
Guide Yourself to Explicit Consent: Article 29 Working Party’s Updated Opinion

I. Introduction

The Working Party on the Protection of Individuals
with regard to the Processing of Personal Data ("Working Party"), which was
established under Directive 95/46/EC of the European Parliament and of the
Council of October 24, 1995 ("EU Directive"), has updated its opinion on consent
under the General Data Protection Regulation ("GDPR"), which will be effective on
May 28, 2018.

The GDPR evolved the concept of consent under the EU
Directive and Directive 2002/58/EC of the European Parliament and of the
Council of 12 July 2002 Concerning the Processing of Personal Data and the
Protection of Privacy in the Electronic Communications Sector ("E-privacy
Directive") by providing further clarification and specification of the
requirements for obtaining and demonstrating valid consent. The Working Party's
opinion of November 28, 2017 mainly focuses on this evolution and sheds more
light on the EU Directive - GDPR - Turkish Data Protection Law ("Law No. 6698")
triangle. Law No. 6698 is based on the EU Directive, whereas its consent-related
provision for processing personal data is adopted from the GDPR. Hence,
the updated opinion answers most of the questions raised by Turkish companies
during their compliance processes.

II. Elements of Valid Consent

Article 4(11) of the GDPR defines consent as: "any freely given, specific, informed and
unambiguous indication of the data subject's wishes by which he or she, by a
statement or by a clear affirmative action, signifies agreement to the
processing of personal data relating to him or her".

According to this provision, the consent of the data
subject means any (i) freely given, (ii) specific, (iii) informed and (iv)
unambiguous indication of the data subject's wishes by which he or she, by a
statement or by a clear affirmative action, signifies agreement to the processing
of personal data relating to him or her.

(i) The Consent Must be Freely Given

The Working Party stated in its opinion that consent
will not be considered "free" if the data subject is unable to refuse his or
her consent, and that it can only be valid if the data subject is able to exercise a
real choice. Consent will not be free in cases where there is any element of
compulsion, pressure or inability to exercise free will. The Working Party also mentioned
that the imbalance between the data subject and the controller (which mostly
occurs where the data controller is a public authority or where
the data subject is an employee) is also taken into consideration by the GDPR.

Article 7(4) of the GDPR plays an important role
in determining whether consent is freely given or not. According to this article,
when assessing whether consent is freely given, utmost account shall be taken
of whether, inter alia, the performance of a contract, including the provision
of a service, is conditional on consent to the processing of personal data that
is not necessary for the performance of that contract. With this
provision, the GDPR aims to narrow the term "the performance of a contract". The Working
Party states that there needs to be a direct and objective link between the
processing of the data and the purpose of the execution of the contract (e.g.
processing the address of the data subject in order to deliver the goods which
were purchased online).

The Working Party also mentions the term
"granularity" when determining the existence of freely given consent. In cases
where a service involves multiple processing operations for more than one
purpose, the data subjects should be free to choose which purpose they accept. Therefore,
several consents may be warranted for each purpose. In other words, consent
should cover all processing activities carried out for the same purpose or
purposes. When the processing has multiple purposes, consent should be given
for all of these purposes.

For example, a company asks its customers to consent, at the same time,
both to receiving its campaigns and promotions by e-mail
and to the sharing of their personal data with other companies within its
group. According to the GDPR, this consent cannot be considered granular,
since there are no separate consents for these two separate purposes. Therefore,
the consent will not be valid.

According to the GDPR, the data controller also needs
to demonstrate that the data subject is free to refuse or withdraw consent
without detriment, and it should be able to prove that the data subject has a
free or genuine choice in giving consent.

(ii) The Consent Must be Specific

According to the Working Party, to comply with the
element "specific" which is stated in the definition of "consent" under the
GDPR, the data controller must apply the following:

a. If a data controller processes data based on
consent and intends to process the data for a new purpose, the data controller
needs to obtain a new consent from the data subject for the new processing
purpose. The original consent will not legitimize new purposes for processing.

b. If the data controller seeks consent for various
different purposes, it should provide a separate opt-in for each purpose, to
allow users to give specific consent for specific purposes.

c. Data controllers should provide specific
information with each separate consent request about the data, in order to
make data subjects aware of the impact of the different choices that they have.

