Mar 2, 2017
Consent can be collected from end users, for example, when a company wants to send a weekly online newsletter to its customers or when a mobile app needs to process its users’ location data to show the right path to a nearby restaurant. However, while consent is a mechanism for users to control the use of their personal data, using consent as a basis for processing raises many data protection issues.
Legal counsel and privacy specialists often advise controllers not to rely on consent as a primary basis for processing personal data if possible. The primary reason for this is that users can withdraw their given consent at any time and exercise their right to be forgotten and have the collected information erased. In addition, the requirements for valid consent have been unclear. Despite this, consent has traditionally been widely used as a basis for processing personal data, as it has been relatively easy to use and it applies to many situations. This has led to discussion of a “privacy by consent” way of thinking, meaning that the processing of personal data is considered fine as long as the user has given his or her consent. This is dangerous, as it may lead to the use of invalid consents and to the neglect of other data protection rules and principles.
One of the goals of the data protection reform has been to clarify and strengthen the rules on consent. Thus, the General Data Protection Regulation (GDPR) has made the rules on consent considerably stricter. When this is combined with the strengthened accountability and transparency principles under the GDPR, consent is no longer an easy way to justify any processing, if it ever was. It should be noted, however, that, for example, the processing of sensitive data and automated decision making that produces legal effects on the data subject can be based on the explicit consent of the user under the GDPR. Thus, it is vital that the requirements for valid consent are clearly defined.
The second part of this blog series includes a checklist of the golden rules for data controllers who want to use end user consent as a basis for processing under the GDPR.
Sini Mickelsson, Privacy Specialist