Two new documents were issued in December 2017 by the EU’s Article 29 Data Protection Working Party explaining how to interpret and apply the provisions of the General Data Protection Regulation on the consent that must be obtained from data subjects and the information that must be provided to data subjects for processing their data. The Guidelines on Consent under Regulation 2016/679 and the Guidelines on Transparency under Regulation 2016/679 demonstrate that the era of lengthy, fine-print terms and conditions is over. Data controllers will achieve better compliance with the GDPR by using brief and easily understood FAQ and notices.
This follows first from an increasingly restrictive understanding of the notion that consent must be freely given. Obviously consent is not free if it must be given to enter into an agreement, e.g. if a mobile app for photo editing requires users to activate their GPS localisation. The Guidelines on Consent point to another instance excluding voluntary consent: “bundling” consent to processing for several different purposes in a single statement. This would be the case for example if a service provider not does ask separately for consent to transmit marketing information and to provide access to the user’s data to corporate affiliates.
Second, there is growing pressure to make consent more specific—or as the guidelines say, “granular.” It is prohibited not only to obtain a single consent with respect to several processing purposes, as indicated above, but also to obtain one consent for a single but overly broad purpose. Even if the contractor is unsure how exactly it will process the data, proposing vaguely worded consent is not the right way to go. It would be safer to obtain consent that is narrower but clearly defined, and possibly add further consent to that in the future, than request broadly worded consent, just in case, using vague terms, which can lead to “function creep.”
Third, the GDPR requires the data subject to provide “informed” consent. But it’s not enough for data subjects just to realise they are consenting as they do so. Nor is it sufficient to meet this requirement that the data subject’s statement is not defective because of “a state excluding conscious choice,” as the Polish Civil Code puts it. The concepts used in EU regulations should not be equated with those used in national law. The Guidelines on Consent indicate that informed consent is given when the data subject has been informed in advance of the data controller’s identity, the type of data to be collected and used, and the purposes for which consent is sought, and in particular for decisions based solely on automated processing such as profiling. Data subjects must also be informed that even if they consent to processing of their data, they have a right to withdraw consent at any time.
The Guidelines on Consent also stress that the information must be provided in clear and plain language: “Controllers cannot use long illegible privacy policies or statements full of legal jargon,” and information essential for making informed decisions “may not be hidden in general terms and conditions.”
While the Guidelines on Consent point to a number of restrictions, the Guidelines on Transparency suggest how to adjust to these restrictions. At the same time, however, they give their blessing for example to “push” notices, presented to users “just in time”—“in an ad hoc manner, as and when it is most relevant for the data subject to read.” For example, a notice about access to geolocation data might appear when a user wants to tag a photo with the name of the city where the photo is taken. As the guidelines explain, this “helps to spread the provision of information into easily digestible chunks and reduces the reliance on a single privacy statement/notice containing information that is difficult to understand out of context.” After all, it is hard to understand all the rules for using an app before actually using the app.
Moreover, the Guidelines on Consent provide that the customer’s response to notices, e.g. acknowledging that the user has reviewed information or consenting to processing of the user’s data, can be expressed in numerous ways not requiring any signature or even ticking any special boxes. Thus data controllers have leeway “to develop a consent flow that suits their organisation.” For example: “Swiping on a screen, waving in front of a smart camera, turning a smartphone around clockwise, or in a figure eight motion may be options to indicate agreement, as long as clear information is provided, and it is clear that the motion in question signifies agreement to a specific request.” Conversely, scrolling down or swiping through large blocks of text will not satisfy the requirement of consent through a clear and affirmative action.
This all means that replacing a single set of terms and conditions displayed prior to conclusion of a contract with shorter ad hoc notices to customers over the course of contract performance will not only become a permissible solution in the EU, but will be the preferred solution at least with respect to personal data. It is safe to say that companies can shred their existing terms and conditions and privacy policies and instead consider the particular stages of customer service where the user should be given specific notices.