By Mark Young, Joseph Jones and Ruth Scoles Mitchell
The Article 29 Working Party (WP29) has published long-awaited draft guidance on transparency and consent. We are continuing to analyze the lengthy guidance documents, but wanted to highlight some immediate reactions and aspects of the guidance that we think will be of interest to clients and other readers of InsidePrivacy. The draft guidance is open for consultation until 23 January 2018.
- Updating existing notices. The guidance is clear that if processing already is underway, “a data controller should ensure that it is compliant with its transparency obligations as of 25 May 2018.” In other words, notices need to be updated to include all of the information set out in Articles 13 and 14.
- Content of notices. A schedule in the guidance sets out all of the required information (under Articles 13 and 14) and WP29’s corresponding comments, such as: notices preferably should include different means to communicate with the controller; notices should specify the “relevant” legal bases; and categories of recipients should be as specific as possible (and the default should be to “provide information on the actual (named) recipients”).
- Clear language. The guidance emphasizes the need to use clear language, and states that expressions such as the following are not sufficiently clear: “‘We may use your personal data to develop new services’ (as it is unclear what the services are or how the data will help develop them); ‘We may use your personal data for research purposes’ (as it is unclear what kind of research this refers to); and ‘We may use your personal data to offer personalised services’ (as it is unclear what the personalisation entails).”
- Website notices. The guidance includes some specific pointers on providing notice on websites and in other online contexts, and making sure that notices are easily accessible. In relation to websites, for example, it states, “Positioning or colour schemes that make a text or link less noticeable, or hard to find on a webpage, are not considered easily accessible.”
- App notices. The guidance acknowledges that it can be difficult to provide notice but that users should not have to go searching for it. In the app context, it states that, “once the app is installed, the information should never be more than ‘two taps away’. Generally speaking, this means that the menu functionality often used in apps should always include a ‘Privacy’/ ‘Data Protection’ option.”
- Notices to children. Language should be tailored to the audience. When processing children’s data, the language should be age-appropriate. The guidance notes that, “A useful example of child-centred language used as an alternative to the original legal language can be found in the ‘UN Convention on the Rights of the Child in Child Friendly Language’.”
- Means of providing notice. Providing information in writing is the default method, and the guidance refers to various options, including layered privacy statements/ notices, “just-in-time” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Additional “means” include “videos and smartphone or IoT voice alerts . . . , cartoons, infographics or flowcharts” (see WP29 Opinion 8/2014 on Recent Developments in the Internet of Things). The guidance goes on to set out recommendations for each of these methods of providing information, including for providing notice orally and in-person.
- Icons. The guidance clarifies that icons should not replace all of the information required under Articles 13 and 14, but should be used in combination with such information (citing Article 12(7)). The draft guidance recognizes that “the development of a code of icons should be centred upon an evidence-based approach and in advance of any such standardisation it will be necessary for extensive research to be conducted in conjunction with industry and the wider public as to the efficacy of icons in this context.”
- Free services and notice. Where free services are being provided, “information must be provided prior to, rather than after, sign-up given that Article 13(1) requires the provision of the information ‘at the time when the personal data are obtained’.” The guidance also states, “information provided under the transparency requirements cannot be made conditional upon financial transactions, for example the payment for, or purchase of, services or goods.”
- Changing notices. Going forward, “a notification of changes should always be communicated by way of an appropriate modality (e.g., email/ hard copy letter etc.) specifically devoted to those changes (e.g., not together with direct marketing content).” Further, “References in the privacy statement / notice to the effect that the data subject should regularly check the privacy statement /notice for changes or updates are considered not only insufficient but also unfair in the context of Article 5.1(a).” Although the GDPR is silent on timing requirements when making changes, the guidance recommends that changes are notified to individuals “well in advance of the change actually taking effect” if it involves “a fundamental change to the nature of the processing (e.g. enlargement of the categories of recipients or introduction of transfers to a third country)” or even a change that “may be relevant to and impact upon the data subject.”
- Further processing. The guidance clarifies that information must be provided to data subjects when “personal data are further processed for purposes that are compatible with the original purposes” (applying Article 13.3 and 14.4), including information about the compatibility analysis that the controller has conducted.
- Notice reminders. Even if information in notices does not materially change, if individuals “have been using a service for a significant period of time,” controllers should consider “reacquainting” individuals with notice information, “for example by way of reminder of the privacy statement/ notice notified at appropriate intervals.”
