Consent is, we think, one of the most interesting areas of data protection law. For
those who take an academic and technical interest in the machinery that makes
data protection work, consent is a source of recurring fascination: it is a
conflation of morality and ethics and law and procedure.
We all know that the GDPR[1] introduces widespread
changes to many areas of data protection law and, as has been widely reported,
the threshold for consent and the processes surrounding its use are changed.
This article is not meant to be a summary of how and why consent is changing or
a discussion of the basic issues which underlie consent as a lawful basis of
processing personal data. Rather, it expounds the more complex aspects of the
new definition of consent, examines critically the key gaps presented by the
ICO’s draft guidance,[2] pauses to consider the
draft e-Privacy Regulation[3] (ePR) and the thorny
issues of direct marketing before concluding with a challenge to the ICO
regarding the final form of its consent guidance due to be published during
December 2017 to coincide with the Article 29 Working Party guidance.
The ICO Consent Guidance
Between the guidance and the follow-up myth-buster blogs, the ICO has tried to show
that it is aware of the commercial value attributed to the consent process by
businesses and the reliance they place upon it. However, the ICO’s draft
guidance leaves several areas unclear for businesses and, we will argue,
overreaches the specific requirement of consent in the GDPR. Its ambiguity and
delay are having a real impact on how businesses plan for the GDPR.
The draft guidance was published by the ICO on 2 March 2017 and was open to
consultation until 31 March 2017. It was originally due to be published in
final form during the summer of 2017 but that was eventually pushed back to
December 2017 in order to coincide with pan-European guidance from the WP29.
The delay has understandably left many corporate entities frustrated and asking
lots of very reasonable questions about what they do next, including whether
they have to start listing third parties in consent notices or privacy
policies.
‘Does the GDPR require us to name third parties?’
One of the big issues
created by the ICO’s draft guidance is the specific stipulation that, in order
to rely on consent under the GDPR, the consent notice must ‘name your organisation and any third parties who will be relying on
consent – even precisely defined categories of third-party organisations will
not be acceptable under the GDPR’.
This is a very significant change for several reasons.
Firstly, it is our view that this represents interpretative overreaching from
the ICO. A thorough review of Article 7 GDPR and the recitals regarding consent[4]
does not at any point reveal or imply that third parties who will rely on consent
should be named. In fact, there is corroborative evidence to the contrary when
one studies other parts of the GDPR. For example, under Articles 13(1)(e) and
14(1)(e) of the GDPR, which relate to the use of information and privacy
notices, the controller is under an obligation to provide the data subject with
information detailing, ‘…the recipient or categories of recipients of the
personal data’ (our emphasis). The GDPR clearly envisages that
describing recipients by category alone is an adequate way of informing data
subjects of the use of their personal data.
The second reason that it is significant is not
academic but practical: naming third parties is a major concern for many
businesses due to its potential commercial impact on the use of direct
marketing (which we discuss further below). Many businesses, large and small,
rely on effective direct marketing in order to generate revenue and, certainly
for large corporates, making even minor changes to the method of obtaining
consent can have a disproportionately negative effect on sales, potentially
impacting millions of pounds of revenue. In addition to this, adding long lists
of named third parties is likely to make some consent notices or fair
processing notices more, not less, complicated for data subjects.
You could be forgiven for thinking that the ICO was
radical in deciding to require that notices specifically name third parties.
The reality is that there are already other EU member state laws which
stipulate compulsory naming of third parties when obtaining consent (for
example, the Netherlands).[5]
One could argue that such granularity empowers data subjects, enabling them to
see beforehand where their data goes and so make informed decisions about
processing of their personal data. But on the other hand, in light of public
apathy about legal notices asking for consent, what is the likelihood that data
subjects will interrogate any data protection notices naming third parties? This
seems inconsistent with the move by the Commission in the ePR to scale back the
use of cookie notices on websites due to their ineffectiveness. There is also the
commercial conundrum of providing personal data to new third parties, not legally
formed at the time consent was obtained, but who are able to offer new, more
competitive products and services than those whose name is featured on the
list. Any reasonable observer would recognise the commercial benefit of
enhanced competition and the dynamic ability of the data controller to
determine where and when the personal data is shared. In the Direct Marketing
Association’s response to the ICO’s guidance,[6]
the DMA criticised the requirement to name third parties for the disproportionate
impact that it may have on SMEs and their ability to grow.
