“For in reason, all government without the consent of the governed is the very definition of slavery.” - Jonathan Swift
Yet when it came to obtaining the consent of an individual for storing and processing his or her personal information, until 25 May 2018 we were living in a world where implied consent/failure to deny was interpreted in the affirmative.
GDPR has laid down in Article 6 that processing such information shall be lawful only if the data subject has given CONSENT to the processing of his or her personal data for one or more specific purposes.
Article 4 (11) of GDPR defines Consent of Data Subject as:
“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The import of the language is as clear as day – a company can store, process and transfer the personal information of a data subject once a clear and unequivocal consent has been indicated by a positive action. Then why has GDPR had multinationals running to their lawyers to tune up their Privacy Policies and Terms and Conditions?
One may be able to fully appreciate the notion of consent under GDPR only after reading Article 7(4) of the Regulations, which states:
“When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
Along with Recital 43 which states:
“Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”
The onus on the companies collecting personal information has been significantly enhanced by the regulations. The regulations not only qualify ‘consent’ with a positive action on the part of the data subject but also place the intention of the data subject at the center of the entire regime.
Therefore, if an online active-wear store merely informs its customers at checkout that their personal information will be shared with other retailers selling fitness products and supplements, without providing an option to opt out, the consent will be considered not to have been given freely and therefore, invalid. When the processing has multiple purposes, consent should be given for all of them (Recital 32).
Consent should be “explicit” where the data involved is sensitive personal data i.e. physical or mental health data, racial, ethnic origin, etc. “Free” consent would entail a situation where the data subject has the option to exercise a genuine choice whether to consent or not. An “unambiguous” consent, the tricky one, is when there has to be clear affirmative action by the data subject. This may be through a statement in writing or by ticking a box and therefore, the data subject should specifically opt in. Any reliance on silence, default settings, pre-ticked boxes or opt-outs is invalid.
Under the GDPR regime, the privacy policies should be:
Lastly, has GDPR made the concept of implied consent redundant? Well, not entirely. Consent may also be given by another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data (Recital 32). Therefore, if a visitor voluntarily provides his name, contact number and e-mail address to the company, it could be said that the visitor consented to his or her information being stored and processed in an implied yet unambiguous manner.
While the UAE may or may not decide to come out with a federal regulation as comprehensive as the EU’s GDPR, the existing legal framework lays down sufficient guidelines to safeguard an individual’s privacy. The general right emanates from the Constitution, which provides that “freedom of communication by post, telegraph or other means of communication and the secrecy thereof shall be guaranteed in accordance with the law”.
Guaranteeing this right, the Civil Code of the UAE allows the individual to seek compensation for any “unlawful infringement” of his or her privacy. Acknowledging the importance of privacy, the Penal Code safeguards an individual’s privacy and provides that anyone who misuses or discloses any private or personal data of an individual is punishable by fine and imprisonment.
Authored by Cherry Bhatnagar (Senior Associate) with inputs from Kokila Alagh (Founder).