Consent as the legal basis for processing personal data. The criterion of free will

The General Data Protection Regulation which became directly applicable on the 25th of May 2018 has triggered a real boom in privacy policies among companies. The threat of penalties has woken up the business which earlier had quite a negligent attitude towards data protection issues. Many had quite a struggle identifying what data and for what purposes as well as legal grounds are they processing.

Speaking of the legal basis for processing personal data, there is no doubt that one of the most popular among the business is a person‘s consent. You have obtained a number of consents and you feel calm. After all, if a person has given his consent, what can be wrong? Processing personal data based on consent provides a sense of security, and when it comes to fines up to 20 million euros, we want to feel safe. However, for the consent to be valid it must meet certain criteria, one of which is the free will of the data subject. Namely, the flaws of the obtained consents manifest through the lack of free will, which in fact means that the processing is not legal. So, when shall it be considered that a person has freely given you his consent to the processing of his personal data?

The provisions of the Regulation imply that freely given means a real power to make a choice – to decide whether the person wishes for his data to be processed for a certain purpose or not, without experiencing any pressure for it or negative influence, etc. Assessing whether a person had a real decisive power while giving consent, (i) the balance between the controller and the data subject is taken into consideration as well as (ii) non-conditionality, (iii) granularity of the consent and (iv) absence of risk of facing any detriment in case of refusal to consent.

(i) Balance of power. The consent is not an appropriate legal basis for processing personal data when the controller is in a position of power, i.e. when the controller is the stronger and therefor more influential party (for example a public authority, employer). When the data controller is in the position of power it is likely that a person will give his consent because of the pressure he feels and not because he expresses his true will. Therefore, a quite common mistake in practice is to rely on legal basis of consent in employment relations, since an employee will always be the weaker party, and the employer – the controller – the stronger party which dictates conditions, and from which will an employee depends. It should be noted that, in exceptional cases, the employer may rely on consent when processing employee’s personal data, particularly in those cases where the processing operations themselves are of benefit to the employee – for example, to allow a worker to apply for discounts when purchasing employer’s products.

(ii) Non-conditionality of consent. Any pressure or influence upon a person while obtaining consent proves the lack of free will and, consequently, makes such a consent invalid. These are particularly the situations where a contract or terms and conditions state that by signing the contract or accepting terms and conditions a person expresses his or hers consent to data processing (objectively not necessary for the provision of a contract or service). Or where the data controller claims that the contract shall not be signed/ a service provided unless the person consents to the processing (objectively unnecessary) of data. However, in such cases, the person wishing to receive a service or conclude a contract is prevented from expressing his or her true will for the processing of the said data.

(iii) Granularity of the Consent. Data processing operations can have different goals, in cases where the consent of the data subject is to be relied on, separate consent is required for each of them. Consent will not be considered freely given, for example, where on the website data subjects are provided with a single box to mark their consent for using their data for direct marketing and for transferring of personal data to the company’s partners.

(iv) Absence of negative effects. If the refusal to consent to data processing would adversely affect (financial losses, lower quality of service, longer waiting period, etc.) a person, the consent would not be considered freely given. For example, the person who has not given consent to the sharing of data with the service provider’s partners must pay more than the one who has consented.

Considering the above said, if while obtaining consent from the data subjects the mentioned conditions are met you are in the right path. Although it should not be forgotten, that apart from the criterion of free will there are more requirements set out in the Regulation regarding the validity of consent, but it is a separate theme to be discussed in the next article.