What is clear consent?

Jan Philipp Albrecht

The EU General Data Protection Regulation in 10 points, Part 2

The second important cornerstone of the General Data Protection Regulation is consent. In data protection law, the following applies: only those who can point to a legal basis may process personal data. One such legal basis is the consent of the data subject. This enables individuals to decide for themselves who may receive, use and store which of their data.
What is new are the high demands placed on this consent. Up to now, companies have happily presumed the tacit consent of users: Facebook, for example, interpreted a simple login to the platform as consent to terms of use and data protection declarations that had since been changed. Consent was also obtained through pre-ticked boxes, which users had to carefully untick. Such practices are no longer possible from now on. The consent of the person concerned must - as an expression of their right to self-determination - be informed, voluntary and clearly declared by an act of consent:

1. Informed consent
In order to give consent, data subjects must know what they are being asked to consent to in the first place. To this end, it must be explained in clear and understandable language who processes the data and for what purposes. Extensive information about the storage period of the data and the rights of the data subject must also be provided. In addition, pre-formulated declarations of consent must not contain any unfair terms.

2. Clear act of consent
Any consent also requires a clear act of consent. Tacit consent, which the user may not even have noticed, as in the Facebook example, is therefore no longer possible. In order to give effective consent to data processing, the person concerned must henceforth take an active step, for example by ticking a box themselves (so-called "opt-in"). Even the current practice of displaying cookie banners and processing website users' personal data without their having clicked "ok" does not meet the requirements for an effective act of consent.¹

3. Voluntariness
The data subject must also have a real choice of whether or not to consent. Under the so-called “coupling ban”, the provision of a service must not be made dependent on consent to data processing that is not required at all for carrying out the transaction. This is to prevent those affected from being able to use offers on the Internet only if they provide data about themselves that is not required at all for the service. The widespread practice of forcing smartphone users to consent to the transmission of their location data when installing a flashlight app, for example, is therefore no longer possible.

4. Form
The General Data Protection Regulation does not prescribe a special form for the declaration of consent and makes it clear that consent can also be given electronically, for example by clicking a box when visiting a website or by selecting technical settings in the browser.

5. Revocability
Previously, the possibility of revoking a declaration of consent once given was generally recognized, but not expressly regulated. This is different now: The General Data Protection Regulation clearly stipulates that consent can be freely revoked at any time and without restrictions. Revoking consent must be made just as easy for the person concerned as granting it was. If, for example, consent can be given on an online portal by ticking a box on its website, the portal cannot insist on a complicated form being filled out to withdraw consent.

Consent that violates one of the points mentioned is ineffective. A company that processes data on the basis of such consent does so without a legal basis and therefore exposes itself to severe fines. You can find out more about the harsh sanctions of the General Data Protection Regulation in the sixth article in our series.

¹ The area of online tracking will soon be regulated under the so-called ePrivacy Regulation, which, however, will probably not apply before 2019 and is currently still under negotiation. However, the parliamentary draft also provides that the cookie banner practice is inadmissible under the ePrivacy Regulation. Details on the ePrivacy Regulation and the current status of the procedure can be found here.

