Consent is one of the legal bases provided for by the GDPR on which personal data processing can be based, and is a key part of the European regulation. A closer look at this major mechanism.

Already enshrined in the French Data Protection Act (1978), consent is one of the six legal bases provided for by the GDPR authorising the processing of personal data.


It is defined as “any free, specific, informed and unequivocal indication of the will by which the data subject accepts, by a statement or by a clear affirmative action, that personal data concerning him or her may be processed”.


Four cumulative criteria for consent


To be valid, consent must meet four criteria. It must be:


  • Free: consent must not be coerced or influenced. The person must be offered a real choice, without having to suffer negative consequences in the event of refusal. Particular attention must be paid to the free nature of consent in the case of the performance of a contract, including for the provision of a service: refusing to consent to processing that is not necessary for the performance of the contract must not have any consequences for its performance or the provision of the service.


  • Specific: a consent must correspond to a single processing operation, for a specific purpose. If a processing operation has several purposes, the persons must be able to consent independently to one or the other of these purposes. They must be able to freely choose the purposes for which they consent to the processing of their data.


  • Informed: consent must be accompanied by a certain amount of information communicated to the person before they consent. In addition to the transparency obligations, the controller should provide the following information to data subjects to obtain their informed consent: the identity of the controller, the purposes pursued, the categories of data collected, the existence of a right to withdraw consent and, depending on the case, whether the data will be used in the context of automated individual decisions or whether they will be transferred to a country outside the European Union.


  • Unambiguous: consent must be given by a statement or any other clear affirmative action. No ambiguity as to the expression of consent can remain. The following methods of obtaining consent cannot be considered unambiguous: pre-ticked or pre-activated boxes, “group” consents (when a single consent is requested for several separate processing operations), inaction (for example, failure to respond to an email requesting consent).


Consent: strengthened by the GDPR


The GDPR has not fundamentally changed the notion of consent. However, it clarified its definition and strengthened it, adding certain rights and guarantees:


  • Right of withdrawal: the person must be able to withdraw their consent at any time, using a simple method equivalent to that used to collect consent (for example, if the collection was done online, it must be possible to withdraw it online as well).
  • Proof of consent: the controller must be able to demonstrate at any time that the person has consented, under valid conditions.


Controllers must therefore document the conditions for obtaining consent in order to be able to demonstrate:


  • The implementation of mechanisms to avoid linking the collection of consent, in particular to the performance of a contract (“free” consent)
  • The clear and intelligible separation of the different processing purposes (“specific” consent or “granularity of consent”)
  • Proper information for individuals (“informed” consent)
  • The positive nature of the expression of the person’s choice (“unambiguous” consent)


One of the six legal bases authorising data processing


Consent is one of the six legal bases for an organization to process personal data. The other five legal bases are:


  • The contract: the processing is necessary for the performance or preparation of a contract with the data subject;
  • The legal obligation: the processing is imposed by legal texts;
  • The public interest mission: the processing is necessary for the performance of a public interest mission;
  • Legitimate interest: the processing is necessary to pursue the legitimate interests of the data processor or of a third party, in strict compliance with the rights and interests of the persons whose data is processed;
  • Safeguarding vital interests: the processing is necessary to safeguard the vital interests of the data subject, or of a third party.


The GDPR does not create a hierarchy between the different legal bases. For example, consent does not take precedence over others. The appropriate legal basis must be determined by the controller in a manner appropriate to the situation and the type of processing, on a case-by-case basis.


Are the “Consent or Pay” schemes compliant?


More and more websites and large web platforms are offering their visitors the option of accepting all of their cookies or paying a subscription (or a fixed amount) in case of refusal. What is at stake for them is the ability to run behavioral advertising campaigns, which rely on cookies. On 17 April 2024, the European Data Protection Board (EDPB) adopted an opinion on the validity of consent in this context. This opinion follows a request made by the Dutch, Norwegian and Hamburg data protection authorities.


The EDPB highlights the need for large platforms to give users a real choice, which implies that the paid alternative should not be considered as the default way forward. It clarifies that, in most cases, it will not be possible for them to comply with the requirements for meaningful consent if users are offered only a binary choice between consent to the processing of personal data for behavioural advertising purposes and the payment of a fee.


The opinion therefore strongly urges large platforms to offer an additional alternative that is free of charge and free of behavioral advertising (e.g. with contextual advertising). In its opinion, the EDPB specifies the criteria to be taken into account for obtaining free consent and, in particular, the absence of an imbalance of power. For example, the EDPB stresses that the fees charged should not be such as to force individuals to give their consent. Controllers must assess, on a case-by-case basis, whether a payment is appropriate, taking into account, inter alia, their position in the market, the extent to which the individual is dependent on the service and the primary audience of the service.