It is our view that data subjects and corporates would
be better served with a consent or privacy notice which contains well-drafted,
specific and tailored description of the categories of third parties relying on
the consent rather than a list of the applicable third parties. The ICO should
remove the obligation to name third parties from its final guidance.
Unambiguous consent and clear affirmative action
The GDPR’s definition of consent[7]
includes two important new criteria: consent must be an ‘unambiguous indication
of wishes…by a statement or by clear affirmative action’. There are numerous
good academic articles on the distinction between ‘explicit’ consent required
for processing sensitive categories of personal data and ‘unambiguous
indication of wishes’ for ordinary, non-sensitive personal data. No longer will
silence, pre-ticked boxes or inaction on the part of the data subject
constitute valid consent.[8]
The draft guidance fails to elaborate on what these mean
in practice. Regarding unambiguous consent, it simply says that ‘this requires more than just a confirmation
that they have read terms and conditions – there must be a clear signal that
they agree. If there is any room for doubt, it is not valid consent.’ Regarding
a clear affirmative act, the guidance says that ‘someone must take deliberate action to opt in, even if this is not
expressed as an opt-in box. For example, other affirmative opt-in methods might
include signing a consent statement, oral confirmation, a binary choice
presented with equal prominence, or switching technical settings away from the
default…the idea of an affirmative act does still leave room for implied
consent in some circumstances, particularly in more informal offline
situations.’
What the guidance fails to do is adequately explain
what sort of clear affirmative acts can be undertaken to demonstrate consent in
an online context other than an opt-in option or switching technical settings.
If one agrees that most consumers are not technologically literate, it is
reasonable to deduce that requiring someone to use default privacy settings on
a device is unlikely to be meaningful to large swathes of the population,
leaving (through absence of any genuine alternative) only opt-in tick boxes
which are a binary choice. It is our view that the ICO could provide better
assistance here to make things clearer for businesses, particularly as consent
tends to raise its head more often than not in the online world.
Playing the waiting game
The frustration that we have seen from clients and
other businesses and professionals regarding the delay in finalising the
consent guidance is understandable. When the ICO published the draft guidance
in March, it was due to be finalised in the summer of 2017 before this was pushed
back to December 2017.
The delay is particularly acute for businesses that
undertake direct marketing using consent. Many businesses are now aware that
the GDPR requires consent to be brought up to date with the new standards[9]
and so they are undertaking a repermissioning exercise, approaching data
subjects who have consented to direct marketing under the DPA and essentially
obtaining their consent anew. The difficulty with this is that, as all technology
lawyers who have drafted consent wording will know, there is great subtlety in
the proper drafting of consent notices, which requires input from legal and
marketing professionals. This means that, in order to get the wording just
right, the lawyers need to have total confidence that the regulatory guidance
is concrete. That is not the case due to the delay in publishing the guidance.
In addition to this, most marketing professionals affirm that it can take 12
months to build a sizeable database of direct marketing contacts. There are now
just six months to go (at the time of writing) to the implementation of the
GDPR but no finished guidance from the regulator and a reasonable probability,
due to some of the more controversial aspects of the guidance, that the final
form will change.
In its myth buster blog,[10]
the ICO has said that ‘It is unlikely that the guidance will change
significantly in its final form. So you already have many of the tools you need
to prepare.’ However, those
technology lawyers who have been in practice long enough to remember the dawn
of cookie consent notices will recall that, in the run up to the enforcement
date (May 2012), the ICO published one piece of guidance suggesting that consent
really ought to be by opt-in tick box to meet the requirements of Directive
95/46/EC, only to then change this guidance just weeks before the enforcement
date, rowing backwards to a position where implied consent was acceptable. So,
the regulator has form for making last-minute changes to guidance about consent
which can significantly alter how it is implemented in practice.
There also remains the looming issue of enforcement.
We know the ICO has the power to levy large fines under the GDPR[11]
and that theoretically such fines could be levied from May 2018. Failure to
obtain consent in accordance with Article 7 is punishable by the higher
threshold of €20m or 4% of worldwide turnover, whichever is the higher.[12]
The ICO has already said that ‘it’s scaremongering to suggest
that we’ll be making early examples of organisations for minor infringements or
that maximum fines will become the norm.’[13]
However, we empathise with the call from business representatives and lobbyists
calling for an extended grace window when it comes to direct marketing and
repermissioning, a window of time equal in length to the period of delay in
publishing the final guidance.
Electronic Direct Marketing and Consent
Consent tends to create the biggest waves in the world of direct marketing. One of the
consistent questions we have seen posed over the course of the last 12 months
is how to reconcile the apparently conflicting rules in the GDPR and the draft
ePR regarding electronic direct marketing communications. The issue could be
summarised as follows.
