EU Data Protection Working Party Issues Guidance on Consent


Guidance on consent under GDPR

Many people have been waiting for the Information Commissioner's Office to issue guidance on consent. However, the ICO have needed to wait for Working Party 29 to issue their guidance. That's because GDPR is a Regulation: there is no scope for interpretation, not even by the UK regulator! It is to be interpreted the same everywhere.

Good news! WP29 guidance was published on the 12th December. This means the ICO can now issue theirs. However, we would suggest you don't wait for the ICO guidance. After all, it must say roughly the same as the WP29 version: Article 63 and indeed all of Chapter 7 of GDPR specifically say that all supervisory authorities must interpret things the same way. In fact, that's the point of WP29 and also of GDPR itself. We have rushed together a video telling you all about the key things you need to know from the guidance.

At Corpdata we have always been sceptical about the wisdom of using consent, and we have been quite outspoken. In the October Newsletter, we observed consent is being over-hyped, and in a mid-month update we highlighted the logical implausibility of transferring consent from a list owner to a licensee of the data. We also took issue with the DMA about their 'GDPR Checklist' guidance leading people to think consent will be transferable.

It turns out we judged it correctly! In section 3.3.1. Minimum content requirements for consent to be 'informed', WP29 says:

if the data is to be transferred to or processed by other controllers who wish to rely on the original consent, these organisations should all be named.

For third party lists, CONSENT WILL NOT BE VALID!

You are responsible

Don't forget, as we have said previously, GDPR says you are responsible for demonstrating you have complied with the law.

If your data supplier has been promising you can use their data on the basis of consent, they have been flat-out misleading you! Now, to be fair, no-one has told them what to do, they have been waiting for guidance too, but what poor judgement! These suppliers should be experts in the field. They should at least care about preventing their customers breaking the law, don't you think? Maybe all that was important to them was making a quick sale?

As we previously mentioned, we are genuinely concerned, and were continually a bit peeved when we heard our customers were being misled by unscrupulous dealers!

Moving on, Article 13(1)(c) of GDPR says you must tell the data subject, at the time the data is collected, the legal basis for processing. So, these data suppliers have been telling people the legal basis is consent. What are the implications of changing the legal basis? The data collected on the basis of consent is not valid for use under legitimate interest, unless each data subject is informed of the new legal basis. So if you process this data, you will be doing so unlawfully, and probably be breaching GDPR with all the consequences that may have!

So if you hear of data suppliers doing a quick 'volte-face' and suddenly talking about 'legitimate interest' (the only way you can legally use third party lists by the way), we'd suggest you don't touch them with a barge-pole!

Do your due diligence. We have made a list of Due Diligence Questions to ask Data Suppliers.

Here is one extra question which you should ask too:

Has every data subject been informed their data is processed on the basis of legitimate interest or consent?

Just in case this all seems a bit pernickety, the very last paragraph of the WP29 guidance document says:

Under the GDPR, it is not possible to swap between one lawful basis and another.

In the first paragraph of section 6, it spells it out in black and white (it's a long quote, but go with it):

The lawful basis cannot be modified in the course of processing. Hence, the controller cannot swap between lawful bases. For example, it is not allowed to retrospectively utilise the legitimate interest basis in order to justify processing, where problems have been encountered with the validity of consent. Therefore, under the GDPR, controllers that ask for a data subject's consent to the use of personal data shall in principle not be able to rely on the other lawful bases in Article 6 as a "back-up", either when they cannot demonstrate that GDPR-compliant consent has been given by a data subject or if valid consent is subsequently withdrawn. Because of the requirement to disclose the lawful basis which the controller is relying upon at the time of collection of personal data, controllers must have decided in advance of collection what the applicable lawful basis is.

Thankfully there is no ambiguity there then!