(iii) The Data Subject Must be Informed

According to the Working Party, it is essential to
provide information to data subjects before obtaining their consent since it
will enable them to make informed decisions, understand what they are giving
consent to, and exercise their rights regarding their consent. The Working
Party listed the minimum information required for obtaining valid consent in
terms of GDPR. These are:

a. the identity of the data controller,

b. the purpose of each of the processing operations
for which consent is sought,

c. the type of data which will be collected and used
by the data controller,

d. the existence of the right to withdraw consent,

e. information about the use of the data for decisions
based solely on automated processing,

f. if the consent relates to data transfers, information
about the possible risks of data transfers to third countries in the absence of
an adequacy decision and appropriate safeguards.

Even though most of the information listed above was
also included in the EU Directive, the GDPR expands the information that should
be provided to the data subject by stating that the data controller should
also inform the data subject that he/she can withdraw his/her consent. This
requirement was not included in the EU Directive.

Similar to the EU Directive, the GDPR does not
require such information to take a certain form or shape. Hence, valid
information may be provided in various ways (e.g. in writing, orally, or via audio or
video messages). However, the GDPR also brings higher standards for the clarity
and accessibility of the information. Accordingly, the Working Party stated that
the data controller should use clear and plain language which can be easily
understood by an average person. The Working Party does not allow long
illegible privacy policies or statements full of legal jargon.

(iv) Unambiguous Indication of the Data Subject's Wishes

The Working Party points to Article 7(2) of the
GDPR, which addresses pre-formulated written declarations of consent. According
to the Working Party, when consent is requested as part of a contract, the
request for consent should be clearly distinguishable from the other matters.
Also, if consent is requested by electronic means, the consent request has to
be separate and distinct; it cannot simply be a paragraph within terms and
conditions. This is especially important for e-commerce websites, along
with many other online platforms and other real and legal persons processing
personal data. That means no more incorporating data protection clauses into
Terms & Conditions or into employment contracts. The principle of being
"clearly distinguishable" is also linked with being "freely given". For
instance, if consent is indistinguishable and incorporated into an agreement
along with many other provisions, the data subject cannot consent freely and
separately but can only sign the agreement as a whole.

The EU Directive described consent as an "indication of wishes by which the data
subject signifies his agreement to personal data relating to him being
processed". The GDPR expands this definition by clarifying that valid
consent requires an unambiguous indication by means of a statement or by a
clear affirmative action, which means that the data subject must have taken a
deliberate action to consent to the particular processing.

The GDPR also brings new requirements for data controllers regarding
the explicit consent they obtain. According to Article 7 of the GDPR, the data
controller is obliged to demonstrate the data subject's consent. The same
provision also states that the data controller must ensure that consent can be
withdrawn by the data subject as easily as it was given and at any given time.

III. Reflections of the Article 29 Working Party's Updated Opinion on Turkish Personal Data Legislation

Law No. 6698 is based on the EU Directive which is
currently in force. The obligations of data controllers and the rights of the
data subjects set forth under the Law No. 6698 are basically in line with the
provisions under the EU Directive. Having said that, the Law No. 6698 requires
"explicit consent" of the data subjects for any kind of personal data
processing, not only for sensitive personal data, which is in line with the
GDPR. Accordingly, the Working Party's updated opinion for the GDPR may also
guide Turkish businesses in terms of structuring their processes.

For instance, according to the GDPR, the data
controller must be able to demonstrate that valid consent was obtained. Also, mechanisms
for data subjects to withdraw their consent must be available and easy to
apply, and the data controller must provide information on how to withdraw
consent. The Law No. 6698 also brings similar obligations to the data
controllers.

Law No. 6698 is a separate and independent local regulation.
However, it is likely that the Turkish Data Protection Board, which is the main
authority on data protection-related matters, would take the opinion of the Working
Party as a basis while evaluating the appropriateness of the consent, as Law
No. 6698 is mainly based on the EU legislation and the implementation in the EU
is currently the primary source. The Turkish
Data Protection Board has already published its guideline document on consents,
and stated that umbrella consents will be invalid, which is in parallel with
the "specific consent" principle in the EU. We expect that the opinion of the Turkish
Data Protection Board will take shape in time by also taking into account the
implementation in the EU. Data controllers may benefit from the Working Party's
updated opinion for clarity on explicit consent and assess whether their
current flow for consent needs updates.

Authors: Gönenç Gürkaynak, Esq., İlay Yılmaz and Noyan Utkan, ELIG,
Attorneys-at-law

(First published by Mondaq on January 16, 2018)