Dear Madam or Sir,
First of all, we would like to express our sincere thanks for the opportunity to provide comments on the Article 29 Working Party’s proposed “Guidelines on Consent under Regulation 2016/679” (hereinafter “the Guidelines”). Spolek pro ochranu osobních údajů (Data Protection Association) is the largest organization bringing together professionals in the area of personal data protection and future personal data protection officers in the Czech Republic. We are grateful to have been given the opportunity to review the Guidelines. However, we would like to respectfully submit some amendments and refinements to the proposals in the Guidelines in these areas:
Art. 3.1. Free / freely given
The proposal states in Art. 3.1. that “as a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid.”
We consider the term “negative consequences” to be too broad. In this context, the GDPR uses the more precise and narrower term “detriment” (rec. 42: “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment”). The term “detriment” does not correspond to the term “negative consequences.”
Examples used in guidelines
We consider some of the examples of processing for which consent is required, as used in the guidelines, to be inappropriately selected. In several cases the WP29 uses examples of processing that do not fall under the consent legal basis. That makes the guidance very confusing as to the situations where consent is really needed and may mislead organisations into using it in inappropriate circumstances. In the end this misunderstanding may affect the rights and freedoms of data subjects.
Specifically, in Example Nr. 1 online behavioural advertising should, at least in some cases, fall rather under processing for legitimate interest purposes (as direct marketing, see the provisions of Rec. 47 and Art. 21). A similar problem arises with Example Nr. 6 and Example Nr. 7 (we believe that the use of customers’ data to send them marketing communication by e-mail does not require consent; consent would only be needed for sending e-mails of other companies within the group). Moreover, the text is not clear – there are not two separate purposes in this example (the purpose remains the same – direct marketing in the form of e-mails, but this consent is obtained for different controllers). A similar problem arises with Example Nr. 16 etc.
Art. 3.1.1. Imbalance of power
The proposal states in Art. 3.1. that “An imbalance of power also occurs in the employment context. Given the dependency that results from the employer/employee relationship, it is unlikely that the data subject is able to deny his/her employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal. It is unlikely that an employee would be able to respond freely to a request for consent from his/her employer to, for example, activate monitoring systems such as camera-observation in a workplace, or to fill out assessment forms, without feeling any pressure to consent. Therefore, WP29 deems it problematic for employers to process personal data of current or future employees on the basis of consent as it is unlikely to be freely given. For the majority of such data processing at work, the lawful basis cannot and should not be the consent of the employees (Article 6(1a)) due to the nature of the relationship between employer and employee.”
According to the guidelines, consent is not suitable for the processing of employees’ data because their consent will never be sufficiently free. This is not entirely consistent with the view that in some (limited) situations the consent of employees is needed, typically in relation to the use of employee photos, for example, for marketing purposes.
Art. 3.1.2. Conditionality
The proposal states in Art. 3.1.2. that “Article 7(4) of Regulation seeks to ensure that the purpose of personal data processing is not disguised nor bundled with the provision of a contract of a service for which these personal data are not necessary. In doing so, the GDPR ensures that the processing of personal data for which consent is sought cannot become directly or indirectly the counter-performance of a contract”. Similarly, the proposal states on page 19: “This means, inter alia, that a controller must make withdrawal of consent possible free of charge or without lowering service levels.”
In fact, the Regulation provides only that “utmost account shall be taken of whether inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” This fact is one of the aspects which should be considered, but not the only or the absolute one. Particularly, if the service is provided free of charge, there is no reason to restrict the possibility of the service provider to ask for counter-performance in the form of the processing of personal data that is transparently and fairly explained to data subjects. The Working Party should state that consent to the processing of personal data can be asked for in exchange for a free service, or should clearly confirm that such processing can be based on legitimate interests (as long as all other data processing principles and rules are followed). Counter-performance in the form of consent to the processing of personal data is a concept that is fully compatible with the law of the European Union (for a recent example see rec. 4 of Regulation (EU) 2017/1953).
For the sake of clarification, we would like to add that a visitor to a freely accessible website usually does not conclude a contract with the provider of such a site in order to read the content placed on the website.
The proposal further states in Art. 3.1.2.: “As long as there is a possibility to have the contract performed or the contracted service delivered by this controller without consenting to the other or additional data use in question, this means there is no longer a conditional service. However, both services need to be genuinely equivalent, including no further costs”. We strongly oppose these conclusions. As stated above, we believe that such a strict and categorical limitation is not included in the Regulation at all.
For the proper interpretation of these provisions, the freedom to conduct a business under Art. 16 of the Charter of Fundamental Rights of the European Union should be duly taken into account. We accordingly recommend explicitly stating that a controller who provides a service free of charge without being obliged to do so should be entitled to decide freely, and in line with binding laws, what counter-performance he/she will ask for. In particular, we suggest that the requirement for equivalency of the services and no further costs be omitted, as it stands in stark contradiction with the freedom to conduct a business.
The same additions should be made in Art. 3.1.4. (for services which are free of charge) – in Art. 3.1.4. the proposal namely states: “If a controller is able to show that a service includes the possibility to withdraw consent without any negative consequences e.g. without the performance of the service being downgraded to the detriment of the user, this may serve to show that the consent was given freely.” In particular, the withdrawal of consent (if required so broadly, in line with the current position of the Working Party) will in many cases have a fatal impact on businesses working with data and on the information society as a whole. It is completely illusory to expect undertakings to provide the same level of service with the possibility to process personal data and without this possibility.
