Editor’s Note: Recently the European Data Protection Board (EDPB) published revised guidance on the concept of consent under the GDPR. Provided below is a series of extracts as well as a complete copy of the recent guideline update for consideration by data and legal discovery professionals.
Extract from an article by Claude-Etienne Armingaud and Natali Adison (National Law Review)
EU Data Protection: Updated EDPB Guidance on Consent Clarifies the Mechanism for Cookie Consent
Approaching its second anniversary this month, the European General Data Protection Regulation (GDPR) has never been as relevant as in these unprecedented COVID-19 times. While several countries are considering the implementation of contact tracing apps, a consensus has seemed to surface on subjecting their use to a voluntary basis. The notion of “consent” remains, therefore, the cornerstone (albeit not the only one) of the European data protection framework.
Extract from an article published on the Privacy & Information Security Law Blog (Hunton Andrews Kurth)
EDPB Publishes Updated Guidelines on Consent under the GDPR
Extract from an article published by OneTrust DataGuidance
EU: EDPB Adopts Guidelines on Consent Under the GDPR
Moreover, the Guidelines state that, under the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), a service provider cannot prevent data subjects from accessing a service on the basis that they do not consent, and that access to services and functionalities must not be made conditional on the consent of a user to the placement of cookies in his/her terminal equipment. Furthermore, the Guidelines find that scrolling or swiping through a webpage, or similar user activity, will not satisfy the requirement of a clear and affirmative action, since it may be difficult to distinguish such actions from other activity or interaction of the user. Therefore, the Guidelines state that determining that unambiguous consent has been obtained will not be possible, and that it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it.
Extract from an article by Natasha Lomas (TechCrunch)
No Cookie Consent Walls – And No, Scrolling Isn’t Consent Says EU Data Protection Body
You can’t make access to your website’s content dependent on a visitor agreeing that you can process their data — aka a ‘consent cookie wall’. Not if you need to be compliant with European data protection law.
That’s the unambiguous message from the European Data Protection Board (EDPB), which has published updated guidelines on the rules around online consent to process people’s data.
Under pan-EU law, consent is one of six lawful bases that data controllers can use when processing people’s personal data.
But in order for consent to be legally valid under Europe’s General Data Protection Regulation (GDPR) there are specific standards to meet: It must be clear and informed, specific, and freely given.
Hence cookie walls that demand ‘consent’ as the price for getting inside the club are not only an oxymoron but run into a legal brick wall.
Extract from an article by Patrick Van Eecke and Anne-Gabrielle Haie (DLA Piper)
Europe: EDPB Updates Its Guidelines on Concept of “Consent”
What does it mean for business? Businesses must make sure that:
- Access to their service is not conditional on the user’s consent for the processing of his/her personal data;
Guidelines 05/2020 On Consent Under Regulation 2016/679
Updated EDPB Guidelines on Consent – 4 May 2020