Article 7 GDPR: Difference between revisions

From GDPRhub
 
(10 intermediate revisions by 6 users not shown)
Line 185: Line 185:


==Legal Text==
==Legal Text==
<center>'''Article 7: Conditions for consent'''</center><span id="1"> 1.  Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.</span>
<br /><center>'''Article 7: Conditions for consent'''</center>
 
<span id="1"> 1.  Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.</span>


<span id="2"> 2.  If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.</span>
<span id="2"> 2.  If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.</span>
Line 196: Line 198:


==Commentary ==
==Commentary ==
Article 7 GDPR regulates the "conditions for consent". It specifies the definition of consent set out in [[Article 4 GDPR|Article 4(11) GDPR]] and, by integrating [[Article 6 GDPR|Article 6(1)(a) GDPR]], contributes in defining what legal requirements a valid consent should have. The provision also places the burden of proof on the controller for the existence of consent.     


===(1) Obligation to Provide Proof of Consent===
Article 7 GDPR regulates the "conditions for consent". It specifies the definition of consent set out in [[Article 4 GDPR|Article 4(11) GDPR]] and, by integrating [[Article 6 GDPR|Article 6(1)(a) GDPR]], contributes to defining what legal requirements a valid consent should meet. The provision also places a special burden of proving for valid consent on the controller.     
 
While paragraph (1) further specifics the principle of accountability in [[Article 5 GDPR|Article 5(2) GDPR]], paragraph (2) specifies further requirements in the general principle of transparency under [[Article 5 GDPR|Article 5(1)(a) GDPR]], paragraph (3) further determines the right to withdraw consent and paragraph (4) further specifies when consent is '''freely given'.''      <blockquote><u>EDPB Guidelines:</u> See especially the [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en EDPB Guidelines 05/2020 on consent under Regulation 2016/679]. The issue of consent also comes up in other EDPB Guideliens for specific processing operations. For example see also [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032022-deceptive-design-patterns-social-media_en EDPB Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: how to recognise and avoid them] which only apply to social media platforms but hold important general information on the use of 'dark patterns' which are often used to gain consent.      </blockquote>
 
===(1) Obligation to provide proof of consent===
 
Under Article 7(1) GDPR, the controller must be able to demonstrate that they have obtained data subjects’ valid consent, especially whether it was informed, freely given, unambiguous and specific. It is therefore a specific burden of proof. <blockquote><u>Example:</u> A data subject cannot remember that it gave consent. The controller says they used to have an online form that everyone had to sign, but the form cannot be found anymore. There is no digital trace of the consent. If the existence of an effective consent is disputed and the controller cannot provide evidence of this, it can be assumed that there is no consent.<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 68 (C.H. Beck, 2nd Edition 2018) who explains the dynamic in this way: "''Da die Vorschrift zwar die Pflicht eines Nachweises aufstellt, allerdings an einen möglichen Verstoß keine unmittelbare Rechtsfolge anknüpft, stellt diese Regelung keine Bedingung dar, sondern ist vielmehr eine Risikoverteilungsregelung''".</ref></blockquote>Since consent can be given through a ''"clear, affirmative act''" (see Recital 32 GDPR) in the form of a factual, written, electronic or oral declaration, data controllers are free to determine the specific mechanism to provide this evidence.<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 71 (C.H. Beck, 2nd Edition 2018).</ref> However, in practice, they will likely "''need to keep a registry of acquired consents, as they will need to be able to demonstrate that consent has been obtained in situations where the data subject questions her or his provision of consent. In online environments, the consent provided should be logged''".<ref>''Kosta'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 7 GDPR, p. 350 (Oxford University Press 2020).</ref>
 
The elements contained in such a register may vary depending on the type of processing and the type of consent required. For instance, since pre-ticked boxes have been declared ''not'' unambiguous and therefore unlawful,<ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin number 58-60 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here])</ref> controllers may need to implement consent confirmation systems that can demonstrate the clear intention of the user. For instance, the controller could send an email to the data subject requiring them to click on a confirmation button (double opt-in) to show that the person consenting is also the person having access to a mailbox. Once the user provides that confirmation, the associated token and the time may be stored in the consent register as evidence for the future.<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 71 (C.H. Beck, 2nd Edition 2018).</ref><blockquote><u>Example:</u> An implicit consent under Article 6(1)(b) GDPR to be in a group picture by assembling in a group may be documented by the picture itself and witnesses could confirm that the purpose of the processing was clearly communicated. However, online systems usually require some form of consent management, such as a filed in a database together with a cop of the the code and interface.</blockquote>Article 7(4) GDPR relates to the principle of accountability in [[Article 5 GDPR|Article 5(2) GDPR]] and further specifies it for situations where a controller seeks consent.