Art. 3.3.1. Minimum content requirements for consent to be ‘informed’
Art. 3.3.1. states: “For consent to be informed, it is necessary to inform the data subject of certain elements that are crucial to make a choice. Therefore, WP29 is of the opinion that at least the following information is required for obtaining valid consent….” We agree that, in order to comply with the obligation to inform, it is necessary to provide the data subject with the information mentioned in this article. However, in our view, providing the following information is sufficient for obtaining valid consent:
a) what type of data will be collected and used
b) identity of the controller
c) the purposes of the processing
See also in particular rec. 42: “For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.”
Art. 3.4. Unambiguous indication of wishes
The proposal states: “A ‘clear affirmative act’ means that the data subject must have taken a deliberate action to consent to the particular processing. Recital 32 sets out additional guidance on this. Consent can be collected through a written or (a recorded) oral statement, including by electronic means.”
We believe that the requirement for a recorded oral statement does not correspond with the text of the Regulation. First of all, it is not clear what is meant by the term “recorded”. Is it a record made by the controller in his or her systems (date, content etc.), or must it be a record (in the sense of a “recording of oral consent”) of the consent?
If the purpose was to ask for a recording of oral consent, we would like to emphasize that according to Art. 7(1) of the Regulation: “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” The Regulation does not specify how this obligation is to be fulfilled, even if it is clear that the burden of proof is on the side of the controller. Additionally, there is a long tradition in the continental law system that it is possible to use any legal means to prove a fact. It is at the discretion of the controller which proof to choose (it could be, for example, the testimonial evidence of trusted witnesses). The requirement to record oral consent would not correspond to the text of the Regulation.
Art. 5.2. Withdrawal of consent
The opinion states: “When consent is obtained via electronic means through only one mouse-click, swipe, or keystroke, data subjects must, in practice, be able to withdraw that consent equally as easily. Where consent is obtained through use of a service-specific user interface (for example, via a website, an app, a log-on account, the interface of an IoT device or by e-mail), there is no doubt a data subject must be able to withdraw consent via the same electronic interface, as switching to another interface for the sole reason of withdrawing consent would require undue effort”.
We would like to point out that this requirement can only apply if the user registers into such an interface and is able to (re)visit it (register into it) repeatedly. The controller is not obliged to offer such a registration.
As regards processing the data for other purposes, the guidelines limit this possibility as follows: “In cases where the data subject withdraws his/her consent and the controller wishes to continue to process the personal data on another lawful basis, they cannot silently migrate from consent (which is withdrawn) to this other lawful basis. Furthermore, any change in the lawful basis for processing must be notified to a data subject in accordance with the information requirements in Articles 13 and 14 and under the general principle of transparency.”
We generally agree with this conclusion, but we would like to add that further processing on the grounds of another lawful basis could in some situations continue without informing the data subject. This should be possible for example if the data subject had previously been duly informed about this other lawful basis for processing (for example the subject terminates the contract but the processor is obliged to process the data for accounting purposes and the data subject had been duly informed about such a processing previously).
Art. 7.1 Children (Article 8 of the Regulation)
We believe that the whole text of Art. 7.1 should be carefully reconsidered. The impact of Article 8 of the Regulation is limited to situations where consent is the lawful basis (Art. 7(1) of the Regulation: “Where point (a) of Article 6 (1) applies, in relation to the offer of information society services directly to a child…..”).
However, for the processing necessary in order to enable the use of the service itself (i.e., the conclusion of a contract on the use of the service and the fulfilment of such a contract), the legal basis would be Art. 6(1) point (b) rather than Art. 6(1) point (a): “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” From this point of view, we consider Art. 7.1 and Example Nr. 17 not fully appropriate. Whether the consent of the holder of parental responsibility over the child is necessary for concluding the contract depends rather on the general contract law of the Member States (see Art. 8(3) of the Regulation).
Art. 7.1.2. Offered directly to a child
The guidelines state: “The inclusion of the wording ‘offered directly to a child’ indicates that Article 8 is intended to apply to some, not all information society services. In this respect if an information society service provider makes it clear to potential users that it is only offering its service to persons aged 18 or over, and this is not undermined by other evidence (such as the content of the site or marketing plans) then the service will not be considered to be ‘offered directly to a child’ and Article 8 will not apply.”
It is not entirely clear why an age limit of 18 years instead of 13/16 years has been used. Could this example be clarified?
Art. 7.1.4. Children’s consent and parental responsibility
Unfortunately, we have to disagree with the view that: “With regard to a data subject’s autonomy to consent to the processing of their personal data and have full control over the processing, consent by a holder of parental responsibility or authorized by a holder of parental responsibility for the processing of personal data of children will expire once the data subject reaches the age of digital consent. From that day forward, the controller must obtain valid consent from the data subject him/herself.”
We believe that this requirement cannot be derived from the Regulation as a rule in any way. We believe, however, that this requirement is reasonable in some situations but not in many others. Especially if the child itself uses the service based on consent and is fully aware that his or her data are processed (for example, regularly gets e-mails with information about news in the field of computer games), there is no reason for the consent to be renewed.
Art. 8. Consent obtained under Directive 95/46/EC
It is not entirely clear what information about the mechanisms to withdraw consent is considered mandatory for the consent to be valid under the GDPR. We propose that the Working Party clarify this duty, especially in relation to the information about how to withdraw consent, as this requirement is not contained in current laws and regulations, including Directive 95/46/EC, and shall not be demanded. This does not affect the obligation to inform about the right to withdraw consent.
We would like to once again emphasize that we are really grateful for the opportunity to provide the above mentioned comments on the Guidelines.
JUDr. Vladan Rámiš, Ph.D.
Chairman of the Committee
Ing. Václav Mach
Vice Chairman of the Committee