Consent is perhaps the best-known legal basis for the processing of personal data. However, it is important to understand that consent is not always the optimal or even the necessary choice. It may be noble to ask an individual for consent, but in some cases relying on consent makes it harder to comply with the General Data Protection Regulation (GDPR). To make privacy easier for your organization, we give tips and guidance on when (not) to use consent as the legal basis for a specific data processing activity. In this blog, we assess the use of consent as a legal basis alongside two other legal bases that are often intertwined with it: performance of a contract and legitimate interest. But first, we take a step back and look at the basic principles of consent.
Consent is one of the six legal bases for the processing of personal data under the GDPR. Consent means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes.” Freely given consent implies a voluntary choice by the data subject to accept or decline some or all of the purposes. This means no pressure of any kind and no negative consequences if a data subject refuses consent. In any case, the data subject must be informed about the specific processing before consenting.
What not to do? Don’t bundle your consent request with the terms and conditions.
What to do?
The data controller must be able to demonstrate that it has obtained valid consent, and individuals must be able to withdraw their consent as easily as they gave it, without any adverse effects. Meeting all of these criteria can be challenging and, as mentioned earlier, asking for consent is sometimes not even necessary.
It is also important to keep in mind that where there is a clear imbalance of power, such as between an employer and an employee, or where a public authority handles a citizen’s personal data, these organizations often cannot rely on consent as their legal basis. The imbalance means that consent cannot be given ‘freely’. However, the European Data Protection Board (EDPB) notes that such organizations can still rely on consent where it is in fact freely given and there are no adverse consequences whatsoever, whether or not the individual consents. For example, an employer may ask for consent to publish photographs of employees on the company website. That consent is only lawful if the employee had a genuine choice and suffers no negative consequences for refusing.
Processing of personal data can be based on the performance of a contract if the use of the personal data is necessary to perform that contract, for example when you purchase goods or a service online. The legal bases consent and performance of a contract are often considered together, but according to the GDPR (Article 7(4) and Recital 43) and the EDPB there is an important distinction to be made. The EDPB insists on a strict interpretation of what is necessary for the performance of a contract. For example, if you purchase goods online, the online retailer may not automatically use the same data to build profiles of the user’s purchases. Even if such profiling is mentioned in the contract, the profiling is not necessary to perform the contract as entered into.
In short, when the processing of personal data is genuinely necessary for the performance of a contract, performance of the contract, not consent, is the appropriate legal basis. If the data is not necessary for the contract, then performance of the contract is not the right choice. In those instances, an organization may be able to rely on an alternative legal basis for the processing, such as legitimate interest or (explicit) consent. We discuss these legal bases in the following paragraphs.
If an organization has other business interests, and therefore processing purposes, that are not necessary for the performance of a contract, it may be able to rely on legitimate interest. To use legitimate interest as a legal basis, the organization must pursue a legitimate interest and the processing must be necessary for that purpose. Furthermore, it must weigh its own interest against the privacy impact of the processing on the data subjects. In other words, the organization must assess whether the interests or fundamental rights of the individual override the interest it is pursuing with the processing.
With a carefully considered assessment you will find that many possibilities exist. For example, an employee must create management reports from customer or client data to track the business performance of a certain division. In such cases it is possible to rely on legitimate interest, provided there are no overriding interests of the data subjects. Here we advise against using consent for two main reasons: first, because of the consequences if consent is withdrawn, and second, because of the additional administrative burden of tracking the consent given. Legitimate interest is therefore the appropriate choice.
However, the outcome of the balancing test may also reveal that your interest does not outweigh the impact on the data subject’s privacy. On 4 July 2023, the Court of Justice of the European Union (CJEU) ruled in a case against Meta that consent is the appropriate legal basis for personalized content and behavioral advertising driven by tracking and profiling. The CJEU emphasized that “no legitimate interest would override the users’ rights when websites attempt to provide such services.”
In addition, the Information Commissioner’s Office (ICO) notes in its guidance on consent: “If you intend to use or share someone’s data in a particularly intrusive manner or in a way that deviates from the original purpose, consent is the right choice.” In other words, if the organization plans to use or share someone’s data in a highly invasive manner, it must ensure that the data subject is aware of the processing and can make an informed decision about that specific use of their data, especially where it goes beyond what they would reasonably expect based on the original purpose.
Since valid consent can be hard to obtain, we recommend first assessing whether another legal basis in the GDPR applies. Where the processing is not necessary for the performance of a contract, an organization may be able to rely on legitimate interest. Where the balancing test for legitimate interest has a clearly negative outcome, as with behavioral advertising, obtaining consent is necessary. Where an organization uses intrusive cookies on a website, obtaining consent, or even explicit consent for profiling, is mandatory. Be aware that whenever consent is the legal basis, the data subject must have full control over their data, and they only have that control when they have a genuine, free choice with no adverse effects.
Do you or your organization experience further difficulties with the implementation of consent, or with deciding which legal basis applies to a certain purpose?
Please do not hesitate to contact us via firstname.lastname@example.org.