Article 7 GDPR. Conditions for consent

Authors: Judith Rauhofer and Burkhard Schafer

(1) Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

(2) If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

(3) The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

(4) When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

I. General overview
1. Introduction

Art. 7 sets out the procedural conditions that must be met for consent to be valid as a legal ground for lawful processing under Art. 6 para. 1 lit. a. Unlike the definition of consent in Art. 4 point 11, which determines whether a statement or affirmative act of the data subject does constitute valid consent (→ Art. 4(11) mn. 52), Art. 7 considers whether consent has been validly given. Art. 7 therefore focuses on formal requirements and external circumstances rather than the elements of consent.

There was no equivalent condition to Art. 7 in the DPD, which was largely silent on questions such as when consent must be obtained, what form consent and consent requests should take, whether the data subject has the right to withdraw consent, and whether the use of consent should be limited in certain situations. In practice, this led to differences in application across different Member States both in the implementation of the DPD into national law and with regard to enforcement through SAs and national courts. The Comm-P sought to address these issues by providing clearer requirements that would be directly applicable across the EU.

2. Consent in a digital environment

In light of technological advances and, in particular, the growing importance of the Internet in commercial interactions, the power imbalance between providers of online services and Internet users has increasingly put into question the validity of consent declarations, on which providers based the processing of personal data. Of particular concern, prior to the adoption of the GDPR, was the fact that these forms of consent were often included in the providers’ non-negotiable terms of business or privacy policies, which Internet users had to accept in order to access the relevant service. Those terms and policies often required users to disclose significant amounts of personal data and to consent to the processing for a wide variety of purposes, not always linked to the actual service provided. Data collected by providers included not just information provided by individual users themselves about themselves, but also information users disclosed about others as well as “observed” data, i.e., data the provider collects about an individual’s behaviour. The combination of personal data provided by data subjects themselves and observed data made it possible for providers to create a third category of data, “inferred” data, that allowed them to profile the data subjects on the basis of their interests and preferences. The profiles thus created have become a valuable commercial asset for controllers, for sale to advertisers and other third parties and/or for use by controllers and their partners directly to target users with content or advertisements. With the “ad-based business model” continuing to represent the dominant means of revenue-generation in the digital economy, personal data have thus turned into a form of “payment” or “counter-performance” in the commercial exchange between users and online providers for the right to access an otherwise “free” service. 
However, the “take-it-or-leave-it” nature of providers’ terms, combined with the denial or degradation of services where users refuse to consent to the processing, has raised questions about the imbalance of power between data subjects and controllers in those situations, where the service in question dominates a specific online market.

3. Addressing the power imbalance

The Comm-P sought to address many of these issues not only through the amendments it made to the definition of consent itself, but also by imposing a set of formal conditions with which controllers must comply. In particular, Art. 7 para. 1 puts the onus on controllers to “demonstrate” that the data subject has consented to the processing, an obligation which also follows from the GDPR’s “risk-based approach” and the newly included “accountability principle” under which the controller itself is responsible for compliance with the GDPR and for demonstrating compliance. Art. 7 para. 2 specifically applies to contracts of adhesion, where the data subject’s consent to the processing of his or her data is included in a written declaration that also refers to other matters, for instance the controller’s standard terms and conditions. Applying principles already known from consumer protection law, the GDPR now requires pre-formulated consent requests to be clearly distinguishable from other matters and to be intelligible and easily accessible to the intended user. Art. 7 para. 3 clarifies the data subjects’ right to withdraw their consent at any time, while Art. 7 para. 4 sets out further considerations that controllers must take into “utmost” account when determining whether consent is “freely given”.

II. Legislative history

Several of the conditions imposed on controllers when seeking to rely upon consent as a legal basis were controversial during the legislative process. This is true, in particular, regarding the question of who should bear the burden of demonstrating that consent has been obtained and with regard to the provisions that sought to ensure that consent was freely given in a situation of relative power imbalance.

[…]