- Exceptions to providing notice. The guidance examines in some detail the various exceptions to providing notice under the GDPR, including where data is obtained indirectly and providing notice “proves impossible” or “involves a disproportionate effort.” This aspect of the guidance will be of interest to data controllers that process and obtain personal data from various third parties (e.g., in the online space and in connection with research). The guidance also explores exceptions that apply, for example, when conducting anti-money laundering checks, when complying with EU or Member State laws, or when complying with professional obligations of secrecy.
The guidance on consent reiterates that consent is only one of six lawful bases to process personal data under Article 6 of the GDPR (and one of nine lawful bases to process sensitive personal data under Article 9). The guidance emphasizes that when relying on consent, individuals must be offered control and a genuine choice in order for consent to be valid. This confirms what many readers familiar with the GDPR and existing guidance will already know: consent should not be considered a default option to legitimize processing of personal data; and, in some contexts (such as employment), it will be difficult to demonstrate that consents are valid and meet the stringent requirements under the GDPR.
- Existing consents may have to be renewed. The guidance repeats that existing consents are valid if they have been obtained in line with the conditions under the GDPR. In practice, this will likely mean that many organizations will have to update existing consents. For example, the guidance states that “all presumed consents of which no references are kept will automatically be below the consent standard of the GDPR and will need to be renewed.” Similarly, consents based on a more implied form of action by the data subject — such as ignoring a pre-ticked opt-in box — will have to be renewed. On a more positive note, the guidance recognizes that not all of the notice elements in Articles 13 and 14 must always be present for consent to be deemed “informed,” which means that pre-GDPR consents will not automatically be invalid if controllers have not previously provided all of this information.
- Employees and imbalances of power. The guidance cautions against relying on consent as a basis for processing personal data of employees due to the perceived imbalance in the employment relationship. Consent should only be relied upon to process HR data in limited situations where the employee will suffer no adverse consequences “at all” if they do not provide consent. (An example mentioned is if a filming takes place in an office based on the provision of consent and an employee who refuses to consent suffers no adverse consequence). More broadly, any “element of inappropriate pressure or influence” may render consent invalid. (For more on processing data in the HR context, see the WP29 guidance from earlier this year on data processing in the employment context.)
- “Consent and contract cannot be merged and blurred.” The guidance states, citing Article 7(4) GDPR, that tying or bundling consent with the acceptance of terms and conditions is “highly undesirable”; this kind of “conditionality” leads to a presumption of lack of freedom to consent (recital 43), which is only capable of being rebutted in “highly exceptional” circumstances. The guidance states that “to assess whether such a situation of bundling or tying occurs, it is important to determine what the scope of the contract or service is.” If a controller seeks to process personal data that are necessary to perform a contract then the correct lawful basis is more likely to be contract (Article 6(1)(b)), rather than consent. The guidance recalls, however, that processing that is “necessary for the performance of a contract” is to be interpreted strictly; there should be a “direct and objective link” between the processing of the data and the purpose of the contract. Examples provided include processing credit card details to facilitate a payment. Processing that falls outside of this scope will not be considered “necessary.”
- Multiple purposes require multiple consents. The guidance recommends a granular approach to consent. Citing several provisions of the GDPR (recitals 32, 43, etc.), it states that where a controller anticipates using personal data for several separate purposes, consent should be sought for each purpose in order to help prevent “function creep”. Consent may cover different processing activities, but only if these serve the same purpose. If a controller seeks consent for various different purposes, it should provide a separate opt-in for each purpose.
- New purpose requires new consent. Following on from the above point, the guidance states that “if a controller processes data based on consent and wishes to process the data for a new purpose, the controller needs to seek a new consent from the data subject for the new processing purpose. The original consent will never legitimize further or new purposes for processing.” An example given involves a cable TV network that collects subscribers’ personal data, based on their consent, to present them with personal suggestions for new movies they might be interested in based on their viewing habits. If the TV network decides it would like to enable third parties to send (or display) targeted advertising on the basis of the subscriber’s viewing habits, this is a new purpose and new consent would be required.
