Where processing of personal information is based on consent, the EU General Data Protection Regulation (GDPR) sets quite a few conditions that must be met so that the user’s consent is regarded effective and lawful. One of these requirements we want to look at in more detail is that consent must be “freely given”.
What does the law say?
Art. 7 (4) of the GDPR reads:
“When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
What does this legalese mean? The data controller cannot link the decision of whether it enters into a contract with a potential customer to the condition that the customer consents to, for example, the use of his personal information to distribute marketing messages in a take-it-or-leave-it setup. The company may, on the contrary, ask the customer to consent in the context of concluding the contract - but may not decline the customer solely because he or she refuses to consent.
This concept makes sense when one considers the interplay with other grounds for lawful processing of personal data. Using customer data, for example, to issue invoices is necessary for the performance of the contract and therefore does not require consent. Consent must be obtained only where the purpose of the processing goes beyond the purpose of the contract, such as delivery of marketing messages, and no other legal justification like legitimate interests applies.
What do the supervisory authorities say?
The European Data Protection Board (EDPB), an EU body, issued guidance on the conditions for consent. It states:
“The element “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid.”
The authorities argue that data controllers may not rely on other equivalent offers that are available on the market and do not require their users to consent to the use of personal data. Striving back to our initial example, the EDPB implies an answer to the question whether online service providers are allowed to block visitors from certain content: Such design may not be justified by the argument that users have the choice to look for another service provider.
Another important aspect in designing valid consent options is the notion of granularity. Where users consent to different purposes of data processing (e.g. marketing messages and sharing of the data in between a group), data subjects must have the option to consent or withhold consent for each of the purpose separately.
Furthermore, the data controller must be able to demonstrate that users can refuse or withdraw consent without detriment, i.e. that such behavior does not lead to extra costs or limited products or services. The EDPB vaguely acknowledges that the GDPR “does not preclude all incentives”, such as exclusive presales for subscribers of the company’s magazine who consented to its receipt, but leaves the onus of proof, and therefore the risk of non-compliance, with the data controller.
In employment contexts, consent is often likely to be considered unfree and therefore invalid. For non-EU companies, this apparently only applies to employees being subject to the GDPR. Where companies intend to implement new processing operations on employee data, in-depth legal review is recommendable. Other justifications than consent, such as legitimate interest, may be an appropriate alternative in the individual case.
What do the courts say?
Not much yet. The European Court of Justice, being the highest instance to rule on the interpretation of the GDPR, have not yet issued precedence on that topic. But this only seems like a question of time. Meanwhile, interesting rulings of national courts fuel the debate.
In August 2018, the Supreme Court of Wien, Austria, confirmed the abovementioned interpretation of Art. 7 (4) GDPR and ruled a clause invalid that included consent to the use of personal data for marketing purposes. The customer only had the choice to agree to the terms and conditions including that clause or to not enter into the contract.
In June 2019, the Higher Regional Court of Frankfurt, Germany, ruled on the validity of a consent given in the context of a free lottery. A website provider offered participation only on under the condition that the user consented to the receipt of marketing messages by 8 partner companies: No consent – no chance of winning. The judges ruled that such consent was freely given, arguing that it was up to the consumer to decide whether the disclosure of the request information in exchange for participation in the lottery was worth it.
In its reasoning, the court did not even discuss whether Art. 7 (4) GDPR had any impact in the given context. Why? It will probably remain the court’s secret. One possible explanation is that they did not consider participation in the lottery in question as a contract, which may be the case due to specific German law on lotteries. Another explanation could be that they simply have not taken account of this relatively new legal norm.
Outlook: monetization of data?
The GDPR gives companies, particularly online service providers, a hard time in monetizing user data. Authorities apply strict interpretations, clearly aiming to crush certain data-driven business models, or at least the idea of giving access to personal information as a consideration for the use of services.
An alternative strategic solution is the implementation of paywalls as an alternative to consent. With this design, users are offered the choice to either pay for content or to consent to the use of their data. This approach is also reflected in the Californian Consumer Privacy Act, becoming effective on January 1, 2020: Under this US State law, businesses may apply different pricing if the differences are reasonably related to the value provided to the consumer by the consumer’s data.
However, legal validity of such solution under the GDPR is not clarified yet and will probably be subject to legal disputes. Statements of the EDPB indicate that authorities will not accept that approach and instead push free service to become chargeable in general. The ruling of the Higher Regional Court of Frankfurt points in a different direction. The competence for final decisions remains in the hands of the courts, particularly the European Court of Justice. We stay tuned.