Last updated: 
6 days 10 hours ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Article 29 WP draft on Consent

Friday, December 15, 2017 - 09:16

The Article 29 Working Party of European Data Protection Supervisors has published draft guidance on consent under the General Data Protection Regulation. Since the Working Party has already published extensive guidance on the existing Data Protection Directive rules on consent, this new paper concentrates on what has changed under the GDPR.

The first message is that consent is only one of six legal bases for processing personal data: "consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment" (Page 4). Where any part of that requirement cannot be met, data controllers must look at the other five possibilities.

In particular, consent will rarely be appropriate where there is an imbalance of power between the data subject and the data controller. For example public authorities will often have difficulty satisfying the requirements for consent, as individuals have little choice whether or not to use their services. Employers, too, will generally have too much power for employees to give free consent. Neither case is an absolute ban, however: the guidance mentions examples of subscribing to e-mail updates about roadworks or having photographs included in a school magazine, where the organisation may be able to establish that refusal of consent does, indeed, involve no significant adverse consequences.

Commercial organisations also need to take care when using consent: "the two lawful bases for the lawful processing of personal data, i.e. consent and contract cannot be merged and blurred". If the personal information is necessary to perform the contract then that, not consent, is the correct basis. Where organisations request additional data that are not directly linked to the contract then free consent is required: this may be demonstrated, for example, by providing two versions of the service, one with additional data and one without, provided these are "genuinely equivalent, including no further costs" (page 10).

The Working Party consider that the greatest changes, most likely to require a change in process, are the need for consent to be indicated by a positive action (no pre-ticked boxes or "consent by silence") and the requirement for organisations to be able to demonstrate that this was done. The latter is likely to involve keeping records of what information was shown to the individual, and what workflow resulted in their consent being obtained. In terms of systems, the biggest change are the need to make withdrawing consent as easy as obtaining it (if you gave consent with a mouse click, you can't be required to withdraw it by a phone call) and, where consented data are used for several different purposes, providing individual consent to each one.

As with the Information Commissioner's draft guidance from last February there's a strong hint here that data controllers should be moving from consent to other bases where these are more appropriate. The Working Party adds an interesting twist: that continuing processing while changing its legal basis may be lawful as part of the change from Directive to Regulation, but not thereafter.