What Does the GDPR Mean by Consent?
The GDPR will abolish and replace EU Directive 95/46/EC, known as the Data Protection Directive. One point of confusion under this Directive is what exactly is meant by consent. Understanding consent is critical because obtaining it correctly plays an important role in processing data legally. Without consent, an organization does not have legitimate reasons to store or use personal data. The current Directive was written in a way that led some member states to emphasize different aspects of consent and of how to seek it. Without changing the general understanding of “consent,” the GDPR should facilitate a better approach to getting consent and provide more detailed definitions.
Before looking at what new definitions the GDPR added, let us first review two definitions of consent:
- According to Directive 95/46/EC, “the data subject’s consent” refers to any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.
- According to the GDPR, ‘consent’ of the data subject refers to any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
The GDPR definition seems to add the term “unambiguous.” But this was actually already included in Article 7 of the Directive, which states that “Member States shall provide that personal data may be processed only if: (a) the data subject has unambiguously given his consent…”
The GDPR definition also adds the phrase “by a statement or clear affirmative action.” This added phrase is important because it emphasizes that an individual must take action to be considered as providing consent. The GDPR also states that “silence, pre-ticked boxes or inactivity should not […] constitute consent.” This clause places the responsibility on individuals to check boxes themselves, to press a button, to orally affirm their consent, or to perform another action that indicates their consent.
The GDPR also updated the meaning of “freely given” in view of the imbalance of power between parties that affects free will. It notes that consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations even though separate consent can be given in the individual case. In the case of a contract or the provision of a service, consent is presumed not to be freely given if the contract or service is dependent on the consent even though the consent is not necessary for such performance.
US-based companies, or those that would use these companies’ services, must review the GDPR and the Privacy Shield agreement. They must make sure that their collection or processing of data from people in the EU is GDPR compliant; otherwise they could face heavy fines.