In order to be able to process personal data, a legal basis is required. One of the legal bases is the consent of the data subject (the person whose personal data are being processed).
This part of the GDPR-Series explains the requirements that the consent of the data subject must meet under the forthcoming General Data Protection Regulation (‘GDPR’) and how those requirements differ from the Dutch Personal Data Protection Act (‘Wbp’).
Under the Wbp, consent was defined as follows: any free, specific and informed expression of will by which the data subject accepts that personal data relating to him or her will be processed.
The GDPR imposes stricter requirements on consent than the Wbp. Under the GDPR, consent is defined as follows: any free, specific, informed and unambiguous expression of will by which the data subject, by means of a statement or a clear affirmative action, accepts the processing of personal data concerning him or her.
As of 25 May 2018, consent must therefore be apparent not only from a free, specific and informed expression of will, but also from an unambiguous one.
The data subject must be able to express his or her will freely. This means that the data subject must have a real choice and control. This is not the case if the data subject feels compelled to give consent or if the data subject will suffer as a result of not giving consent. This is the case, for example, if the use of an app is made subject to the condition that consent is given to the processing of location data, while these location data are not necessary for the functioning of the app at all.
In the draft version of their guidelines (‘draft policy rules’), the European regulators stress that it is generally difficult for public authorities to obtain freely given consent from the data subject, because of the imbalance of power that exists between them. However, a public school can obtain freely given consent from pupils to use their photographs for, for example, leaflets or banners, as long as pupils are not denied access to education if they do not consent to the processing.
The data subject’s consent must be specific. It must be clear and comprehensible to the data subject which processing operations, which data, by which controller(s), for which purpose(s) and, if applicable, to which third party(ies) personal data will be disclosed.
The data subject should be informed about the processing in an understandable and accessible way before consent is given. In doing so, the controller should take the data subject’s perspective into account. Only then can the data subject take an informed decision, understand what is being consented to and, where appropriate, exercise the right to withdraw consent at a later point in time.
The controller should use clear and simple language and make the information available in a clear and accessible manner in writing, orally or digitally. The European supervisory authorities have indicated in the draft policy rules that the information in question should not be hidden in general conditions. It is not yet clear whether this means that the information in question may be included in general terms and conditions, provided it is sufficiently prominent and distinguishable from other information.
Under the Wbp, the data subject may give tacit or implicit consent. The question is to what extent this remains possible under the GDPR. Under the GDPR, the behaviour of the data subject must show unequivocally that he or she consents to the processing. To this end, the data subject must give a written or oral statement or clearly take an affirmative action.
This means that, as of 25 May 2018, the controller will no longer be allowed to use pre-ticked boxes and other so-called opt-out constructions, which require the data subject to intervene in order to prevent consent from being given. Opt-in constructions, on the other hand, are allowed, such as ticking or clicking a box or swiping across a telephone screen. However, in the draft policy rules the European supervisors warn of the ‘click fatigue’ that may eventually arise in a digital context, as a result of which the warning effect of opt-in constructions decreases and consent requests are no longer actually read by the data subject.
In the draft policy rules, the European regulators have also noted that accepting an agreement or general terms and conditions, or merely scrolling through general terms and conditions, does not count as a clear affirmative action by the data subject.
Both the Wbp and the GDPR impose stricter requirements on consent for the processing of special personal data than on the processing of ‘normal’ personal data. In addition to the above requirements, the consent of the data subject must also be explicit.
Explicit consent is given by an express confirmation of consent in the form of a direct statement. A direct statement can be given in writing, electronically or orally. Think of filling in a form, sending an e-mail or uploading a scanned document containing a statement along the lines of “I give permission to …”. Clicking a box or button next to wording such as “By ticking this box, you give permission to …” is also considered a direct statement.
Where possible, the controller should have the data subject sign a direct statement, in order to eliminate any future doubt or lack of evidence regarding (the demonstration of) consent. An oral statement, by contrast, can cause difficulties for the controller if he has to prove that all other requirements for consent have been met.
Both the Wbp and the GDPR contain specific rules regarding the consent of vulnerable groups, such as children. The GDPR stipulates that for children under the age of 16, consent for information society services, such as social media, online games and webshops, must be obtained from the child’s legal representative. The GDPR does leave Member States some room to lower the age limit to 13 years. Under the Wbp the age limit was already 16 years, however, and the Dutch legislator has seen no reason to lower it under the GDPR.
Under the GDPR, the controller must be able to demonstrate to the national supervisory authority – in the Netherlands the Personal Data Authority (Autoriteit Persoonsgegevens) – that the data subject has given consent to the processing. The GDPR leaves the controller free to use a method that fits in with his daily practice, insofar as the method itself does not lead to excessive amounts of additional processing.
Withdrawal of consent
Once consent has been given, it can always be withdrawn by the data subject. Under the GDPR, withdrawing consent must be as easy for the data subject as giving it, and may not have any adverse consequences, such as having to pay a withdrawal fee.
As soon as consent is withdrawn, personal data may no longer be processed on that basis. Withdrawal of consent does not affect the lawfulness of processing that took place on the basis of consent before its withdrawal.