Angst over the use of data on individuals in the United States for marketing and political purposes has led many to suggest that the European Union’s new General Data Protection Regulation provides a regulatory model that the US should emulate.
Any discussion of this issue must be grounded in a substantive understanding of the GDPR’s requirements, which are much more extensive than most commentators have described. I don’t believe that anyone is attempting to gloss over the scope of the regulation – rather, the damn thing is 88 pages long, far too much for most of us to assimilate in one sitting. Just because I was curious, I did a comparison of word counts and the regulation (I’ll start referring to it as the GDPR) is 7 times longer than the US Constitution.
So the purpose of this post and the next is to provide the detail necessary to understand it. And the thing is – IT’S NOT JUST ABOUT CONSENT.
Under the GDPR, all collection and use of personal data is prohibited, unless an exemption from the prohibition applies. Consent by a data subject provides the exemption most applicable to the majority of American technology companies; however, the rules and obligations accompanying consent are less frequently discussed. Moreover, there are a host of other requirements that must be followed, regardless of the basis on which information regarding a data subject may be processed.
So, the following will become very technical very quickly. I’ve tried to keep it readable because I believe that if you are going to discuss this topic, there is a great deal you need to understand. But despite the level of detail that follows, some of the subtleties of the regulation have been lost. Thus, if you are looking for guidance as to how the GDPR applies to you, you’d best get a lawyer.
Let’s start with the definition of personal data. Personal data is “any information relating to an identified or identifiable natural person …”. I’ve read descriptions of personal data which refer to the term as information that can be used to identify a person, and while that covers a large number of cases, it doesn’t quite capture how broad the language actually is. This will become important later when we consider some examples.
Next up is the restriction on using personal data. Earlier I said that the GDPR restricts the collection or use of personal data. Actually, the restriction is broader than that. It prohibits the “processing” of personal data. The definition of processing has over 15 separate verbs attached to the description, so best think of it as “touching” data in any way.
There are two important players in this restriction against the processing of personal data. First is a “Controller” who is the natural or legal person which … determines the purposes and means of the processing of personal data. Second is the “Processor” which is the natural or legal person who processes the personal data for the Controller.
With all that out of the way, we can begin.
There are six exemptions to the general prohibition; the first and the most important is consent by the data subject. The language is “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” I’ve added the emphasis to point out that the consent cannot be broad and general, such as for “marketing purposes” but must identify the purpose for which collected data will be used in some detail.
However, if you (as a controller) wish to collect data for multiple purposes, you have to get separate consent for each specific purpose. And, once having collected personal data, if you wish to process it for a different purpose than that for which you originally collected it, you must – prior to processing it for such additional purpose – inform the data subject as to such other purpose and provide an opportunity for the data subject to withdraw such consent.
Consent can’t be buried in a long document. Rather, a “request for consent shall be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.” (Emphasis added.) Note that consent can be obtained other than through a written document although this may make the record keeping described above a tad more difficult.
If processing is based on consent, the data subject must be able to withdraw consent at any time after it was originally given.
And if consent is obtained as part of the performance of a contract, the consent is unlikely to be valid if the personal data is not necessary for the performance of a contract.
The requirements for consent become even more rigorous for special categories of data. These categories are for data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic or biometric data (used for the purpose of uniquely identifying a natural person), and data concerning health, sex life or sexual orientation.
Again, such data can be processed if the data subject gives “explicit” consent and if the law of the Member State does not provide that the data subject may not “lift the prohibition.” In other words, a Member State may provide that such data may not be processed even with the explicit consent of the data subject.
The GDPR fails to state how “explicit” consent must be obtained. Fortunately, the august Article 29 Working Group published guidelines on explicit consent in April of 2018. A writing signed by a data subject is sufficient. In addition, an electronic signature, a scanned document, or an email from the data subject may qualify as well.
The GDPR also provides an example of explicit consent by a visitor to a website. Provided that the other conditions of consent are met (the request is clear, intelligible, for a specific purpose, etc.) a consent screen that provides “Yes” and “No” check boxes may be sufficient.
As a data controller you need to be able to demonstrate that the data subject has consented to processing. This means that you, directly or indirectly, must keep a record as to how consent was obtained for as long as you are in possession of the personal data. By implication, you must also keep a record as to the purpose for which consent was given.
When you obtain the data (whether on the basis of consent or otherwise) you must compose a laundry list of up to a dozen different disclosures to the data subject. These include his or her right to object to the processing and to obtain access to, correction of or even erasure of the data.
If you are a controller, a data subject has the right to ask you whether you are processing personal data concerning him or her, and if you are, to find out 8 different items regarding such processing, and to get a copy of the data.
If the data is inaccurate or incomplete, the data subject has the right to correct or add to such information.
Data subjects have the right to have you erase personal data if they are no longer needed for the purpose for which they were processed or if the grounds on which they were processed no longer apply (including, as mentioned, where they have withdrawn their consent). If you have made the data public (even if you did so legitimately) you have the obligation to inform any other controllers who may be processing such data that the data subject has requested erasure.
There is a good deal more to say about this right of erasure, but I’ll save that for another post.
A data subject has the right to require you to restrict processing of his or her data if they contest the accuracy of the data, the processing is unlawful but the data subject does not want the data erased, or you (as controller) no longer need the data for processing. Note how complex this requirement is in practice. You may keep the data in your database, and you can continue to process the data in the remaining parts of the database, but not with respect to the individual(s) that have made such a request.
If you rectify (update) or erase personal data, or restrict the processing of such data under certain of the provisions discussed above, you must communicate such fact to each individual/entity to whom you have previously disclosed such data, unless to do so would prove impossible or involve “disproportionate effort.”
Finally, if a data subject has provided you with personal data either on the basis of consent or pursuant to a contract, he or she has the right to receive that data back, upon demand, in a “structured, commonly used and machine-readable format.” The purpose of this appears to be to enable the data subject to provide such data to another Controller.
Finally, and also worthy of another post, is the right of data subjects to object to processing of personal data in several situations, including any profiling based on such processing. This includes processing of personal data for marketing purposes.