Newsletter | Volume 1

When companies or public authorities, wants to process personal data, they must have a legal basis for that processing. In the old days (before 25th May 2018) the condition of consent was that an individual has agreed to the processing the data in question. From 25th May 2018, obtaining approval from the data subject may not be as relatively straightforward. The specific conditions for obtaining consent to process an individual’s personal data can underline the complexities that arise in ensuring a valid consent.

Article 4 of the GDPR requires that, for an individual to actually consent to the processing of their personal data, and that this agreement (consent) to that processing means: "any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".

The new GDPR definition of consent contains several new requirements, including that consent, is unambiguous and signified by a statement or by a clear affirmative action. If an indication of consent leaves any doubt as to what data processing a person has consented to, it will fall short of the requirement for unambiguous consent.

Data controllers seeking consent for processing personal data for multiple purposes should use layered consent mechanisms, giving individuals the opportunity to indicate whether or not they consent to each purpose;

Clear affirmative action means that data controllers cannot rely on silence, opt-out boxes, pre-ticked opt-in boxes or inaction by the individual
Consent mechanisms are kept separate from other terms and conditions of service; Consent is not a pre-condition for signing up to a particular service unless such approval is necessary for delivery of that service
Individuals are given "granular options to consent" to consider giving separate permissions to different types of processing
Consent mechanisms explicitly name the data controller and third parties who will rely on that consent as a legal condition

The 'accountability' component of GDPR Article 5; data controllers, must not only obtain valid consent; they must retain sufficient records to demonstrate what a person has consented to and how and when they have given consent;

Data controllers must also tell individuals they can withdraw consent at any time and make it as easy to withdraw consent as to give it.
Data controllers should consider not only whether their mechanisms for giving consent are GDPR compliant, but whether their consent withdrawal arrangements meet new requirements.

For consent is deemed as freely given, the GDPR requires that there must be no power imbalance in the relationship between a data controller and an individual, and there must also be no adverse consequence for a person if they refuse to give consent. Otherwise, the ‘consent’ will be invalid.

Data controllers that are processing a large amount of personal data relying on consent to meet a legal condition under the current legislation before GDPR. However, in preparation for the GDPR
Data controllers should review the existing mechanisms for giving and withdrawing consent
Review their records of consents for processing, where they intend to carry on such processing under the GDPR.
Data controllers must either find another legal condition in the GDPR for that processing or obtain new GDPR-compliant consents or cease the processing of the personal data in question.

If the data controller continues to process personal data without valid consent and without meeting any other legal condition, they run the risk of breaching trust, suffering reputational damage and incurring financial penalties under a more substantial fine structure.

The British philosopher and a seminal thinker of modern political philosophy, Thomas Hobbes who’s ideas were marked by the characterisation of human nature based on greed and fear of death said in 1599; Silence is sometimes an argument of Consent. That in GDPR is no longer valid.