July 24, 2024
What are GDPR’s rules on consent?
How do you get consent? How do you track consent? And, how is consent revoked? All of these questions and more are explored in this resource.

GDPR defines consent in Article 4(11) and sets out strict conditions for establishing that valid consent has been given in Article 7. In this article, we will go over the main principles.

Consent must be clear

Your request for consent should be clear, unambiguous and set out in plain language. It should be clearly distinguished from other matters, and data subjects should be given a separate opportunity to consent or refuse consent rather than it being, for example, buried as a clause in a contract. Where appropriate, separate consent should be requested for different processing operations (such as where they are for notably different purposes).

Ticking a box, choosing a setting or clearly indicating consent through a statement or conduct counts as a clear affirmative act. However, pre-ticked boxes, silence or inactivity cannot be taken as consent.

Consent must be informed

In order for consent to be informed, you must at the time of obtaining consent make sure that data subjects know at least the identity of the data controller (including any third-party data controllers) and the purpose(s) for which the data will be processed (e.g. sending marketing emails or undertaking market research).

Note that there is a general requirement to provide a broader range of information to data subjects when their data is collected or otherwise received, which applies whether or not you are relying on the consent ground. The items above are the ones specifically linked in the text of GDPR to consent being informed. We will look at the broader requirements in the next article.

Data subjects must also be told of their right to withdraw consent (see below).

Consent must be freely given

Consent is unlikely to be seen as freely given where there is a significant power imbalance between the parties. GDPR specifically suggests that there is likely to be such an imbalance between individuals and public authorities. Similarly, an employee's consent to their employer processing their data is unlikely to be considered freely given. As a result, it will be better for HR data to be processed under a different lawful ground.

More generally, consent will not be free if the data subject is unable to refuse or withdraw consent without suffering detriment. This would appear to rule out, for example, incentive schemes for giving consent.

GDPR makes clear (in Article 7(4)) that consent is presumed not to be freely given if performance of a contract is made conditional on consent to processing that is not actually necessary for that contract. The practical consequence is that where collecting and processing customers' personal data really is necessary (whether to perform the contract or for your other operations), it will be better to operate under a different lawful ground rather than bundle consent into the contract.

Consent must be recorded

As with most measures under GDPR, you will need to record the steps you have taken and be able to demonstrate compliance: the burden of showing that consent was given is on you as controller. In practice, this means keeping with your client records exactly what consent was given, by whom, when, how (which box was ticked or which statement was made), for which purpose, and which version of the information notice the data subject saw at the time. It also means that you should be very wary of obtaining consent entirely verbally; instead, make sure that it is backed up in writing.

Consent for children

In Article 8, there are specific requirements for consent to be valid where an online service is offered directly to a child under 16 years old (although EU member states may legislate to lower that age, but not below 13). In these cases, consent must be given or authorized by the holder of parental responsibility over the child.

It is your responsibility to make "reasonable efforts" to verify that this has happened, taking into consideration the available technology. You will need to think about which children might use your services and decide the most appropriate way to ensure that they get parental permission before their consent is accepted.

Withdrawing consent

Data subjects have a right to withdraw their consent at any time. They should be informed of this right before giving consent, and the withdrawal should be as easy as giving consent.

It is worth giving some thought to what you will need to do if consent is withdrawn. You will need to make a clear note on your client records and bring to a halt any processing that relies on that consent. Withdrawal does not retroactively affect the lawfulness of processing carried out before it (Article 7(3)), so your records should show what consent applied at any given time, not just the current state.
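The sections on recording consent and on withdrawing it describe the same bookkeeping problem: an auditable record of what each data subject agreed to, per purpose, that refuses to treat a pre-ticked box or inactivity as consent, and that can both halt processing after a withdrawal and show what applied at an earlier date. The following is an added illustration in Python and is not code from the original page or from TrueVault; the subject IDs, purpose names, notice version, controller name and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

# Ways of signalling consent that count as a clear affirmative act (hypothetical
# labels). A pre-ticked box, silence or inactivity is deliberately absent:
# the ledger refuses to record any of those as consent.
AFFIRMATIVE_ACTS = frozenset(
    {"checkbox_ticked", "button_clicked", "setting_chosen", "signed_statement"}
)


@dataclass(frozen=True)
class ConsentEvent:
    """One entry in the audit trail; entries are appended, never edited."""
    subject_id: str
    purpose: str          # one event per purpose keeps consent granular
    action: str           # "given" or "withdrawn"
    method: str           # how the signal (or the withdrawal) was captured
    notice_version: str   # the information text shown when consent was sought
    controller: str       # the controller the subject was told about
    at: datetime          # UTC timestamp of the event


class ConsentLedger:
    """Append-only record of consent given and withdrawn, per subject and purpose."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_given(self, subject_id: str, purpose: str, method: str,
                     notice_version: str, controller: str,
                     at: Optional[datetime] = None) -> ConsentEvent:
        if method not in AFFIRMATIVE_ACTS:
            raise ValueError(f"{method!r} is not a clear affirmative act")
        return self._append(subject_id, purpose, "given", method,
                            notice_version, controller, at)

    def record_withdrawn(self, subject_id: str, purpose: str, method: str,
                         at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal must be as easy as giving consent, so no channel is rejected.
        prior = self._latest(subject_id, purpose)
        notice = prior.notice_version if prior else "n/a"
        controller = prior.controller if prior else "n/a"
        return self._append(subject_id, purpose, "withdrawn", method,
                            notice, controller, at)

    def is_consented(self, subject_id: str, purpose: str,
                     at: Optional[datetime] = None) -> bool:
        """Consent status now, or as it stood at an earlier moment `at`."""
        latest = self._latest(subject_id, purpose, at)
        return latest is not None and latest.action == "given"

    def history(self, subject_id: str) -> List[ConsentEvent]:
        return [e for e in self._events if e.subject_id == subject_id]

    def _append(self, subject_id, purpose, action, method,
                notice_version, controller, at) -> ConsentEvent:
        event = ConsentEvent(subject_id, purpose, action, method, notice_version,
                             controller, at or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def _latest(self, subject_id, purpose, at=None) -> Optional[ConsentEvent]:
        best = None
        for e in self._events:
            if e.subject_id != subject_id or e.purpose != purpose:
                continue
            if at is not None and e.at > at:
                continue
            if best is None or e.at >= best.at:   # later event wins on ties
                best = e
        return best


def process_if_consented(ledger: ConsentLedger, subject_id: str, purpose: str,
                         operation: Callable[[], str]) -> Optional[str]:
    """Gate a processing step on current consent; return None if it must halt."""
    if not ledger.is_consented(subject_id, purpose):
        return None
    return operation()


def demo() -> dict:
    t0 = datetime(2024, 7, 24, 9, 0, tzinfo=timezone.utc)   # constructed
    ledger = ConsentLedger()
    # Separate opt-ins for two distinct purposes, each against notice v3.
    ledger.record_given("subj-42", "marketing_email", "checkbox_ticked",
                        "privacy-notice-v3", "Example Ltd", t0)
    ledger.record_given("subj-42", "market_research", "checkbox_ticked",
                        "privacy-notice-v3", "Example Ltd", t0)
    # A pre-ticked box is not consent and is refused by the ledger.
    try:
        ledger.record_given("subj-43", "marketing_email", "pre_ticked_box",
                            "privacy-notice-v3", "Example Ltd", t0)
        pre_ticked_rejected = False
    except ValueError:
        pre_ticked_rejected = True
    # Ten days later the subject withdraws marketing consent via an unsubscribe link.
    ledger.record_withdrawn("subj-42", "marketing_email", "unsubscribe_link",
                            t0 + timedelta(days=10))
    return {
        "pre_ticked_rejected": pre_ticked_rejected,
        "marketing_now": ledger.is_consented("subj-42", "marketing_email"),
        "marketing_day_1": ledger.is_consented("subj-42", "marketing_email",
                                               t0 + timedelta(days=1)),
        "research_now": ledger.is_consented("subj-42", "market_research"),
        "marketing_result": process_if_consented(
            ledger, "subj-42", "marketing_email", lambda: "email sent"),
        "research_result": process_if_consented(
            ledger, "subj-42", "market_research", lambda: "survey sent"),
        "audit_entries": len(ledger.history("subj-42")),
    }
```

The ledger is append-only on purpose: a withdrawal is a new event, not a deletion, so `is_consented(..., at=...)` can still show that the marketing email sent on day 1 was covered by consent at the time even though the same subject has no marketing consent today. Each event also carries the notice version and controller name, which is what you would need to demonstrate that the consent was informed.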

“Explicit” consent

There are three situations in which GDPR states that consent must be "explicit" in order to justify processing. Two were mentioned in the previous article: processing of special categories of data (Article 9(2)(a)) and processing that involves solely automated decision-making with legal or similarly significant effects (Article 22(2)(c)). The third is a transfer of personal data to a third country or to an international organization where no adequacy decision or appropriate safeguards apply (Article 49(1)(a)); in that case the data subject must also be informed of the possible risks of the transfer.

It is unclear how far this goes beyond the normal consent requirements. What is clear is that the requirement to spell out what you will do with the data, and to make clear that it is a free choice, is heightened in these cases. The general recommendation is to obtain this kind of consent in writing, a signed statement being the most obvious form, although GDPR itself does not prescribe a handwritten signature.

If the requirements for consent appear onerous, always remember that the other lawful grounds are available instead. For some business models, you may not need to rely on consent at all.


Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
