Consent was drafted in the GDPR as a legal panacea for data processing where no other statutory legal grounds exist. However, there are data controllers / companies that have established consent as one of their major – if not only – legal grounds. Is that prudent?
In her Duet Interview with the well-respected expert on data protection, Prof. Dr Helfrich, Dr Caldarola, author of Big Data and Law, considers whether consent is a suitable instrument for frequent use in digital business models.
Consent needs to be easily understood, transparent and informative in order for an individual to legally consent to the processing of his/her data. Most of the time, companies provide a lengthy and extensive form or text of some sort that customers/data subjects merely skim through or scroll down to continue with their activities on the internet. Is this an appropriate interpretation of a consent and does it fulfil the intent of the legislator? Or are companies deliberately taking advantage of a potential customer’s desire to fulfil his/her original purpose online as quickly as possible without being bothered with extensive consent and information texts, with the result that most customers just scroll through and click “yes” without giving the matter any further thought or consideration?
Prof. Dr Marcus Helfrich: In my opinion, we should be taking the concept of “informed consent” which forms the basis of processing of personal data under Art. 6 para 1 lit. a GDPR (General Data Protection Regulation) more seriously than has previously been the case. Our democratic and liberal society is based on a very fundamental understanding of a person being born free and able to identify him/herself as well as being capable of leading a life grounded in self-determination. Not only are our social and our political systems based on this understanding, which philosophically is formed by the ideas of enlightenment, and, especially, by the influential thoughts of Immanuel Kant, but, indeed, our very legal system reflects this understanding. For this reason, it is incumbent upon us to take the notion of an informed consent very seriously. The legal relationships between individuals are based on trust and decisions which have been made by choice.
My favorite quote is:
“Sapere aude! Have the courage to use your mind without someone else’s guidance.” Immanuel Kant, 1784
Of course, I recognize that competitive market behaviour, which is characterized by rival companies and the struggle to obtain customer or product sales, has made companies susceptible and willing to influence the customers’ minds and decisions in as effective a manner as possible, including the use of psychological artifices. But, in the end, the basic legal condition remains that a person’s decision must be based on it having been made intentionally and rationally. Such a decision is only possible if the individual is at least aware of all the relevant aspects that might be important. If we do not accept this proviso, we as a political society have to bid farewell to the concepts of free will and self-determination. The road to a non-democratic autocracy in the hands of the most influential enterprises or interest groups would then lie open.
As you might imagine, the question of how we deal with the concept of consent within a context of protecting privacy leads directly to the question of our understanding of democracy, justice and political participation.
In short, there is no alternative, in my opinion, to a concept of “informed consent”. First of all, it is the role and duty of a state to set up rules to protect and enforce this notion. Secondly, everybody has to make his or her own decisions regarding this important issue which translates into exercising our fundamental right to self-determination. The concept of “informed consent” includes, therefore, a need for conscious action on the part of the customer. If he or she acts without having educated himself or herself on this matter and has thus decided without having given any real thought to the issue, then we cannot speak of deliberate consent in this situation. But this might only describe a single instance and is not fundamentally different to the principle of informed consent. As Immanuel Kant stated, we have to use our minds to act and live in self-determination.
There are statutory legal grounds allowing for data processing and consent as a legal panacea, if no statutory grounds are available. Which cases can resort to consent as the only way to achieve a company’s purpose and which cases have a variety of legal grounds at their disposal?
To put it simply, if no legal grounds can be found under Art. 6 para 1 lit. b to f, then consent remains the only legal option to processing personal data. This having been said, we have to keep in mind that the relation between the different legal grounds for processing personal data under article 6 is complicated. On the one hand, all of these grounds might act as a legal foundation for processing. On the other hand, you are not entitled to base your processing on the legal grounds listed in Art. 6 para 1 lit. b to f, if you asked for consent as per Art. 6 para 1 lit. a, and the consent was refused by the person in question. Furthermore, requesting consent might be seen as not acting in good faith if the relevant processing is a legal requirement (e.g. tax law) because not processing the data is simply not an option.
An individual can withdraw his or her consent at any time, meaning that a data controller must stop using the respective personal data and erase the data from its IT systems. Logically, this withdrawal requires consent management. Is it advisable for a company to base its business on the consent of an individual – especially in the cases of Industry 4.0 or Big Data where lengthy manufacturing / analyses times are involved? What alternatives are available and why should they be employed? Why do companies often resort to consent as if it were their only option?
A recommendation to process data legally which is solely based on the consent of an individual is simple and, in its simplicity, wrong.
A company has to consider carefully which legal ground for processing under article 6 is most suitable. Only after that legal analysis has been completed, is the company able to identify situations where it is advisable to ask for consent.
I doubt that any scientifically reliable research has been done on the question of how often companies resort to other legal grounds instead of consent for legitimate processing of personal data. For this reason, I am not able to speculate on why alternatives to consent are not used to process data.
Consent requires active management of permission being granted and withdrawn. In addition, simply soliciting consent forces users to click more often and thus extends the duration of their online activity which, in turn, carries the risk that individuals might quickly lose interest and stop their purchasing plans – as we have learned in an earlier interview with Petra Dahm. Is consent really effective?
Yes, consent is promotional. Exercising your right to free will and self-determination requires effort. If self-determination is not being practiced owing to one or two clicks, this would prove that our political development since the 18th century has only progressed in terms of technology.
