When it comes to matters related to privacy, one of the most important factors to be considered is consent. An issue only crops up when an individual’s personal data is breached without his/her consent.
Because consent is so integral to privacy, GDPR has incorporated as one of its principles the principle of consent. As per the definition, consent is as follows-
“consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
The above definition clearly indicates that the consent must be free from any kind of coercion and undue influence. It should be very precise and accurate along with the consent having been given after the data subject has been made aware about the subject matter for which the consent is being given. The consent should not be a mere expression of the data subject’s wishes but it should also be demonstrated adequately by way of a statement or a clear action.
Hence, we can say that consent should be free, clear and demonstrable.
Article 7 talks about the conditions for consent which are as follows-
- “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
- If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
- The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
- When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
Broadly, the conditions of consent are as follows:
- Demonstrable:
The consent that has been given by the data subject must be demonstrable such as signing a declaration, ticking an electronic statement or by an oral statement. The consent given should be for all the processing activities related to the same purpose.
- Clear language:
The request for consent should be presented in very simple language. This is especially important when the data subject’s consent is part of a statement which also pertains to matters other than consent. If the request for consent is not presented in simple language then it shall be constituted as infringement of the GDPR.
- Right to withdraw consent:
The data subject can withdraw consent at any time. The data subject need not give any explanations or reasons for the withdrawal. An example of this would be the newsletters or email notifications that we receive on email. There is always an option to unsubscribe from it. In most of the cases, no log in or form filling is needed at the time of unsubscribing.
In simpler words, withdrawal of consent must be simple and hassle free.
- What determines free consent:
Free consent is when the fulfillment of the service is not dependent on giving of consent for processing personal data which is not related to the fulfillment of that service. For instance, if we are checking out from an online store the website may ask us to consent to sharing our information with third parties as a part of the checkout process. Here, sharing our personal information with third parties is not necessary for the sale to be completed and hence, this shall not be considered free consent. (This is a very simplistic explanation and in real life scenarios, this too can be defended)
The above makes it very clear that not just consent, but free, valid and clearly demonstrable consent shall be taken into account while dealing with matters related to privacy.
References:
-GDPR Articles Commentary with EU Case Laws by Adv. Prashant Mali