Under Article 7(1) GDPR, the controller must demonstrate to have obtained a valid consent, including whether it was informed, freely given, unambiguous and specific. Scholars have convincingly noted that Article 7(1) does not provide for another consent requirement (say, "''demonstrability''") but rather creates a distribution of risks during a possible legal procedure. If, for example, the existence of an effective consent is disputed and the controller cannot provide evidence of this, it can be assumed that there is no consent.<ref>See ''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 68 (Beck, 2nd edition 2018) (accessed 29 April 2021) who explains the dynamic in this way: "''Da die Vorschrift zwar die Pflicht eines Nachweises aufstellt, allerdings an einen möglichen Verstoß keine unmittelbare Rechtsfolge anknüpft, stellt diese Regelung keine Bedingung dar, sondern ist vielmehr eine Risikoverteilungsregelung''".</ref>
===(2) Consent request in the context of a written declaration concerning other matters===


Since consent can be given through a ''"clear, affirmative act''" (see Recital 32 GDPR) in the form of a written, electronic or oral declaration, data controllers are free with regard to the specific form of providing this evidence<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 71 (Beck, 2nd edition 2018) (accessed 29 April 2021). This requirement leaves room for various forms of demonstrations, although of course it only applies to those consent obtaining mechanisms which can be proven. It is clear, however, that the stricter the intended form of consent is, the easier it will be to provide evidence about it</ref>. However, in practice, they will likely "''need to keep a registry of acquired consents, as they will need to be able to demonstrate that consent has been obtained in situations where the data subject questions her or his provision of consent. In online environments, the consent provided should be logged''". <ref>''Kosta'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 7 GDPR, p. 350 (Oxford University Press 2020).</ref>
Article 7(2) applies when data subjects and controllers communicate in written form about “other matters”, such as a longer contract, sign-up form and alike. In such cases, the request for consent must be presented in a manner which is clearly distinguishable from the other matters. The provision ensures that the consent request is given appropriate prominence so to reduce the risk of consent being inadvertently given or overlooked. To do so, Article 7(2) GDPR sets out certain layout and transparency requirements.  


The elements contained in such registry may vary depending on the complexity of the processing. For instance,  since pre-ticked boxes have been declared ''not'' unambiguous and therefore unlawful <ref>CJEU, C‑673/17, Planet49, 1 October 2019, margin number 58-60 (available [https://curia.europa.eu/juris/liste.jsf?num=C-673/17 here])</ref>, controllers may need to implement consent confirmation systems that can demonstrate the clear intention of the user. An example could be the sending of an email to the data subject requiring him or her to click on a confirmation button (double opt-in). Once the user provides the confirmation, the associated token may be stored in the consent registry for future evidence purposes.<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 69 (Beck, 2nd edition 2018) (accessed 29 April 2021).</ref>
==== Consent in the context of a written declaration concerning other matters ====
For the provision to apply, the communication between data subject and controller must meet two requirements: (i) it must occur in written form and (ii) it must concern other matters. Other situations, such as oral requests or stand-alone requests on forms that do not concern other matters do not have to comply with the specific provisions of Article 7(2) GDPR.


===(2) Consent Request in the Context of a Written Declaration concerning other Matters===
The "''written form''" requirement is to be interpreted broadly, which means that the electronic form is covered by this provision.<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 77 (C.H. Beck, 2nd Edition 2018).</ref> The communication must concern “''other matters''”. For example, this is the case where complex legal documents deal with various types of processing and require different legal bases for each of them. If any of these processing activities rely on consent, then the provision applies. 


Article 7(2) applies when the communication between data subject and controller takes place in written form and it concerns other matters. In this case,  the request for consent shall be presented in a manner which is clearly distinguishable from the other matters. The provision ensures that the consent request is given appropriate prominence so to reduce the risk of consent being inadvertently given. To do so, Article 7(2) GDPR establishes layout and transparency requirements.   
==== Request for consent: requirements ====
Under Recital 42, where consent is given as part of a written declaration concerning other matters, safeguards should be put in place to ensure that the data subject is aware of the meaning of their actions. Article 7(2) GDPR provides for such safeguards and requires that the request for consent shall be (i) presented in a manner which is clearly distinguishable from the other matters and (ii) formulated in an intelligible and easily accessible way, using clear and plain language.   


==== In the Context of a Written Declaration ====
First, it should be "distinguishable" from other matters. In practice, this translates to a statement which clearly authorises the controller to carry out a specific processing operation. Therefore, the request for consent "''should be highlighted by being placed in a frame or printed in a different font or colour - to name just a few options. The requirement is aimed at stopping the common practice whereby businesses include the text for consenting to processing of personal data in the fine print of agreements"''.<ref>''Kosta'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 7 GDPR, p. 350 (Oxford University Press 2020).</ref>
For the provision to apply, the communication between data subject and controller must meet two requirements. First, it must take occur in written form and, second, it must concern other matters. The provision does not apply in other cases.  


