15/05/2020 The European Data Protection Board (the “EDPB”) recently published its Guidelines 05/2020 (the “EDPB Guidelines”) on consent under the EU General Data Protection Regulation (the “GDPR”). The EDPB Guidelines are a slightly updated version of the Article 29 Working Party’s Guidelines on consent under the GDPR (the “WP29 Guidelines”), which were adopted in April 2018 and endorsed by the EDPB at its first Plenary meeting.
Specifically, the EDPB Guidelines outline that clarifications were needed on the following points:
– regarding further browsing: the action of scrolling or swiping through a webpage, or similar user activity on the website, does not satisfy the requirements for the data subject’s consent under the GDPR;
– processing of the personal data of a child: the EDPB Guidelines point out the specific areas of concern in the GDPR regarding children and consent given or authorized by the holder of parental responsibility over the child. More detailed information follows below.
Conditionality as an important element of a freely given consent
The EDPB Guidelines provide a few main recommendations:
– service providers cannot prevent data subjects from accessing a service on the basis that they do not consent;
– “cookie walls” are not permitted: access to services and functionalities must not be made conditional on the consent of users to the placement of cookies or similar technologies on their terminal equipment.
In particular, the EDPB Guidelines indicate that consent cannot be considered freely given when data controllers offer a choice between their own service, which includes consenting to the use of personal data for additional purposes, and an equivalent service offered by a different controller. In such a case, the freedom of choice would depend on what other market players do and on whether an individual data subject would find the other controller’s services genuinely equivalent. It would furthermore imply an obligation for controllers to monitor market developments to ensure the continued validity of consent for their data processing activities, as a competitor may alter its service at a later stage. As a result, the EDPB Guidelines provide that consent that relies on an alternative option offered by a third party must be deemed a breach of the GDPR.
Practical example from EDPB Guidelines
The EDPB Guidelines give the example of a website provider putting in place a script that blocks content from being visible, except for a request to accept cookies and information on which cookies are being set and for what purposes data will be processed. In such a case there is no possibility to access the content without clicking on the “accept cookies” button, so the data subject is not presented with a genuine choice. Therefore, consent is not freely given and cannot be deemed valid, as the provision of the service relies on the data subject’s consent to the placement of cookies.
Consent as an unambiguous indication of wishes
The EDPB Guidelines state that the GDPR is clear that consent requires a statement from the data subject or a clear affirmative act, which means that it must always be given through an active motion or declaration, and that it must be obvious that the data subject has consented to the particular processing activity. Therefore, the EDPB Guidelines, in accordance with Recital 32 of the GDPR, find that scrolling or swiping through a webpage, or similar user actions, will not in any case constitute a clear and affirmative action, since it may be difficult to distinguish such behaviour from other activity or interaction of the user. Thus, the EDPB Guidelines provide that in such a case it will not be possible to determine that unambiguous consent has been obtained, and that it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it.
Practical example from EDPB Guidelines
The EDPB Guidelines give the example that swiping a bar on a screen, waving in front of a smart camera, turning a smartphone around clockwise, or in a figure-eight motion may be options to indicate agreement, as long as clear information is provided and it is clear that the motion in question signifies agreement to a specific request (e.g. “If you swipe this bar to the left, you agree to the use of information X for purpose Y. Repeat the motion to confirm.”). The controller must be able to demonstrate that consent was obtained this way, and data subjects must be able to withdraw consent as easily as it was given.
The specific areas of concern in the GDPR regarding children
Article 8(1) of the GDPR states that where consent applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. Regarding the age limit of valid consent, the GDPR provides flexibility: Member States can provide by law for a lower age, but this age cannot be below 13 years. While assessing the scope of the definition of “information society services”, the EDPB Guidelines also refer to the case law of the European Court of Justice. The European Court of Justice held that information society services cover contracts and other services that are concluded or transmitted online. The EDPB Guidelines point out that the GDPR does not specify practical ways to gather the parent’s consent or to establish that someone is entitled to give it. Therefore, the EDPB Guidelines recommend the adoption of a proportionate approach, in line with Article 8(2) GDPR and Article 5(1)(c) GDPR (data minimisation). A proportionate approach may be to focus on obtaining a limited amount of information, such as the contact details of a parent or guardian.
Practical example from EDPB Guidelines
The EDPB Guidelines give the example of an online gaming platform that wants to make sure underage customers only subscribe to its services with the consent of their parents or guardians. The controller follows these steps:
- ask the user to state whether they are under or over the age of 16 (or the alternative age of digital consent). If the user states that they are under the age of digital consent:
- the service informs the child that a parent or guardian needs to consent to or authorize the processing before the service is provided to the child. The user is asked to disclose the email address of a parent or guardian.
- the service contacts the parent or guardian, obtains their consent via email for the processing, and takes reasonable steps to confirm that the adult has parental responsibility.
- in case of complaints, the platform takes additional steps to verify the age of the subscriber.
If the platform has met the other consent requirements, it can comply with the additional criteria of Article 8 GDPR by following the steps mentioned above.