- Form of consent. As already mentioned, consent should not be obtained through the same physical act as agreeing to a contract or accepting general terms and conditions. The GDPR states that valid consent requires an unambiguous indication by means of a statement or by a clear affirmative action (Article 2(11)). When obtaining electronic consent, the guidance suggests that “affirmative motions” (e.g., swiping on a screen) can qualify as affirmative action. By contrast, scrolling down or swiping through terms and conditions that include declarations of consent will not suffice. Using pre-ticked opt-in boxes is invalid (the GDPR states this explicitly, see recital 32), and opt-out constructions “that require an intervention from the data subject to prevent agreement (for example ‘opt-out’ boxes)” similarly are not permissible. The guidance, after setting out the need for specific, granular consents, flags the danger of “click fatigue,” but leaves it to organizations to work it out, saying merely that “GDPR places upon controllers the obligation to develop ways to tackle this issue.”
- Relying on browser settings. In response to the click fatigue issue, the guidance mentions the possibility of using browser settings, noting that any such consent must meet GDPR requirements and thus “be granular for each of the envisaged purposes and that the information to be provided, should name the controllers.” WP29 repeats its long-held view that consent should be given prior to the processing commencing.
- Explicit consent. The guidance clarifies that the need for consent to be “explicit” consent when processing sensitive personal data “refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent.” The guidance suggests: expressly confirming consent in a written (and possibly signed) statement, filling in an electronic online form, sending an email, uploading a scanned document with their signature, or by using an electronic signature. Oral statements remain another possibility, although the validity of such consent may be more difficult to demonstrate. Another possibility is two-stage / double consent, i.e., a data subject first receives an email explaining what consent is required, replies by email stating, “I agree,” and after the reply is sent then receives a verification link that must be clicked (or an SMS message with a verification code) to confirm agreement. Again, the guidance recalls that consent is not the only basis to process sensitive personal data — Article 9(2) lists nine other legal grounds.
- Time limit. According to the guidance, the duration of consents depends on: the context, the scope of the original consent, and the expectations of the data subject. If processing operations change or evolve considerably then the original consent will no longer be valid. The guidance highlights that best practice is to refresh consent at “appropriate intervals”.
- Withdrawal. The guidance emphasizes that consent should be as easy to withdraw as it is to give. For example, if providing consent requires swiping a screen, this, or an equally simple method, should be available for withdrawal. Further, a data subject must be able to withdraw consent using the same service-specific user interface (e.g., a website, an app, or log-on account) and without incurring any detriment. The general rule set out in the guidance is that if consent is withdrawn, “all data processing operations that were based on consent and took place before the withdrawal of consent . . . remain lawful, however, the controller must stop the processing actions concerned. If there is no other lawful basis justifying the processing (e.g. further storage) of the data, they should be deleted or anonymized by the controller” — unless the processing is based on more than one lawful basis, e.g., performance of a contract, and this has been stated at the outset of processing. The guidance warns controllers against “silently migrat[ing] from consent (which is withdrawn) to [another] lawful basis.”
- Consent of children online. The default rule under the GDPR is that consent of someone with parental responsibility is required before processing — in the online context — personal data of a child under the age of 16. Member States can lower this age, but not below 13. There is no equivalent rule for offline processing. The guidance warns that if a controller provides a cross-border service and processes personal data of children from different countries, the controller “cannot always rely on complying with only the law of the Member State in which it has its main establishment but may need to comply with the respective national laws of each Member State in which it offers the [service].” WP29 encourages the Member States to search for “a harmonized solution” to this issue. Controllers must make “reasonable efforts” to verify the age of the data subject, but the guidance stops short of suggesting specific methods other than to say that “age verification should not lead to excessive data processing” and should involve “an assessment of the risk.” In low-risk situations it may be appropriate to require the entry of a data subject’s date of birth, for example. There is little practical guidance on how to gather the parent’s consent or to establish that someone is entitled to perform this action. The guidance does acknowledge, however, that in some low-risk situations an email may suffice, it may be appropriate to ask for more proof where the risk is higher, and trusted third party verification services may have a role to play. New consents directly from data subjects would be required once they reach the age of 16.
- Scientific research. The guidance considers ‘scientific research’ under the GDPR to have its “common meaning” (i.e., “a research project set up in accordance with relevant sector-related methodological and ethical standards”). The guidance cites recital 33 and states that where the purposes of a scientific research project cannot be specified at the outset, data subjects should be able to consent in more general terms and consent to subsequent processing as the research advances.