The "written form" requirement is to be interpreted broadly. The electronic form is therefore at least also covered by this provision. Since data protection law is particularly important in a digital context and the legislator aimed to provide comprehensive protection for those affected, the provision can also be used in digital legal transactions.<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 77 (Beck, 2nd edition 2018) (accessed 29 April 2021).</ref>  
Second, a request for consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language. This means that even users with poor reading skills, whether due to a low level of education or lack of language skills, should understand the text and positively express their consent.<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 80 (C.H. Beck, 2nd Edition 2018).</ref> Thus, if the data subject is not able to grasp the meaning of their declaration, the controller must provide further clarification.<ref>''Stemmer,'' in Wolff, Brink, BeckOK Datenschutzrecht, Article 7 GDPR, margin number 63 (C.H. Beck 2020, 36th Edition).</ref> Further, under Recital 42 and "''in accordance with Council Directive 93/13/EEC''" (the Unfair Contract Terms Directive or "UCTD"), the request must not contain unfair terms.<ref>However, according to ''Kosta'', the the reference to the UCTD in the recital is "problematic" because "[w]''hether and under which conditions a contract is formed'' [...] ''is an issue of national law and the answers to these questions differ significantly between civil law and common law countries''". See, ''Kosta'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 7 GDPR, p. 350 (Oxford University Press 2020).</ref>  


The communication must concern other matters. That is the case, for instance, of complex legal documents dealing with different types of processing and requiring different legal basis for each of them. If any of these processing activities relies upon consent, then the provision applies.   
The legislator uses a very similar requirement for "''concise, transparent, intelligible and easily accessible form, using clear and plain language"'' in [[Article 12 GDPR|Article 12(1) GDPR]], which applies to Articles 13 to 22 and 34 GDPR. The requirements are a specification of the general principle of transparency in [[Article 5 GDPR|Article 5(1)(a) GDPR]].   


==== Request for Consent: Requirements ====
==== Failure to meet the requirements ====
Under Recital 42, where consent is given as part of a written declaration concerning other matters, safeguards should be provided to ensure that the data subject is aware of the meaning of their actions. Article 7(2) provides for such safeguards and requires that the request for consent shall be (i) presented in a manner which is clearly distinguishable from the other matters and (ii) formulated in an intelligible and easily accessible way, using clear and plain language.
If any part of the statement (provided by the controller to the data subject) does not meet these requirements or in any way "''constitutes an infringement of this Regulation [it]'' ''shall not be binding''". Such an infringement amounts to a clear violation of the lawfulness principle, (i.e. if the claimed legal basis is not present, see [[Article 5 GDPR|Articles 5(1)(a)]] and [[Article 6 GDPR|6(1)(a) GDPR]]) and should bring about the immediate stop of processing of all personal data collected.<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 83 (C.H. Beck, 2nd Edition 2018).</ref><blockquote><u>Example:</u> A hotel has all guests sign a form upon arrival, informing them about a non-smoking policy, costs for the minibar, the opening hours of the gym and many other matters. In one of the paragraphs, the hotel seeks consent to use guests' registration data for advertisement, direct mailings and alike. This consent is not valid.</blockquote>


First, it should be "distinguishable" from other statements. In data protection terms, this translates into a statement which clearly authorizes the controller to carry out a specific processing operation. Therefore, the request for consent "''should be highlighted by being placed in a frame or printed in a different font or colour - to name just a few options. The requirement is aimed at stopping the common practice whereby businesses include the text for consenting to processing of personal data in the fine print of agreements"''.<ref>''Kosta'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 7 GDPR, p. 350 (Oxford University Press 2020).</ref>
===(3) Right to withdraw consent===


Second, a request for consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language. This means that even users with poor reading skills due to a low level of education or lack of language skills should understand the text and consciously express their consent.<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 80 (Beck, 2nd edition 2018) (accessed 29 April 2021).</ref> It follows that if the data subject is not able to grasp the meaning of their declaration, the controller must provide further clarification.<ref>''Stemmer'', in BeckOK DatenschutzR, Article 7 GDPR, margin number 63 (Beck 2020, 36th ed.) (accessed 3 November 2021).</ref> Further, under Recital 42 and "''in accordance with Council Directive 93/13/EEC''" (the Unfair Contract Terms Directive or "UCTD"), the request must not contain unfair terms.<ref>However, according to ''Kosta'', the the reference to the UCTD in the recital is "problematic" because "[w]''hether and under which conditions a contract is formed'' [...] ''is an issue of national law and the answers to these questions differ significantly between civil law and common law countries''". See, ''Kosta'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 7 GDPR, p. 350 (Oxford University Press 2020).</ref> 
If a controller relies on consent under Article 6(1)(a) or Article 9(2)(a) GDPR, data subjects can withdraw their consent at any time


