ICO points businesses towards alternatives to consent as a basis for processing personal data, says expert

Out-Law Analysis | 22 Aug 2017 | 10:02 am | 6 min. read

ANALYSIS: Businesses should consider whether they could or should rely on an alternative to consent to process personal data. That is the clear message from the UK's data protection watchdog.

Obtaining a person's consent to the processing of their personal data is one way businesses can lawfully proceed with that activity. There are other legal bases for processing personal data where consent is not required.

In a recent blog, information commissioner Elizabeth Denham said that one of those other lawful means for data processing "may be more appropriate" for organisations to rely on than consent. Her blog, on the topic of consent under the General Data Protection Regulation (GDPR), said consideration of the alternatives had been lost amidst coverage of the new rules on consent that will apply.

Denham said: "Consent is one way to comply with the GDPR, but it’s not the only way. Headlines about consent often lack context or understanding about all the different lawful bases businesses and organisations will have for processing personal information under the GDPR. Not only has this created confusion, it’s left no room to discuss the other lawful bases organisations can consider using under the new legislation."

Denham's latest comments reflect more subtle messages conveyed in draft guidance the Information Commissioner Office (ICO) published earlier this year on obtaining consent under the GDPR. Denham confirmed in her blog that the finalised guidance is likely to be published in December after EU-wide guidance on the topic has been agreed, and that it is "unlikely" to "change significantly" from the draft version.

The ICO's draft guidance not only offers advice on how consent mechanisms can comply with the new Regulation; it also sets out why consent may be an inappropriate basis to rely on, in some circumstances, when seeking to process personal data.

Beyond obtaining consent, personal data processing can also be justified as "necessary for the performance of a contract" that the data subject is a party of, or "necessary for compliance with a legal obligation to which the controller is subject".

Alternatively, if businesses can show that processing is "necessary for the purposes of the legitimate interests" they or others are pursuing then they can also legitimately collect and use personal data, provided those interests are not "overridden by the interests or fundamental rights and freedoms of the data subject".

Other bases for processing personal data are also set out in the GDPR, which will apply from 25 May 2018, as well as in data protection laws that apply currently.

Consent in the digital world

Achieving valid consent has been a contentious issue in the internet age. It has been clear for some time that valid consent to data processing and sharing arrangements cannot be implied from vague, legalistic terms contained in long and complex privacy policies hidden away on websites. Many businesses have therefore, over time, and following new thinking by policy makers and regulators, embraced more proactive and dynamic methods of gaining informed consent, through the use of opt-in 'tick' boxes and pop-ups.

However, businesses will be expected to do more to demonstrate they have consent under the GDPR, which will apply from 25 May 2018. This has prompted the ICO to issue new guidance on the topic to aid compliance.

However, businesses who do not rely on consent as the default position may find that compliance with the GDPR is more readily achievable.

Relying on consent opens up potential obligations on the right to erasure

Under the GDPR, processing on the basis of consent will open up additional obligations for businesses that other organisations processing personal data on an alternative basis will not have to face.

One of the duties that could arise is the need to erase personal data at the behest of data subjects. The Regulation provides individuals with qualified rights to "the erasure of personal data concerning him or her without undue delay", under rules which are perhaps better known as the 'right to be forgotten'.

The duty to erase data can arise in a range of circumstances, including if the data subject "withdraws consent on which the processing is based". Processing data under an alternative lawful basis provides more scope for organisations to reject right to be forgotten requests. This could be important as if an organisation has to delete personal data it may mean that they can no longer provide the service they were offering. In addition, it could force them to delete records they are required to keep of the fact that they provided the service, which the GDPR demands be documented for reporting purposes. If the organisation then sought to rely on an alternative consent to retain the personal data, the reliance on the alternative basis could invalidate the original consent.

Examples of alternatives to consent

Processing personal data on the basis of consent is sometimes the only option for businesses, such as in the case of processing sensitive personal data where the collection of that data is necessary for the performance of a contract, for example the provision of medical insurance. However, there are many circumstances in which other options could be explored, and indeed where consent may not be a valid basis for processing the data at all. Examples are included in the ICO's guidance.

Take, for example, the case where an employer wishes to process data about employees. The imbalance in the relationship between the employer and employee means that it might be difficult for employers to show that consent from an employee was freely given, as is required under the GDPR. As a recital to the Regulation puts it, "consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment".

There are other cases where basing data processing on consent will not be the best option and could cause problems for businesses.

For example, it might be necessary for businesses to process personal data to provide services to those customers that those customers have specifically opted into. In those cases it would be wrong to ask customers for their consent to process that information if, upon that customer withdrawing consent, it would no longer be possible to provide the service, or maintain a record of the fact that that business provided that service to that customer. 

An example of this would be a bank that sought a customer's consent in order to process all personal data connected with the provision of a current account. If the customer withdrew consent, the bank would need to close the account, meaning that the provision of the account was conditional upon the customer giving consent. However, as this is a situation where the processing of the personal data was necessary in order to provide the account, the bank should have relied on the 'necessary for the performance of a contract' provision.

At the point of withdrawing consent, the bank could not then seek to rely on an alternative processing ground, such as necessary for the performance of the contract. This is because it is the ICO's view that giving consumers the impression that they have a choice over data processing would be misleading and inherently unfair, as it presents the individual with a "false choice". Consent is not valid if there is not a free choice and it is not capable of withdrawal. .

In addition, if customers who have given consent subsequently withdraw it, businesses could face a PR disaster, and potential scrutiny by regulators, if they ignore that request to withdraw consent or seek to rely on an alternative processing ground. However, by adhering to requests for the withdrawal of consent, businesses could find themselves forced to shut down services that others depend on. For example, it could see banks unable to complete payments to people owed money.

Oral consent – good news for high-street retailers

Often, retailers will conduct promotional activities in-store where shop assistants seek to get customers to sign up to new services or to mailing lists. In those circumstances, shop assistants may sign customers up on the basis of preferences those customers express orally.

Under the GDPR, businesses face new obligations to keep a record of the consent obtained by data subjects to be able to demonstrate compliance when requested by regulators. However, there has been a question of how those record keeping duties apply to consent given orally.

In its draft guidance, the ICO has offered welcome clarification on the point. It said that oral confirmation represents a clear affirmative action by a consumer to signal their consent to data processing. Answering 'yes' to a clear oral consent request is valid consent for the purposes of the GDPR, it said.

The ICO said that businesses that obtain oral consent must retain records of who consented, and take a note of the time and date when consent was given at the time of the conversation, as well as a copy of any script used for obtaining consent. A full record of the conversation does not need to be kept, it said.

Kathryn Wynn is a data protection law expert at Pinsent Masons, the law firm behind Out-Law.com.