On the one hand, the GDPR states that direct marketing can be carried out as a
legitimate business interest (implying that consent is not required). This
assertion is found in the final sentence of Recital 47 and simply reads: ‘The processing of personal data for direct
marketing purposes may be regarded as carried out for a legitimate
interest’ (our emphasis). There are several things worth noting about this
assertion. Firstly, all recitals in the GDPR are merely guidance as to
interpretation of the articles. They are not capable of being legally binding on
their own without a concomitant article and there is no article in the GDPR
which states that direct marketing is a legitimate business interest. At best,
Recital 49 is guidance about interpretation of Article 6 (1) (f) which states
that personal data can be lawfully processed on the grounds of the controller’s
legitimate business interest.[14] Secondly, Recital 49 is
not media specific. It fails to address whether electronic direct marketing is
captured within its meaning and so ought (in our view) to be given its widest
meaning, i.e. that all methods of direct marketing are prima facie within the scope of legitimate business interests. Thirdly,
this Recital was not in the original 2012 draft of the Regulation but rather
found its way in during trilogue. It was the product of debate between the
political bodies in the process of finalising the draft and is arguably an
afterthought.
On the other hand, Article 16 (1) of the draft ePR says ‘Natural or legal persons may use electronic communications services
for the purposes of sending direct marketing communications to end-users who
are natural persons that have given their consent.’ It does not, as many
would like, also end with the words ‘or
where the controller has legitimate business interests to send such
communications’ and so it is reasonable to see that a potential conflict
arises between GDPR and ePR on this point. However, in our view no conflict
exists. The ePR is designed to particularise and complement the GDPR[15] and so it would be
reasonable to interpret the ePR in a similar way to the interpretation of the Data
Protection Act 1998 and PECR,[16] meaning that the
PECR (and by analogy the ePR) creates an extra layer of protection for data
subjects in addition to the DPA 1998. We know the standard of consent in the ePR
is the same as that in the GDPR[17] and we can also observe
that, whilst there is no specific article in the GDPR about this point in the
GDPR, there is an article in the ePR. In light of the status of the ePR as a
Union regulation rather than a directive, it must be the intention of the Union
legislature to ensure that electronic direct marketing does not take place without
consent and that consent must be the standard set out in the GDPR. The only other
option is presented by the ePR itself in Article 16 (2), which preserves the
current soft opt in rules for electronic marketing communications.
Conclusion
This article was never drafted
to provide all the answers to the stinging issue that is consent under the
GDPR. We hope that it has illuminated some of the more theoretical and
commercially challenging areas. We hope also that it has drawn out the
shortcomings of the draft guidance. You could come away from this article with
the view that we are thoroughly dissatisfied with the ICO’s draft guidance;
this is not the case. There are many areas where it is useful. However, the
shortcomings highlighted throughout this article are having a real impact on
businesses and we call on the ICO to take these points into account as it
finalises its consent guidance and works with the WP29 to produce new guidance,
which is due to be published shortly.
Matthew Holman is a principal and Head of Technology and Data
Protection at EMW. He is an SCL Accredited IT Lawyer and acts for many global
brands, UK plcs and technology businesses. He also does extensive media and
presentation work regarding the GDPR.
Lewis Borg is a solicitor in EMW’s Technology and Data
Protection team, specializing in data protection law.
Matthew and Lewis would like to acknowledge the contributions of
Natalie Ingram, trainee solicitor and research assistant at EMW.
[1] General Data Protection Regulation 2016/679
[2] ICO Consultation: GDPR Consent Guidance
[3] See the draft regulation published on 10 January 2017
entitled ‘A Proposal for a Regulation of the European Parliament and of the
Council concerning the respect for private life and the protection of personal
data in electronic communications, repealing Directive 2002/58/EC’
[4] Recitals 32, 33, 42, 43 and 171
[5] The Dutch Data Protection Act and guidance of Autoriteit Persoonsgegevens
[6] https://dma.org.uk/article/read-the-dma-s-response-to-the-ico-s-profiling-feedback-request
[7] Article 4 (11)
[8] Recital 32
[9] Recital 171
[11] Article 83
[12] Article 83 (5)
[14] A more detailed examination of legitimate business interest is outside the scope of this article.
[15] Article 1 (3) ePR
[16] Privacy & Electronic Communications (EC Directive) Regulations 2003, as amended
[17] Article 4 (1) (a) ePR