==== Failure to Meet the Requirements ====
==== Information about right to withdraw consent ====
If any part of the statement (provided by the controller to the data subject) does not meet the above-mentioned requirements or anyway "''constitutes an infringement of this Regulation [it]'' ''shall not be binding''". In data protection terms, this may easily translate into a violation of the lawfulness principle (the claimed legal basis is not present, see [[Article 5 GDPR|Articles 5(1)(a)]] and [[Article 6 GDPR|6(1)(a) GDPR]]) and should bring to the immediate deletion of all the data collected.<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 83 (Beck, 2nd edition 2018) (accessed 29 April 2021).</ref>
Controllers must make data subjects aware of their right before to withdraw consent. This is usually done together with the request for consent and should follow the same transparency obligations applicable to information under [[Article 5 GDPR|Articles 5(1)(a)]], 7(2) and [[Article 12 GDPR|12(1)]] GDPR.


===(3) Right to Withdraw Consent===
It is unclear what the legal consequence of missing information is. The data subject may be even less inclines to consent when it does not know about the option to withdraw consent, which would point at missing information merely being a violation of the controllers duties under the GDPR, but not lead to the consent being invalid when a controller does not inform about the right to withdraw consent.


Data subjects can withdraw their consent at any time and should be made aware of this right before granting consent. Withdrawal should be as easy as giving it; however, the withdrawal will not retroactively affect any processing based on the consent prior to its withdrawal.
==== Withdrawal at any time ====
Data subjects can withdraw their consent at any time. Other than many other rights to withdraw from a legal declaration in EU law (such as 14 days for online purchases under Directive 2011/83/EU), the right to withdraw consent has no limit. This makes long-term management of consent and withdraw necessary.


Article 7(3) GDPR clarifies that the withdrawal of consent must be as simple as the granting of consent. In the case of electronic declarations, revocation should be enabled via the same tool used to provide the consent.<ref>For example, if a consent is given through a cookie banner, it should be possible to withdraw it through the same banner or any of its features.</ref> In this perspective, a technical challenge could be the development of an appropriate revocation environment, especially if the person concerned does not have a user account through which they can adjust the privacy settings.<ref>In this sense ''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 91 (Beck, 2nd edition 2018) (accessed 29 April 2021).</ref>
==== As easy as consent ====
This withdrawal should be as easy as giving consent. Article 7(3) GDPR clarifies that the withdrawal of consent must be as simple as the granting of consent. In the case of electronic declarations, revocation should be enabled via the same tool used to provide the consent.<ref>For example, if a consent is given through a cookie banner, it should be possible to withdraw it through the same banner or any of its features.</ref> This nonetheless poses certain technical challenges, such as the development of an appropriate revocation mechanism, especially if the person concerned does not have a user account through which they can adjust the privacy settings.


The withdrawal has immediate effect and interrupts any consent-based data processing. The withdrawal has an effect on future data processing (''ex nunc''). According to a certain interpretation, if the person concerned wants to delete the data, they have to submit a clear request in that sense under [[Article 17 GDPR|Article 17(1)(b) GDPR]].<ref>''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 92 (Beck, 2nd edition 2018) (accessed 29 April 2021).</ref>  
==== Effect of withdrawal ====
The withdrawal has immediate effect and interrupts any consent-based data processing, but will not retroactively affect any processing based on previously obtained consent. <ref>In this sense ''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 91 (C.H. Beck, 2nd edition 2018).</ref> The withdrawal has an effect on future data processing (''ex nunc''). If there is no other purpose to process the personal data further, withdrawal of consent also requires to delete the personal data. If there are other purposes to process the same personal data, such as security reasons, the effect of a withdrawal would be a partial limitation or processing. This means, that a data subject typically will not have to submit another request for erasure under [[Article 17 GDPR|Article 17(1)(b) GDPR]].<ref>Opposing view: ''Heckmann, Paschke'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 92 (C.H. Beck, 2nd Edition 2018).
</ref>
===(4) Assessing the freely given requirement===
Article 7(4) GDPR provides some useful guidance on the factors to be taken into account in assessing whether consent has been freely given or not. The provision focuses on the common practice of linking the performance of a service to the granting of consent for the processing of data which is not strictly necessary for the stated purpose ("bundled consent").


