EU GDPR: not so sweet concept of freely given consent

10 / 07 / 17

Article by Mindaugas Civilka and Minvydas Balčiūnas 

Consent is arguably among the most direct grounds to collect and process one’s personal data. EU General Data Protection Regulation (GDPR) defines consent as “freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement”.

Free will

Whether a consent really is an act of free will depends on how closely the outward act of agreeing is tied to the mental factors that form the will (goals, fears and other motives). Sometimes this connection is feeble, especially when the person does not care much about the value of his personal information, or when he does care about privacy but has no choice other than to give his personal information away (e.g. if it is the only way to receive some sort of service). People tend to give away their personal data in exchange for a positive response (not necessarily a financial one), and such situations are brilliantly exploited by contemporary business models. Today's society is sinking deeper into a complete loss of privacy and is inclined to accept it passively. Personal information makes up an essential part of our identity, and with the loss of control over it we are gradually losing control over parts of ourselves. A “written” consent where all you need to do is tick a box (especially if it comes pre-ticked) is the most blatant devaluation of the very idea of “consent, freely given”.

The most important measure of consent is honesty and the absence of deception. Consent that creates an illusion of choice and control over one’s data can never be considered as obtained under fair conditions. This happens where data could be processed without consent, yet consent is acquired “just in case” (by incorporating it into the body of the agreement even though it is not required for the data processing). The liberty of consent is also compromised by unexpected clauses in a document, where the consent is obtained as if “on the way”.

Less is more

GDPR requires the request for consent to be clearly separated from other matters. This required independence is intellectual rather than physical: the consent may be incorporated into the body of another document (for example, a contract), but its content and form must not be tainted by other matters. It has to be kept apart from other questions; the decision to give the consent cannot depend on other questions and, vice versa, withholding it cannot influence the resolution of other matters unless the consequences of doing so are clearly explained. When the consent is given only for the use of particular data, it must be made clear that refusing consent may lead to certain services being provided in a reduced scope or refused, and this should follow from the narrowness of the consent itself. The person cannot be misled into believing that his consent is a mere formality. On the contrary, if one’s consent is the only basis for the use of his/her data, the importance of both the consent and the action it was given for must be made clear.

Widening the scope of a consent always overreaches: the more generic and absolute terms such as “any similar actions”, “all related data” or “any other recipients” are employed, the less value such consent has. Less is more, and more is less, here.

Presenting the request for consent and the related information through a hyperlink or external settings located elsewhere is allowed, but in that case the hyperlink must not get lost among the other elements of the page. Additionally, it must be guaranteed that the person notices and clicks it (for example via a pop-up reminder).

Specificity means that consent is given only for clearly defined cases, data and purposes, and that it must be renewed if the circumstances change.

Unambiguousness

Unambiguousness is present when the person transfers the data himself, or when his intention and comprehension that his/her data is being collected are obvious from his actions. Unambiguous consent does not have to be expressly stated: such an expression is replaced by the person's active actions and the context in which they are performed.

Profiling

GDPR singles out some activities that are especially harmful to privacy and which may be carried out only as long as the individual does not object. One such potentially harmful, data-devouring technique is profiling, which is now defined as the processing of personal data with the intent to evaluate personal aspects relating to a particular person and to predict aspects relating to his or her work performance, financial situation, health, hobbies, interests, reliability, behaviour, location or movements.

Right to know and disagree with automated decisions

Each of us will have the right to know that our data is algorithmically analysed, profiled and used for purely automated decisions (i.e. decisions whose analysis or outcome no human intervenes in or reviews). Each of us will have the right to know the logic behind such profiling, as well as its significance and consequences.

Additionally, the person also has the right to object to purely automated decisions being applied to him (unless such decision making is provided for in an agreement).

However, these requirements are not absolute and apply only if automated profiling may bring about significant consequences for the individual. This raises some questions: will the consumer have the right to know that he has been assigned to a certain category of clients, and the right to know which data such profiling is based on and how it affects him (special offers etc.)? Or will a higher benchmark of “significant consequences” be employed (e.g. a decision to decline online credit, an automated diagnosis and prescription)? Or will the right apply only to consequences that are unpleasant (e.g. a re-calculation of the insurance premium) but not to desirable ones (e.g. discounts, promotional offers)?

How will these requirements be accommodated by artificial intelligence and automated algorithms used by social networks (e.g. Facebook, Twitter etc.) or electronic marketplaces (e.g., Amazon)?

Right to disagree with profiling

Under the GDPR, profiling for the purpose of direct marketing is subject to a two-layer requirement:

  1. a separate consent (from the one to direct marketing) is required;
  2. the person has an absolute right to withdraw his/her consent at any time.

Thus, at any given time a person has the right to refuse to be categorised for the purpose of receiving special offers or any similar marketing measures.

How to?

Documenting a consent which satisfies all of the requirements of GDPR might become a challenge.

I would suggest following these steps when preparing the form of consent to profiling:

  1. formulate the request for consent and present it in the correct way:
     - both the request and the consent should be in clear and plain language, indicating the purpose of the data processing, the type of data processed and the processing operations, and when and for how long the processing will take place (the word “profiling” itself should be avoided);
     - the request should be distinguishable (in both content and form) from other matters;
     - properly notify the data subject (identity of the data controller, transfer to other recipients etc.);
  2. obtain the consent to profiling separately from the other consents of the same person;
  3. ensure an intelligible form of presenting the request and receiving the consent; it is important that the person himself makes (i) a statement (including ticking a box, even though it is one of the weakest forms of statement), or (ii) a clear affirmative action;
  4. retain both the record of presenting the request and the record of receiving the consent (GDPR introduces a requirement to keep systematised evidence (records) of the date and form of the consent, the location where it is held etc.);
  5. offer a convenient way for the person to request and receive additional information about his data, the aspects of its use and how it affects the offers he is receiving;
  6. supply clear and simple information about the way the person can withdraw or change his consent (and the consequences of doing so).
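The steps above turned into code, as an added example that is not part of the article and not the authors' own material: a small Python consent ledger that refuses pre-ticked or bundled consents, records the date and form of each consent as evidence, and honours withdrawal at any time (the "What if?" scenario below). The `ConsentLedger` class and its field names, the "Example Shop Ltd" controller and the sample request are all assumptions constructed for the example.

```python
"""Consent ledger: added example, not the authors' code. It turns the documentation
steps above into checks; the class, field names and sample request are assumptions."""
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timedelta, timezone

VAGUE_TERMS = ("any similar", "all related", "any other")  # scope-widening wording

class ConsentError(ValueError): """A request or a recorded consent fails a check."""

@dataclass(frozen=True)
class ConsentRequest:              # what the subject was told before agreeing
    purposes: tuple                # exactly one purpose per request
    data_categories: tuple         # type of data processed
    retention_days: int            # how long processing will take place
    controller: str                # identity of the data controller
    withdrawal_info: str           # how to withdraw and with what consequences

@dataclass
class ConsentRecord:               # evidence kept per subject and purpose
    subject_id: str
    request: ConsentRequest
    presented_at: datetime         # when the request was shown
    given_at: datetime             # when the subject agreed
    form: str                      # "checkbox", "written statement", "affirmative action"
    withdrawn_at: "datetime | None" = None

def validate_request(req):
    """Reject requests that are bundled, uninformative or phrased too broadly."""
    if len(req.purposes) != 1:
        raise ConsentError("one request per purpose; bundled consents are refused")
    for name in ("data_categories", "controller", "withdrawal_info"):
        if not getattr(req, name):
            raise ConsentError(f"subject is not informed about {name}")
    text = " ".join(req.purposes + req.data_categories).lower()
    if any(term in text for term in VAGUE_TERMS):
        raise ConsentError("scope widened by catch-all wording")

class ConsentLedger:               # in-memory evidence store keyed by (subject, purpose)
    def __init__(self):
        self._records = {}

    def record(self, subject_id, req, *, form, affirmative_act, default_on,
               presented_at, given_at):
        validate_request(req)
        # Freely given: a pre-ticked box or a silent default is not consent.
        if default_on or not affirmative_act:
            raise ConsentError("consent needs a statement or a clear affirmative act")
        rec = ConsentRecord(subject_id, req, presented_at, given_at, form)
        self._records[(subject_id, req.purposes[0])] = rec
        return rec

    def is_valid(self, subject_id, purpose, at):  # unwithdrawn and still in period
        rec = self._records.get((subject_id, purpose))
        if rec is None or (rec.withdrawn_at is not None and rec.withdrawn_at <= at):
            return False
        return at < rec.given_at + timedelta(days=rec.request.retention_days)

    def withdraw(self, subject_id, purpose, at):  # honoured at any time
        rec = self._records.get((subject_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = at
        return True

    def evidence(self, subject_id, purpose):  # the record a subject or regulator sees
        return asdict(self._records[(subject_id, purpose)])

def rejected(fn):  # True if fn() is refused with ConsentError
    try:
        fn()
        return False
    except ConsentError:
        return True

# Constructed sample request: one plainly worded purpose, all required information.
SAMPLE_REQUEST = ConsentRequest(
    purposes=("personalised offers based on your order history",),
    data_categories=("order history", "browsing categories"),
    retention_days=365, controller="Example Shop Ltd (constructed)",
    withdrawal_info="Switch off under Account > Privacy; offers become generic.")

def demo():
    """Walk one constructed subject through consent, validity and withdrawal."""
    ledger, purpose = ConsentLedger(), SAMPLE_REQUEST.purposes[0]
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    day = lambda n: t0 + timedelta(days=n)
    ledger.record("subj-1", SAMPLE_REQUEST, form="checkbox", affirmative_act=True,
                  default_on=False, presented_at=t0, given_at=day(0))
    out = {"valid_day_30": ledger.is_valid("subj-1", purpose, day(30)),
           "withdrawn": ledger.withdraw("subj-1", purpose, day(60))}
    out["valid_day_90"] = ledger.is_valid("subj-1", purpose, day(90))
    out["evidence_form"] = ledger.evidence("subj-1", purpose)["form"]
    out["preticked_rejected"] = rejected(lambda: ledger.record(
        "subj-2", SAMPLE_REQUEST, form="checkbox", affirmative_act=False,
        default_on=True, presented_at=t0, given_at=t0))
    out["bundled_rejected"] = rejected(lambda: validate_request(
        replace(SAMPLE_REQUEST, purposes=SAMPLE_REQUEST.purposes + ("e-mail marketing",))))
    return out
```

Calling `demo()` shows the ledger accepting a ticked box as the weakest acceptable statement, refusing the pre-ticked variant and the request that bundles profiling with e-mail marketing, and treating the consent as invalid from the moment it is withdrawn. In a real service the `_records` dictionary would be a durable, append-only store, since the record of the request and of the consent is the evidence step 4 asks you to keep.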

What if?

For e-commerce, marketing and advertising businesses, the profiling of individuals is a significant tool, and it goes without saying that the consequences of a revoked consent to profiling could be dire.

However, even after the revocation of consent, the data processor is still allowed to use those parts of the profile that were developed by the data controller himself, provided that they are no longer linked to personal data.

If possible, processing of the data should be based on grounds other than consent, and business processes should be adapted in advance for the emergency scenario of consent withdrawal (for example, by anonymising data as it is collected).