Since about 2017, e-mails have been flowing into my inbox announcing updates of privacy
statements (under any name) and also asking for my consent to continue keeping
my data, sending me newsletters etc. – the reason is the GDPR, which entered
into force in 2018, after a two-year preparatory period. Also, “wherever I go,
whatever I do”, I have to sign consent forms. Some of these are justified, but
the sheer volume of consent I have to give makes me suspicious. And not by
chance: consent is but one of the possible legal bases for processing personal
data, and apparently not the soundest one, however sure it seems to be: if the
data subject consents, who can complain? – thought some. Lawyers giving this
latter advice were warned as early as March 2019. Let’s jump forward in time: on 30 July the Hellenic Data Protection
Authority fined PWC for
processing their employees’ data based on consent, or at least for telling the
employees so. The summary of the decision can be found here.
There are some interesting points in the decision: “The principles of lawful, fair and transparent processing of personal data pursuant to Article 5(1)(a) of the GDPR require that consent be used as the legal basis in accordance with Article 6(1) of the GDPR only where the other legal bases do not apply…”. Given that consent is listed first among the possible legal bases, and in spite of having heard that statement already on data protection courses, there is a need for further explanation of why consent should only be used when other legal bases are not available.
So, what is the problem with consent? There are two obvious risks to the controller: consent can be withdrawn at any time, and then processing has to be stopped; and – as happened in the case of PWC – the controller can be reprimanded for giving improper information to the data subject. But apart from these, what is the problem?
A good article listing the problems of processing personal data in mobile apps also complains that even the Article 29 Working Party, the 2016 guidelines by the European Data Protection Supervisor and other materials concentrated too much on consent, which is problematic in the case of mobile apps anyway.
The real risk, however, lies in the fact that processing based on consent is not always lawful. Consent must be freely given, and this requires that the controller and the data subject are in a balanced situation in terms of power; the data subjects should have no reason to suspect that they may suffer disadvantages if they deny consent. This is typically not the case in an employer-employee relationship, or if the data are needed to provide a service – the controller can justifiably claim that without some data it cannot provide the service. Even NGOs can fall into that trap: giving certain data can be a precondition of membership – and not giving these data deprives the person of the possibility to be a member. On the one hand this is clearly an asymmetric situation; on the other, the NGO justifiably requires some data from its members.
The answer is: if the data are needed – and, except for public
authorities, the controller can even invoke legitimate interest as a legal basis
– then the legal basis should be one of the other possibilities. This emphasizes
the link between two aspects of personal data processing that are often treated
separately: the legal basis and the purpose of processing. In my view, these
are closely linked. Subparagraph (a) of paragraph 1 of Article 6 of the GDPR,
listing consent as a legal basis, states that consent is given “for one or more
specific purposes”, thus also emphasizing this link. It is also the purpose
which can help establish the legal basis: if the purpose is to fulfil a
contract, point (b) is clearly the legal basis (“processing is necessary for
the performance of a contract...”) – and this subparagraph covers the preparation
of a contract as well.
An important limitation is in Recital 43 of the GDPR (also
concerning contracts, but not only that): “Consent is presumed not to be freely
given if it does not allow separate consent to be given to different personal
data processing operations despite it being appropriate in the individual case,
or if the performance of a contract, including the provision of a service, is
dependent on the consent despite such consent not being necessary for such
performance.” This means that you cannot tie data you don’t need (but would
like to have) to data you need.
Consent has to be specific – for a certain purpose, as
mentioned, but also for certain data only. There are also administrative
requirements: withdrawing consent must be as easy as giving it, consent must be
acquired before the processing starts, and it must be documented in a way that the fact and
the content of the consent can be presented at any time for any user. This
requires a serious recording system.
A further
interesting clause in the decision is: “…once the initial choice has
been made it is impossible to swap to a different legal basis”. If consent is
withdrawn, processing has to be stopped and the data erased. So the decision states
that when data are necessary (i.e. there is a legal basis other than consent),
consent can even do harm.
Here we come to another point of the decision: that the
processor infringed the transparency principle by giving improper information
to the data subjects: “the company gave employees the false impression that it
was processing their personal data under the legal basis of consent, while in
reality it was processing their data under a different legal basis about which
the employees had never been informed.” This underlines the importance of
properly stating the legal basis and also the purpose of processing, which, as
mentioned above, must be coherent with each other. By the way, the company was
aware of its need to process the data, but had the employees sign a statement
about it instead of properly documenting the legal basis used (and providing internal documentation
on the choice of that legal basis to the DPA on its request). So in
the case of consent, one-by-one documentation of each person’s consent has to
be provided, while in the case of other legal bases the documentation cannot
be neglected either, but a single documentation of the choice of legal basis is what
is needed.
It has to be noted that the fine was 0.35% of the company’s turnover,
while the maximum amount for such an infraction could have been 4%.