===(4) Assessing the Freely Given Requirement===
However, the EDPB noted that Article7(4) GDPR was drafted in a non-exhaustive fashion by using the words "''inter alia''". This means that bundled consent is not the only factor of the analysis and that "''there may be a “range of other situations, which are caught by this provision. In general terms, any element of inappropriate pressure or influence upon the data subject (which may be manifested in many different ways) which prevents a data subject from exercising their free will, shall render the consent invalid''”.<ref>EDPB, ‘Guidelines 05/2020 on consent under Regulation 2016/679’, 4 May 2020 (Version 1.1), pp. 7-8 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf here]).</ref>  
Article 7(4) GDPR provides some useful guidance as to the factors to be taken into account in assessing whether consent has been freely given or not. The provision focusses on the common practice of linking the provision of a service to the granting of consent for the processing of data which is not necessary for the provision of the service (bundled consent). However, the EDPB notes, Article7(4) has been drafted in a non-exhaustive fashion by using the words ‘inter alia’. This means that bundled consent is not the only factor of the analysis and that "''there may be a “range of other situations, which are caught by this provision. In general terms, any element of inappropriate pressure or influence upon the data subject (which may be manifested in many different ways) which prevents a data subject from exercising their free will, shall render the consent invalid''”.<ref>EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020, p. 7 (Version 1.1) (Available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf here]).</ref> These other elements are analysed below.


==== Imbalance of Power ====
==== Imbalance of power ====
The first critical factor is the presence of imbalance of power between the data subject and the controller. The typical example is the relationship between citizens and public authorities where it seems clear that in the majority of cases the data subject will have no viable alternative but to accept the data processing. Another case of imbalance of power also occurs in the employment relationship where it seems hardly credible that the data subject would refuse his consent without facing or at least perceiving the risk of detriment and negative effects on his employment position. The EDPB also points out that imbalances of power are not limited to relationships with public authorities and employers but can occur in any other case where there is "any element of compulsion, pressure or inability to exercise free will".<ref>EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020, p. 8-9 (Version 1.1) (Available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf here]).</ref>
The first critical factor is the presence of imbalance of power between the data subject and the controller. The typical example is the relationship between citizens and public authorities, where it seems clear that in the majority of cases the data subject will have no viable alternative but to accept the data processing. Another case of imbalance of power also occurs in the employment relationship, where it seems hardly credible that the data subject would refuse their consent without facing or at least perceiving the risk of detrimental effects on their employment. The EDPB also pointed out that imbalances of power are not limited to relationships with public authorities and employers, but can occur in any other case where there is "''any element of compulsion, pressure or inability to exercise free will''".<ref>EDPB, ‘Guidelines 05/2020 on consent under Regulation 2016/679’, 4 May 2020 (Version 1.1), pp. 8-9 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf here]).</ref> Overall are many other situations where an economic or other factual imbalance makes a genuinely free choice of the data subject unrealistic, such as various forms of monopolies and oligopolies or other situations where data subjects have no realistic alternative.


==== Bundled Consent ====
==== Bundled consent ====
The second factor identified by the Board is the hypothesis set out in Article 7(4) which consists of “bundling” consent with acceptance of terms or conditions, or “tying” the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract or service. Article 7(4) seeks to ensure that the purpose of personal data processing is not “disguised nor bundled with the provision of a contract of a service for which these personal data are not necessary. In doing so, the GDPR ensures that the processing of personal data for which consent is sought cannot become directly or indirectly the counter-performance of a contract. The two lawful bases for the lawful processing of personal data, i.e. consent and contract cannot be merged and blurred”. Such practice is considered highly undesirable because and if consent is given in this situation, it is presumed to be not freely given (Recital 43).<ref>EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020, p. 10 (Version 1.1) (Available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf here]).</ref>
The second factor identified by the EDPB is the case set out in Article 7(4) GDPR which consists of “bundling” consent with acceptance of terms or conditions, or “tying” the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract or service. Article 7(4) seeks to ensure that the purpose of personal data processing is not “''disguised nor bundled with the provision of a contract of a service for which these personal data are not necessary. In doing so, the GDPR ensures that the processing of personal data for which consent is sought cannot become directly or indirectly the counter-performance of a contract. The two lawful bases for the lawful processing of personal data, i.e. consent and contract cannot be merged and blurred''”. Such practices are considered highly undesirable because consent is presumed to not have been freely given in this situation (Recital 43).<ref>EDPB, ‘Guidelines 05/2020 on consent under Regulation 2016/679’, 4 May 2020 (Version 1.1), p. 10 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf here]).</ref>


==== Lack of Granularity ====
==== Lack of granularity ====
Another critical profile identified by the Board relates to the lack of granularity in the provision of consent. Whenever a controller forces the data subject to give a single consent for multiple types of processing (e.g., newsletters and communication to third parties), "there is a lack of freedom [...] the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose".<ref>EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020, p. 12 (Version 1.1) (Available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf here]).</ref>
Another critical profile identified by the EDPB relates to the lack of granularity in the provision of consent. Whenever a controller forces the data subject to give a single consent for multiple types of processing with one action (e.g., newsletters and communication to third parties), "there is a lack of freedom [...] the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose".<ref>EDPB, ‘Guidelines 05/2020 on consent under Regulation 2016/679’, 4 May 2020 (Version 1.1), p. 12 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf here]).</ref>


