The Curious Case of Consent

“For in reason, all government without the consent of the governed is the very definition of slavery.” - Jonathan Swift

Yet when it came to obtaining an individual's consent for storing and processing his or her personal information, until 25 May 2018 we were living in a world where implied consent, or a failure to object, was interpreted as affirmative consent.

Then, the world made way for the EU General Data Protection Regulation (GDPR) in 2018, and with it came the concepts of “free consent” and “unambiguous consent”. So, when is consent considered “free”? This article explores the way GDPR has bolstered the need for informed consent and an ‘easy on the mind’ privacy policy.

A privacy policy is a mandatory legal requirement for any website owner or App developer, aiming to secure the rights, privacy, and security of internet users from unsafe and unfair data collection and processing. It lays down the manner in which a company collects, stores, processes and transfers the personal information of the users.

GDPR lays down in Article 6 that processing such information shall be lawful only if the data subject has given CONSENT to the processing of his or her personal data for one or more specific purposes.

Therefore, to understand the extent of revisions that may be required in a pre-GDPR privacy policy, it may be helpful to begin with deciphering the concept of “consent” under the GDPR regime.

Article 4 (11) of GDPR defines Consent of Data Subject as:

“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

The import of the language is as clear as day – a company can store, process and transfer the personal information of a data subject once a clear and unequivocal consent has been indicated by a positive action. Then why has GDPR had multinationals running to their lawyers to tune up their Privacy Policies and Terms and Conditions?

One may be able to fully appreciate the notion of consent under GDPR only after reading Article 7(4) of the Regulations which states:

When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Along with Recital 43 which states:

Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

The onus on the companies collecting personal information has been significantly enhanced by the regulations. The regulations not only qualify ‘consent’ with a positive action on the part of the data subject but also place the intention of the data subject at the center of the entire regime.

Therefore, if an online active-wear store merely informs its customers at checkout that their personal information will be shared with other retailers selling fitness products and supplements, without providing an option to opt out, the consent will be considered not to have been freely given and therefore invalid. When the processing has multiple purposes, consent should be given for all of them (Recital 32).

Consent should be “explicit” where the data involved is sensitive personal data, i.e. data on physical or mental health, racial or ethnic origin, etc. “Free” consent entails a situation where the data subject has a genuine choice whether to consent or not. “Unambiguous” consent, the tricky one, requires a clear affirmative action by the data subject. This may be through a statement in writing or by ticking a box; in other words, the data subject should specifically opt in. Any reliance on silence, default settings, pre-ticked boxes or opt-outs is invalid.

A privacy policy is the first and probably the easiest step in a company’s GDPR compliance plan. Therefore, this is where companies are required to vigorously commit to promoting transparency by obtaining free and unambiguous consent.

Under the GDPR regime, the privacy policies should be:

So, are the Terms and Conditions also affected by GDPR? The answer may depend on a few scenarios. The Terms and Conditions are a discretionary document created by the website owner or the App developer which primarily contains the rules governing the usage of the website or the App and aims at disclaiming liabilities. Insofar as it is linked to the privacy policy, it may be necessary to update the document periodically.

Lastly, has GDPR made the concept of implied consent redundant? Well, not entirely. Consent may also be given by another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data (Recital 32). Therefore, if a visitor voluntarily provides his name, contact number and e-mail address to the company, it could be said that the visitor consented to his or her information being stored and processed in an implied yet unambiguous manner.

While the UAE may or may not decide to come out with a federal regulation as comprehensive as the EU’s GDPR, the existing legal framework lays down sufficient guidelines to safeguard an individual’s privacy. The general right emanates from the Constitution, which provides that “freedom of communication by post, telegraph or other means of communication and the secrecy thereof shall be guaranteed in accordance with the law”.

Guaranteeing this right, the Civil Code of the UAE allows the individual to seek compensation for any “unlawful infringement” of his or her privacy. Acknowledging the importance of privacy, the Penal Code safeguards an individual’s privacy and provides that anyone who misuses or discloses any private or personal data of an individual is punishable by fine and imprisonment.

Authored by Cherry Bhatnagar (Senior Associate) with inputs from Kokila Alagh (Founder).
