Data is the new oil and the European Union with the new General Data Protection Regulations (“GDPR”) wants to regulate it, come May 2018.
Given the wide territorial scope of GDPR the Regulation applies to the processing of personal data of a person (data subject) who are in the EU, regardless of where the data is processed, ie. in EU or outside of EU. Hence, if an Indian company has data of any person based in EU, then GDPR compliance become applicable and important.
“Consent” is one of the core principles of GDPR. Consent is defined as “means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. The conditions for consent are detailed in Article 7.
- Freely given: There should a genuine choice on the part of the data subject when providing their data and that they should not have been misled, intimidated or negatively impacted by withholding consent. Further, it is clarified that consent is not freely given if the data subject has no genuine and free choice or is unable to refuse or withdraw consent without detriment (Recital 42); and/or there is a clear imbalance between the data subject and the controller (Recital 43). (‘Controller’ means a person/ authority which determine the purposes and means of the processing of personal data).
- Specific: Consent must relate to specific processing operations. Consequently, a general broad consent to unspecified processing operations as they might arise will be invalid. To the extent data processing has multiple purposes; consent to those processing activities should cover all those purposes (Recital 32). Consents should also cover all processing activities carried out for the same purpose or purposes (Recital 32). It would be quite a challenge to identify all the purposes at the time of collecting data. If in the continuum of providing various services, then obtaining consent for all of those services would be required along with an option to opt-in to those services.
Statements such as ‘By agreeing to subscribe to the services being provided, it is assumed that the data subject is allowing the data controller to use the data in any manner that the controller might deem fit’ does not pass the GDPR test.
- Informed: The data subject should be aware at least of the identity of the controller and the intended purposes of the processing, (Recital 42); a right must be provided to withdraw consent, which would be a massive task to work through back-end technology to make this possible. GDPR tries to provide a right to the data subject that withdrawing consent, at any time, should be as easy as giving consent. However, this poses considerable challenge in practice, which means relying on consent is somewhat unreliable. Further information must be given to the data subject to ensure fair and transparent processing.
- Unambiguous or Clear Affirmative Action: A statement or clear affirmative action means that the individual data controller or processor has to make sure that the data subject is given the chance and opportunity to give his consent for the purpose and manner in which his information or the data provided by him will be used. A data controller can only use the data or information collected from the data subject when there is an affirmative action associated with part of the data subject.
Statements such as ‘if you do not indicate a choice or do not provide an explicit consent, we will assume that consent has been granted’ or “by browsing our website, you provide us with the consent to collect, gather and use your information or data for any purposes’ are not ok under GDPR.
Silence, pre-opted (pre-ticked) boxes and inactivity will not constitute consent, since there has to be an active consent (active opt-in).
Consent Fatigue: Every new purpose requires new consent. Multiple purpose requires multiple consent. Every action must have affirmative consent. Consent cannot be considered as default option prior to processing. Think of an IOT scenario, where the data subject could be bombarded with consent requests. Faced with such a situation, the data subject could mindlessly accept any consent request that might come, which makes “consent” a meaningless exercise.
The other situation might be that the Business upfront collects exhaustive consent on all the activities, but the data subject may get tired of ticking those boxes. It is scary for business, because of the friction it causes at the time of gaining new customers and if the data subject does not take the time to tick those boxes.
If the consent statement is broad trying to cover all aspects, then there might be a fear of not being ‘specific’ or ‘ambiguous’.
The question we ask is: Perhaps ‘consent’ alone is not the right framework? Should there be more accountability on the data processors to balance the consent fatigue?
In response to the click fatigue issue, the Article 29 Working Party (WP29) has provided guidance on 28 November 2017 and says “An often-mentioned example to do this in the online context is to obtain consent of Internet users via their browser settings. Such settings should be developed in line with the conditions for valid consent in the GDPR, as for instance that the consent shall be granular for each of the envisaged purposes and that the information to be provided, should name the controllers.”
For Indian businesses having customers in EU, it is a challenge to be met.