Article 29 Working Party and the 2016 guidelines of the European Data Protection Supervisor, among other materials, concentrated too much on consent, which is problematic in the case of mobile apps anyway.
The real risk, however, is that processing based on consent is not always lawful. Consent must be freely given, and this requires that the controller and the data subject are in a balanced position in terms of power: the data subject should have no reason to suspect that denying consent would bring disadvantages. This is typically not the case in an employer-employee relationship, or where the data are needed to provide a service, since the controller can justifiably claim that without some data it cannot provide the service. Even NGOs can fall into that trap: giving certain data can be a precondition of membership, and not giving these data deprives the person of the possibility to be a member. On the one hand this is clearly an asymmetric situation, while on the other the NGO justifiably requires some data from its members.

The answer is: if the data are needed, then the legal basis should be one of the other possibilities (except for public authorities, the controller can even invoke legitimate interest as a legal basis). This emphasizes the link between two aspects of personal data processing that are often treated separately: the legal basis and the purpose of processing. In my view, these are closely linked. Point (a) of Article 6(1) of the GDPR, which lists consent as a legal basis, states that consent is given “for one or more specific purposes”, thus also emphasizing this link. It is also the purpose which can help establish the legal basis: if the purpose is to fulfil a contract, point (b) is clearly the legal basis (“processing is necessary for the performance of a contract...”), and this point covers the preparation of a contract as well.
An important limitation is in Recital 43 of the GDPR (also concerning contracts, but not only them): “Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.” This means that you cannot tie data you don’t need (but would like to have) to data you do need.
Consent has to be specific: for a certain purpose, as mentioned, but also for certain data only. There are also administrative requirements: withdrawing consent must be as easy as giving it, consent must be acquired before the processing starts, and it must be documented in a way that the fact and the content of the consent can be presented at any time for any user. This requires a serious recording system.
A further interesting clause in the decision is: “…once the initial choice has been made it is impossible to swap to a different legal basis”. If consent is withdrawn, processing has to be stopped and the data erased. So the decision states that when data are necessary (i.e. there is a legal basis other than consent), consent can even do harm.
Here we come to another point of the decision: that the processor infringed the transparency principle by giving improper information to the data subjects: “the company gave employees the false impression that it was processing their personal data under the legal basis of consent, while in reality it was processing their data under a different legal basis about which the employees had never been informed.” This underlines the importance of properly stating the legal basis and also the purpose of processing, which, as mentioned above, must be coherent with each other. By the way, the company was aware of its need to process the data, but had the employees sign a statement about it instead of properly documenting the legal basis used (and providing internal documentation on that choice to the DPA at its request). So in the case of consent, one-by-one documentation of each person’s consent has to be provided, while in the case of other legal bases the documentation cannot be neglected either, but a single documentation of the choice of legal basis is what is needed.
It has to be noted that the fine was 0.35% of the turnover of the company, while the maximum amount for such an infraction could have been 4%.