==== Detriment ====
==== Detriment ====
The controller must be able to demonstrate that refusal or withdrawal of consent will not have a detrimental effect on the data subject. Any kind of pressure, coercion or significant adverse effect, including reduction of service, is likely to generate a detrimental effect and thus invalidate consent.<ref>EDPB, Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020, p. 13 (Version 1.1) (Available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf here]).</ref>
The controller must be able to demonstrate that refusal or withdrawal of consent will not have a detrimental effect on the data subject. Any kind of pressure, coercion or significant adverse effect, including a reduction of service, is likely to generate a detrimental effect and thus invalidate consent.<ref>EDPB, ‘Guidelines 05/2020 on consent under Regulation 2016/679’, 4 May 2020 (Version 1.1), p. 13 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf here]).</ref><blockquote><u>EDPB Guidelines:</u> on this provision there are [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en EDPB Guidelines 05/2020 on consent under Regulation 2016/679]</blockquote>


==Decisions==
==Decisions==

Latest revision as of 16:00, 8 March 2024

Article 7: Conditions for consent
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 7: Conditions for consent

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Relevant Recitals

Recital 32: Conditions for Consent
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Recital 33: Consent for Scientific Research
It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

Recital 42: Proof and Requirements for Consent
Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

Recital 43: Freely Given Consent
In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

Commentary

Article 7 GDPR regulates the "conditions for consent". It specifies the definition of consent set out in Article 4(11) GDPR and, by integrating Article 6(1)(a) GDPR, contributes to defining what legal requirements a valid consent should meet. The provision also places a special burden of proving for valid consent on the controller.

While paragraph (1) further specifics the principle of accountability in Article 5(2) GDPR, paragraph (2) specifies further requirements in the general principle of transparency under Article 5(1)(a) GDPR, paragraph (3) further determines the right to withdraw consent and paragraph (4) further specifies when consent is 'freely given'.

EDPB Guidelines: See especially the EDPB Guidelines 05/2020 on consent under Regulation 2016/679. The issue of consent also comes up in other EDPB Guideliens for specific processing operations. For example see also EDPB Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: how to recognise and avoid them which only apply to social media platforms but hold important general information on the use of 'dark patterns' which are often used to gain consent.

(1) Obligation to provide proof of consent

Under Article 7(1) GDPR, the controller must be able to demonstrate that they have obtained data subjects’ valid consent, especially whether it was informed, freely given, unambiguous and specific. It is therefore a specific burden of proof.

Example: A data subject cannot remember that it gave consent. The controller says they used to have an online form that everyone had to sign, but the form cannot be found anymore. There is no digital trace of the consent. If the existence of an effective consent is disputed and the controller cannot provide evidence of this, it can be assumed that there is no consent.[1]

Since consent can be given through a "clear, affirmative act" (see Recital 32 GDPR) in the form of a factual, written, electronic or oral declaration, data controllers are free to determine the specific mechanism to provide this evidence.[2] However, in practice, they will likely "need to keep a registry of acquired consents, as they will need to be able to demonstrate that consent has been obtained in situations where the data subject questions her or his provision of consent. In online environments, the consent provided should be logged".[3] The elements contained in such a register may vary depending on the type of processing and the type of consent required. For instance, since pre-ticked boxes have been declared not unambiguous and therefore unlawful,[4] controllers may need to implement consent confirmation systems that can demonstrate the clear intention of the user. For instance, the controller could send an email to the data subject requiring them to click on a confirmation button (double opt-in) to show that the person consenting is also the person having access to a mailbox. Once the user provides that confirmation, the associated token and the time may be stored in the consent register as evidence for the future.[5]

Example: An implicit consent under Article 6(1)(b) GDPR to be in a group picture by assembling in a group may be documented by the picture itself and witnesses could confirm that the purpose of the processing was clearly communicated. However, online systems usually require some form of consent management, such as a filed in a database together with a cop of the the code and interface.

Article 7(4) GDPR relates to the principle of accountability in Article 5(2) GDPR and further specifies it for situations where a controller seeks consent.

(2) Consent request in the context of a written declaration concerning other matters

Article 7(2) applies when data subjects and controllers communicate in written form about “other matters”, such as a longer contract, sign-up form and alike. In such cases, the request for consent must be presented in a manner which is clearly distinguishable from the other matters. The provision ensures that the consent request is given appropriate prominence so to reduce the risk of consent being inadvertently given or overlooked. To do so, Article 7(2) GDPR sets out certain layout and transparency requirements.

Consent in the context of a written declaration concerning other matters

For the provision to apply, the communication between data subject and controller must meet two requirements: (i) it must occur in written form and (ii) it must concern other matters. Other situations, such as oral requests or stand-alone requests on forms that do not concern other matters do not have to comply with the specific provisions of Article 7(2) GDPR.

