In today’s world, there is exponential growth in the dissemination of personal data by the average person. From registering a mobile phone number, applying for a job opportunity, enrolling in a course, or creating a social media account, the sharing of personal data is as inevitable as it is pervasive. The increasing need for data sharing raises concern over whether the data gathered is always used in a proper and lawful manner.
To effectively address this concern, the Data Protection Act, 2019 (the Act) was passed into law. The Act provides for an obligation on the person who determines the purpose and means of processing data (Data Controller) and the person who processes data (Data Processor) to obtain consent from the person to whom the personal data relates (Data Subject) prior to obtaining and processing data.
Definition of Consent
Consent is only considered lawful when the Data Subject is offered a genuine opportunity to accept or decline the terms offered for the processing of his personal data. To that end, section 2 of the Act defines consent as any express, freely given, specific, informed indication by a Data Subject that he or she wishes for their personal data to be processed in a certain manner.
That express agreement may be given by a statement or a clear affirmative action. This definition brings out four elements of consent:
The Data Subject should be given a genuine choice and control over the use of their data. This is actioned by allowing them to refuse the consent without any detriment and being able to withdraw their consent easily once consent has already been given. Further, consent should not be bundled up as a condition of service unless it is necessary for that service, otherwise it will not be deemed as freely given. Any undue influence and pressure put upon the Data Subject to provide his or her consent invalidates the consent.
There must not be any room for doubt as to whether the Data Subject was sufficiently informed. The request for consent should be separate from other terms and conditions, communicated clearly, simply and in plain language.
Consents should be reviewed and refreshed as necessary where purposes or processing activities evolve. Informed consent also covers the issue of capacity, where it is assumed that adults have the capacity to consent unless there is reason to believe the contrary.
The Data Subject must be informed of all circumstances surrounding the data processing including which data is to be processed, the duration, manner and specific purposes of processing, as well as its consequences. They must also know who is processing the data, whether the data will be transferred to third parties, the consequences of refusing consent, as well as whether consenting to the data processing is a condition for concluding the contract.
To ensure that specific and informed consent has been obtained, the Data Controllers and Data Processors should provide the following information as a bare minimum:
- The name of the Data Controller, Data Processor and each of the third parties who will rely on the consent
- The purposes of processing the data. Separate consents should be obtained for each processing purpose as the notion of ‘evolving consent’ does not exist
- Separate consents should be obtained for each processing activity unless those activities are clearly interdependent
- Details of the right to withdraw consent at any time
Express consent refers to a clear oral or written statement confirming the granting of consent.
Where consent has been obtained orally, a record of the script should be kept. In no circumstance would an implied consent inferred through actions be deemed to be express, even if the said actions are apparent enough to satisfy the basic definition of consent. The same must be confirmed in words.
A clear affirmative action is an obvious indication that a Data Subject has consented to their personal data being processed, and to the manner in which it is processed. However, the United Kingdom’s Information Commissioner’s Office has published guidance on consent confirming that affirmative action still leaves room for implied methods of consent. The guidance gives the example of an individual dropping a business card into a prize draw box at a coffee shop. Though implied, this is a clear indication that the Data Subject agrees to their personal data being processed solely for the purposes of the prize draw.
Nevertheless, affirmative action is required to establish consent and it can be achieved by a deliberate and specific action agreeing or “opting-in” to processing. This could include signing a consent statement, selecting from equally prominent yes/no options, responding to an email requesting consent or ticking a box on paper or electronically.
Silence or a failure to “opt out” is not consent, as it does not involve clear affirmative action.
The Court of Justice of the European Union (the CJEU) recently delivered judgment in Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV v Planet49 [2020] 1 WLR 2248, a case which provided further clarity on the validity of consent where a Data Subject failed to opt out. The case was brought to the CJEU against Planet49, an online gaming company that hosted a promotional lottery on its website. The website had consent checkboxes for the use of personal data. Among the checkboxes provided was one, pre-ticked, to obtain consent for the use of web analytics cookies for the purpose of serving targeted ads to the Data Subject. The issue for determination was whether a pre-ticked checkbox constituted valid consent.
In its Judgment, the CJEU held that there was no valid consent for the following reasons:
- access to information already stored in the data subject’s terminal equipment was permitted by way of a pre-ticked checkbox
- the data subject needed to deselect to refuse his consent which does not show active behaviour on the part of the data subject
- the consent was not given separately but at the same time as confirmation of participation in the online lottery
The CJEU also considered whether the consent was specific and informed and noted that the duration of the operation of cookies and whether or not third parties may have access to those cookies must be provided.
Conditions for Consent
It ought to be borne in mind that a Data Controller or Data Processor bears the burden of proving that they obtained a Data Subject’s consent for the use of their personal data for a specified purpose.
Further, the Data Subject has the right to withdraw his or her consent at any time. Such withdrawal shall not affect the lawfulness of processing based on prior consent before his or her withdrawal.
In determining whether consent was freely given, regard will be had to whether the performance of a contract or the provision of a service was made conditional on the consent and, further, whether the consent was truly necessary for the performance of that contract or service.
It is noteworthy that a Data Controller and a Data Processor should be consistent in the lawful basis they rely on for a given processing activity. For example, when the validity of the consent obtained is being investigated, they cannot retrospectively rely on another, more favourable lawful basis envisaged in section 30 of the Act to justify the processing of the data.
In addition, obtaining consent does not diminish the Data Controller’s or Data Processor’s obligations to observe the principles of processing data with regard to fairness, necessity and data quality. It is therefore important for Data Processors and Data Controllers to determine the most appropriate legal ground for processing personal data prior to obtaining the said data.
Consent by Children
Section 33 of the Act provides that a Data Controller or Data Processor shall incorporate appropriate mechanisms for age verification and only process data relating to a child where consent is given by the child’s parent or legal guardian.
Recording and Managing Consent
Records of consent should be kept and retained for as long as the data is being processed based on the consent, so that compliance with the accountability obligations under the Act is demonstrated.
Records can include who consented, what they consented to, what they were told at the time, how they consented and whether consent has been withdrawn. In the event the consent has been withdrawn, the retention of personal data shall be permitted if it is strictly necessary for putting forward or defending a legal claim in accordance with the Act.
Additionally, consents should be kept under review. As stated above, evolving consents do not exist, and as such Data Processors and Data Controllers are expected to refresh consents at appropriate intervals as the purpose or processing activity evolves or changes.
In closing, we reiterate that it is crucial for Data Controllers and Data Processors to review and update their internal processes for obtaining, storing and using personal data, as the Act has placed an enormous burden on them to prove the legality of those processes, especially with regard to the validity of consent. In this regard, the office of the Data Commissioner has issued a guidance note on the subject, which should be referred to when navigating the issue of consent under the Act.