The ICO has just published draft Advice (the “Advice”) on the use of consent under the General Data Protection Regulation (GDPR). All I can suggest is that readers engage with the consultation over the content of this draft Advice (especially if a data controller relies on data subject consent).
What follows is a set of statements from the 40-page Advice concerning consent under the GDPR, followed by my commentary, which I hope helps your understanding of the issue. This should explain why this Advice requires careful consideration by all data controllers.
“Statements” and commentary
“Doing consent well should put individuals in control”; CP Comment: the data subject being in control means that on the withdrawal of consent, the expectation will be that the processing of the data subject’s personal data will cease. Note that the data controller is NOT in control. If the data subject cannot withdraw consent, then the data controller is likely to require another “Schedule 2” basis to legitimise the processing (i.e. data subject consent is an unreliable basis).
“Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default”. CP Comment: “opt-out” is likely to prove unreliable in the GDPR data subject consent era, so discuss this Advice with your marketing people and consider weaning yourself off any “opt-out” currently used (e.g. aim to switch to “opt-in” by the end of the year).
“Explicit consent requires a very clear and specific statement of consent. Be specific and granular”. The Advice also states the GDPR “requires granular consent for distinct processing operations”. CP Comment: there might be more than one “opt-in” needed for specific processing operations (consent for a disclosure to a third party is separate from the consent for the data controller’s use of personal data; see next comment below). See Recital 42 especially for the detail on this requirement.
“Name any third parties who will rely on the consent”. CP Comment: this includes third parties who use the personal data for their marketing; in practice, I think a general description can also suffice (e.g. “other companies in the XYZ Group”), but this is not what the Advice says. The identification of specific third parties involved in marketing was required by the Tribunal in the Optical Express Decision with respect to automated “robocalls” (see references).
“Make it easy for people to withdraw consent and tell them how. Keep consent under review, and refresh it if anything changes”. CP Comment: information about the data subject's ability to withdraw consent is a requirement of the Right to be Informed (see GDPR Articles 13 and 14). With respect to refreshing consent, the ICO in the Age International & British Red Cross Undertakings required consent to be refreshed every two years (but the draft Advice says nothing about a time limit for consent refreshing).
“Public authorities and employers will find using consent difficult”. CP Comment: this is because data subjects cannot avoid dealing with a specific public authority if they want a public service, whilst employers are in a position of power over employees who might feel they are under an obligation to consent. Justifying criminal records checks is in “difficulty” if it relies on data subject consent. However, the use of consent might be legitimate for public authorities and employers on the fringes (so long as the GDPR requirements are met).
“You must keep clear records to demonstrate consent”. CP Comment: this is an explicit requirement of Article 7 of the GDPR.
“The GDPR specifically bans pre-ticked opt-in boxes”. CP Comment: this obligation is found in Recital 32 and shows that the Advice is influenced by the GDPR Recitals. The importance of this use of the Recitals in interpreting the GDPR must be understood by all readers (see references). Do not consider an Article without reading the related Recitals.
“However, you will need to be confident that your consent requests already met the GDPR standard and that consents are properly documented. You will also need to put in place compliant mechanisms for individuals to withdraw their consent easily”. CP Comment: this comment covers the transition from the current standard of "consent" under the DPA to the GDPR standard of consent; it illustrates why you need to move to an "opt-in" arrangement prior to GDPR implementation next year.
“Private-sector organisations will often be able to consider the ‘legitimate interests’ basis in Article 6(1)(f) if they find it hard to meet the standard for consent and no other specific basis applies. This recognises that you may have good reason to process someone’s personal data without their consent – but you must ensure there is no unwarranted impact on them, and that you are still fair, transparent and accountable”. CP Comment: remember that if the data subject exercises the right to object to the processing in Article 21 with respect to "legitimate interests", then the onus is on the data controller to prove that his “legitimate interest” should prevail over that of the data subject.