The "written form" requirement is to be interpreted broadly, which means that the electronic form is covered by this provision.[6] The communication must concern “other matters”. For example, this is the case where complex legal documents deal with various types of processing and require different legal bases for each of them. If any of these processing activities rely on consent, then the provision applies.

Request for consent: requirements

Under Recital 42, where consent is given as part of a written declaration concerning other matters, safeguards should be put in place to ensure that the data subject is aware of the meaning of their actions. Article 7(2) GDPR provides for such safeguards and requires that the request for consent shall be (i) presented in a manner which is clearly distinguishable from the other matters and (ii) formulated in an intelligible and easily accessible way, using clear and plain language.

First, it should be "distinguishable" from other matters. In practice, this translates to a statement which clearly authorises the controller to carry out a specific processing operation. Therefore, the request for consent "should be highlighted by being placed in a frame or printed in a different font or colour - to name just a few options. The requirement is aimed at stopping the common practice whereby businesses include the text for consenting to processing of personal data in the fine print of agreements".[7]

Second, a request for consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language. This means that even users with poor reading skills, whether due to a low level of education or lack of language skills, should understand the text and positively express their consent.[8] Thus, if the data subject is not able to grasp the meaning of their declaration, the controller must provide further clarification.[9] Further, under Recital 42 and "in accordance with Council Directive 93/13/EEC" (the Unfair Contract Terms Directive or "UCTD"), the request must not contain unfair terms.[10]

The legislator uses a very similar requirement for "concise, transparent, intelligible and easily accessible form, using clear and plain language" in Article 12(1) GDPR, which applies to Articles 13 to 22 and 34 GDPR. The requirements are a specification of the general principle of transparency in Article 5(1)(a) GDPR.

Failure to meet the requirements

If any part of the statement (provided by the controller to the data subject) does not meet these requirements or in any way "constitutes an infringement of this Regulation [it] shall not be binding". Such an infringement amounts to a clear violation of the lawfulness principle, (i.e. if the claimed legal basis is not present, see Articles 5(1)(a) and 6(1)(a) GDPR) and should bring about the immediate stop of processing of all personal data collected.[11]

Example: A hotel has all guests sign a form upon arrival, informing them about a non-smoking policy, costs for the minibar, the opening hours of the gym and many other matters. In one of the paragraphs, the hotel seeks consent to use guests' registration data for advertisement, direct mailings and alike. This consent is not valid.

(3) Right to withdraw consent

If a controller relies on consent under Article 6(1)(a) or Article 9(2)(a) GDPR, data subjects can withdraw their consent at any time

Information about right to withdraw consent

Controllers must make data subjects aware of their right before to withdraw consent. This is usually done together with the request for consent and should follow the same transparency obligations applicable to information under Articles 5(1)(a), 7(2) and 12(1) GDPR.

It is unclear what the legal consequence of missing information is. The data subject may be even less inclines to consent when it does not know about the option to withdraw consent, which would point at missing information merely being a violation of the controllers duties under the GDPR, but not lead to the consent being invalid when a controller does not inform about the right to withdraw consent.

Withdrawal at any time

Data subjects can withdraw their consent at any time. Other than many other rights to withdraw from a legal declaration in EU law (such as 14 days for online purchases under Directive 2011/83/EU), the right to withdraw consent has no limit. This makes long-term management of consent and withdraw necessary.

As easy as consent

This withdrawal should be as easy as giving consent. Article 7(3) GDPR clarifies that the withdrawal of consent must be as simple as the granting of consent. In the case of electronic declarations, revocation should be enabled via the same tool used to provide the consent.[12] This nonetheless poses certain technical challenges, such as the development of an appropriate revocation mechanism, especially if the person concerned does not have a user account through which they can adjust the privacy settings.

Effect of withdrawal

The withdrawal has immediate effect and interrupts any consent-based data processing, but will not retroactively affect any processing based on previously obtained consent. [13] The withdrawal has an effect on future data processing (ex nunc). If there is no other purpose to process the personal data further, withdrawal of consent also requires to delete the personal data. If there are other purposes to process the same personal data, such as security reasons, the effect of a withdrawal would be a partial limitation or processing. This means, that a data subject typically will not have to submit another request for erasure under Article 17(1)(b) GDPR.[14]

(4) Assessing the freely given requirement

Article 7(4) GDPR provides some useful guidance on the factors to be taken into account in assessing whether consent has been freely given or not. The provision focuses on the common practice of linking the performance of a service to the granting of consent for the processing of data which is not strictly necessary for the stated purpose ("bundled consent").