Companies often draft consent not only because they require it. They frequently use consent to include other data processing activities. Most of the time, an individual isn’t given the opportunity to grant a partial consent in order to pursue the activity which had originally been planned. Are companies using consent to become a data vacuum cleaner? Are companies misusing the legal grounds of this last resort to legitimate data processing and does this mean that consent is turning into a tool to suck up even more data?
In my experience, these types of behaviour on the part of companies very often occur owing to misinformation and a lack of knowledge of how data processing might be done lawfully. The limitation to a defined purpose is one of the fundamental principles of data protection law. I doubt it is possible to identify companies deliberately misusing the intended legal panacea as a general problem.
Of course, there are companies who wilfully go beyond what they are legally allowed to do and gather additional data. In such cases, the supervisory authorities are asked to investigate these situations and to react by applying significant punitive fines. In concrete terms, we have seen that, since 2018, there is a development towards sanctioning these criminal acts.
In order for a consent to be legitimate, it must be precise and yet comprehensible for data subjects. For legal advisors, it seems very difficult to draft such a consent that fulfils all legal requirements. Many consents that have been reviewed by the courts were judged not to have been legitimate. Is consent a good choice for secure legal grounds of a digital business model?
If a request for consent is made, after a company had analysed the necessity for consent based on the rules of Art. 6, then it is indeed a prudent choice to ensure the secure legal grounds of digital business.
The problem is that legal advisors themselves must analyse these situations in a nuanced fashion, and their conclusions must be based on skilled business expertise. We really need specialists who are familiar not only with the legal requirements of the different legislative acts governing privacy laws, they must also know how business processes are defined and which business needs are based on the processing of personal data. Fulfilling all of these requirements means that privacy law and proper legal advice concerning it have become challenging activities for consultants.
Given the fact that digital business models are very complex, an individual can hardly be expected to have a real overview of the implications of the consent in question. With this in mind, do you think that an individual is truly able to provide his or her consent? In other words, is consent an appropriate legal basis? Would it have been wiser if the legislator had provided a precise list of data processing aims to give individuals and companies a legally watertight and reliable framework?
Yes, I strongly believe in the capacity of people to understand what is important to them. This includes the fact that one can ask if something is dubious or not trustworthy. In the end, one has to decide for oneself if one is willing to take the risk of being subject to one’s personal data being processed, if the grounds for such processing have not been explained properly. This freedom to take risks is also part of the idea of having the right of self-determination and acting upon it. As a liberal society we have to accept such a decision as well.
Digital business models are very intricate, and the processing of data is hardly comprehensible for most consumers. Complexity can usually only be reduced through trust. Is it, therefore, not the responsibility of specialists, such as data protection authorities, data protection officers, information security officers, data protection legislators and others, who understand the complexity in its entirety due to their insights and profession, to act as a guarantor for legitimate, balanced, honest and fair data processing?
Yes, I agree completely with that sentiment. Expertise is not only a professional qualification. It corresponds with an understanding of accepting the duties and responsibilities which come with being an expert in that specific domain. Therefore, the expert in question should play an active role within the process of developing transparency and trust, especially if digital technology is concerned and personal data is being processed. In my opinion, there is a need to explain not only how data processing functions, but also to show which positive effects might be associated with the use of data processing. A general and broader social consent should become a prerequisite of the broader use of information technology and data processing within a democratic society. Data processing not only has positive effects on the economy. It has an important impact on society and affects our understanding of political participation, decision-making processes and, in the end, how we view individual freedom and human rights. Experts play an important role in how we rationally acquire knowledge concerning information technology and data processing. Proper information within a rational framework is the key to avoiding “alternative facts” and to creating trust in legitimate processes.
The GDPR has been in force since May 2018, and companies and data subjects have experienced quite a few different scenarios due to the fact that data protection and information security have come into the spotlight. Do you anticipate the next legal amendment to revise the instrument of consent?
It is hard to speculate about future legal developments. But I do not think that the concept of consent will disappear. As I explained earlier, expressing your consent is to be seen as one of the most important capabilities and rights of a self-determining individual. Perhaps the concept of consent will reflect future technological developments. The core idea of consent, namely that an individual has to make a decision while gathering all the necessary information and evaluating it using a value-based approach to reach a rational conclusion, will not change.
The statute of e‑privacy is intended to come into force quite soon. Drafts have already revealed that consent is to be composed in a much more differentiated way in this statute. Can you, first of all, briefly explain what might be expected with regard to consent, and, secondly, whether the way it has been drafted indicates that this thorny subject will be handled better, and, finally, whether it is likely that the way consent is treated in the e‑privacy statute may be a model for the next revision of the GDPR?
Given that the draft is still under discussion, it is impossible to speculate or to discuss aspects which could improve or correct the processing of personal data under e‑privacy at this time. The GDPR defines the basis for legitimate processing of personal data. Perhaps the upcoming e‑privacy regulation might improve the requirements for lawful processing. If the requirements are not expanded upon or improved in some way, then we must revert back to the baseline found in the GDPR.
Prof. Helfrich, thank you so much for sharing your opinion, your thoughts and your view on consent, its importance and its handling in daily life.
Thank you, Dr Caldarola, and I look forward to reading your upcoming interviews with recognized experts, delving even deeper into this fascinating topic.