“Instead, if you believe the processing is necessary for the service, the better lawful basis for processing is more likely to be that the “processing is necessary for the performance of a contract”. CP Comment: This comment in the Advice is very relevant to private sector bodies who use a construction such as “By signing this contract you consent to …..”. For instance, most of us have signed such a contract with respect to disclosures to credit reference agencies and loans (e.g. whether we do or do not repay a particular monthly instalment). Notice that such disclosures have to be “necessary for the performance of a contract”, and this condition does not require the contract to be between the data controller specifically offering the contract to the data subject.
“Public bodies cannot generally rely on ‘legitimate interests’ under the GDPR, but should be able to consider the ‘public task’ basis in Article 6(1)(e) instead. However, you will need to be able to justify why the processing is necessary to carry out your functions – in essence, that it is proportionate and there is no less intrusive alternative”. CP Comment: Article 6 of the GDPR explicitly excludes the legitimate interest condition for public functions of a public authority controller; it is expected such a controller will use the condition when the processing is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. The use of the word “necessary” links to Article 8(2) of the Human Rights Act that requires any interference is “necessary” (i.e. proportionate and for some pressing social need) and this explains the comments in the Advice. Note that "legitimate interest" can be available for any processing that is “non-public task” etc (e.g. such as employment purposes).
Concluding comment
The Advice raises two big changes that are coming down the GDPR line (i.e. when the processing of personal data is legitimised by data subject consent or by the legitimate interests of the controller). With the former, the data subject can withdraw consent; with the latter, the data controller will be obliged to demonstrate why his “legitimate interest” should prevail.
So when you use the “C” word, make sure you mean that you are aware that you do not have control over the processing of personal data.
Note added after publication: Readers will be interested in the Comments to this blog (click on Comments below).
Other Publicity
Forthcoming Amberhawk courses in March/May
- Next GDPR Workshop: 19 April (London)
- DP Practitioner Course: Starts 28 March (BCS syllabus; London)
- DP Practitioner Course: Starts 8 May (BCS syllabus; Edinburgh)
- FOI Practitioner Course: Starts 18 May (BCS syllabus; London)
UPDATE: we have devoted the next UPDATE day-long session on 3rd April 2017 to the GDPR. We have an impressive array of speakers lined up including from ICO, Hunton & Williams, DMA and Grant Thornton as well as the usual suspects from Amberhawk http://www.amberhawk.com/bookevents.asp
References
“The Recitals are essential to your understanding the General Data Protection Regulation”: http://amberhawk.typepad.com/amberhawk/2016/01/the-recitals-are-essential-to-your-understanding-the-general-data-protection-regulation.html
ICO draft guidance on GDPR consent and consultation document (closes on 31 March): https://ico.org.uk/about-the-ico/consultations/gdpr-consent-guidance/
Optical Express Tribunal: http://informationrights.decisions.tribunals.gov.uk//DBFiles/Decision/i1628/EA-2015-0014_31-08-2015.pdf
The guidance is good in places, such as emphasising that consent might not be the right legal basis, but it also contradicts the law in places and is misleading by using so many marketing examples.
Given e-privacy law applies a more specific layer of rules over GDPR, when it comes to marketing, you will only actually need opt-in consent where you cold call or cold email individuals and where you want to sell / pass on details to a third party.
You will be able to mail people using legitimate interests, contact your own customers electronically using the soft opt-in, and B2B marketing doesn't require consent. So the example of the business card in a fish bowl to win a prize is incorrect in stating that the contact details on the card can't be used for marketing. (Clearly you should be transparent re uses of the data.)
The guidance also uses marketing examples when discussing the need for explicit consent, which as we all know is only required for sensitive data (and is one ground for automated decision making as per art 22). So why use a marketing example?
I urge people to respond to the consultation not only on these points but to provide real-world examples of processing done by businesses on the basis of consent, so they can stop constantly using marketing examples!
Posted by: Emma Butler | 07/03/2017 at 05:10 PM
If you allow personal data (online activity) to be passed to another data controller, (e.g. by embedding third-party sub-resources which access terminal storage) in your website, you already need opt-in consent under the ePD, and there is no exception defined there for a legitimate interest basis.
Posted by: Mike O'Neill | 09/03/2017 at 02:16 PM