However, the EDPB noted that Article7(4) GDPR was drafted in a non-exhaustive fashion by using the words "inter alia". This means that bundled consent is not the only factor of the analysis and that "there may be a “range of other situations, which are caught by this provision. In general terms, any element of inappropriate pressure or influence upon the data subject (which may be manifested in many different ways) which prevents a data subject from exercising their free will, shall render the consent invalid”.[15]

Imbalance of power

The first critical factor is the presence of imbalance of power between the data subject and the controller. The typical example is the relationship between citizens and public authorities, where it seems clear that in the majority of cases the data subject will have no viable alternative but to accept the data processing. Another case of imbalance of power also occurs in the employment relationship, where it seems hardly credible that the data subject would refuse their consent without facing or at least perceiving the risk of detrimental effects on their employment. The EDPB also pointed out that imbalances of power are not limited to relationships with public authorities and employers, but can occur in any other case where there is "any element of compulsion, pressure or inability to exercise free will".[16] Overall are many other situations where an economic or other factual imbalance makes a genuinely free choice of the data subject unrealistic, such as various forms of monopolies and oligopolies or other situations where data subjects have no realistic alternative.

Bundled consent

The second factor identified by the EDPB is the case set out in Article 7(4) GDPR which consists of “bundling” consent with acceptance of terms or conditions, or “tying” the provision of a contract or a service to a request for consent to process personal data that are not necessary for the performance of that contract or service. Article 7(4) seeks to ensure that the purpose of personal data processing is not “disguised nor bundled with the provision of a contract of a service for which these personal data are not necessary. In doing so, the GDPR ensures that the processing of personal data for which consent is sought cannot become directly or indirectly the counter-performance of a contract. The two lawful bases for the lawful processing of personal data, i.e. consent and contract cannot be merged and blurred”. Such practices are considered highly undesirable because consent is presumed to not have been freely given in this situation (Recital 43).[17]

Lack of granularity

Another critical profile identified by the EDPB relates to the lack of granularity in the provision of consent. Whenever a controller forces the data subject to give a single consent for multiple types of processing with one action (e.g., newsletters and communication to third parties), "there is a lack of freedom [...] the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose".[18]

Detriment

The controller must be able to demonstrate that refusal or withdrawal of consent will not have a detrimental effect on the data subject. Any kind of pressure, coercion or significant adverse effect, including a reduction of service, is likely to generate a detrimental effect and thus invalidate consent.[19]

EDPB Guidelines: on this provision there are EDPB Guidelines 05/2020 on consent under Regulation 2016/679

Decisions

→ You can find all related decisions in Category:Article 7 GDPR

References

  1. Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 68 (C.H. Beck, 2nd Edition 2018) who explains the dynamic in this way: "Da die Vorschrift zwar die Pflicht eines Nachweises aufstellt, allerdings an einen möglichen Verstoß keine unmittelbare Rechtsfolge anknüpft, stellt diese Regelung keine Bedingung dar, sondern ist vielmehr eine Risikoverteilungsregelung".
  2. Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 71 (C.H. Beck, 2nd Edition 2018).
  3. Kosta, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 7 GDPR, p. 350 (Oxford University Press 2020).
  4. CJEU, C‑673/17, Planet49, 1 October 2019, margin number 58-60 (available here)
  5. Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 71 (C.H. Beck, 2nd Edition 2018).
  6. Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 77 (C.H. Beck, 2nd Edition 2018).
  7. Kosta, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 7 GDPR, p. 350 (Oxford University Press 2020).
  8. Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 80 (C.H. Beck, 2nd Edition 2018).
  9. Stemmer, in Wolff, Brink, BeckOK Datenschutzrecht, Article 7 GDPR, margin number 63 (C.H. Beck 2020, 36th Edition).
  10. However, according to Kosta, the the reference to the UCTD in the recital is "problematic" because "[w]hether and under which conditions a contract is formed [...] is an issue of national law and the answers to these questions differ significantly between civil law and common law countries". See, Kosta, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 7 GDPR, p. 350 (Oxford University Press 2020).
  11. Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 83 (C.H. Beck, 2nd Edition 2018).
  12. For example, if a consent is given through a cookie banner, it should be possible to withdraw it through the same banner or any of its features.
  13. In this sense Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 91 (C.H. Beck, 2nd edition 2018).
  14. Opposing view: Heckmann, Paschke, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 7 GDPR, margin number 92 (C.H. Beck, 2nd Edition 2018).
  15. EDPB, ‘Guidelines 05/2020 on consent under Regulation 2016/679’, 4 May 2020 (Version 1.1), pp. 7-8 (available here).
  16. EDPB, ‘Guidelines 05/2020 on consent under Regulation 2016/679’, 4 May 2020 (Version 1.1), pp. 8-9 (available here).
  17. EDPB, ‘Guidelines 05/2020 on consent under Regulation 2016/679’, 4 May 2020 (Version 1.1), p. 10 (available here).
  18. EDPB, ‘Guidelines 05/2020 on consent under Regulation 2016/679’, 4 May 2020 (Version 1.1), p. 12 (available here).
  19. EDPB, ‘Guidelines 05/2020 on consent under Regulation 2016/679’, 4 May 2020 (Version 1.1), p. 13 (available here).