Special consideration of consent as a basis for processing
Home » Geolocation » Realize opportunities- Business understanding and data protection plan » Special consideration of consent as a basis for processing

Consent is not always the legal basis that legitimates data processing, as previously expressed. However, these are not the most common situations. Instead, the draft of the ePrivacy Regulation[1] considers consent as the main basis for lawful data processing in the context of electronic communications. Consent, however, will only apply if some conditions are met. If consent is used as the legal basis for data processing, developers should ensure that their device includes the need to obtain the users’ consent for processing in an informed and granular way and the documentation of such consent. Furthermore, such consent must be properly accredited.

It must be crystal clear that consent by the data subject cannot be obtained freely through mandatory acceptance of general terms and conditions, or through opt-out possibilities.[2] It must be granular in approach. On the other hand, the default settings of an operating system should ensure that location services are ‘OFF’, and users may explicitly consent to the switching ‘ON’ of specific applications. Furthermore, “it is important to distinguish between consent to a one-off service and consent to a regular subscription. For example, in order to use a particular geolocation service, it may be necessary to switch on geolocation services in the device or the browser. If that geolocation capacity is switched ‘ON’, every website may read the location details of the user of that smart mobile device. In order to prevent the risks of secret monitoring, the former Article 29 Working Party considers it essential that the device continuously warns that geolocation is ‘ON’, for example through a permanently visible icon.”[3]

Finally, yet importantly, the former Article 29 Working Party recommended that providers of geospatial applications or services should seek to renew individual consent (even where there is no change in the nature of processing) after an appropriate period of time. For instance, it would not be valid to continue to process location data where an individual had not actively used the service within the previous 12 months. Even where a person has used the service they should be reminded at least once a year (or more often where the nature of the processing warrants it) of the nature of the processing of their personal data. Thus, the developer could consider the possibility of incorporating in the device or system an e-tool capable of sending a request to the user in order to (re)gain (or not) their consent to continue with the processing. However, this is more a recommendation than a legal requisite.

Broad consent might be acceptable, but only if some concrete circumstances apply, such as: it is difficult or improbable to foresee how this data will be processed in the future; broad consent used for processing of special categories of data is compatible with national regulations; where broad consent is used, the data subjects are given the opportunity to withdraw their consent and to choose whether or not to participate in certain research and parts of it. Furthermore, some safeguards must be implemented.

Box 3: Broad consent and additional safeguards

The German DPA recently listed some additional safeguards to be implemented in the case of broad consent.[4] These are:

1. Safeguards to ensure transparency:

  • Utilization of usage regulations or research plans that illustrate the planned working methods and questions that are to be the subject of the research project
  • Assessment and documentation of the question why in this particular research project a more detailed specification of the research purposes is not possible
  • Set up web presences to inform study participants about ongoing and future studies.

2. Safeguards to build trust:

  • Positive vote of an ethics committee before use of data for further research purposes
  • Assessment of whether it is possible to work with a dynamic consent or whether a data subject can object before the data might be used for new research questions.

3. Security safeguards:

  • No data transfers to third countries with a lower level of data protection
  • Additional measures regarding data minimization, encryption, anonymization, or pseudonymization
  • Implementation of specific policies to limit access to personal data.

Box 4: Example of best practice for providers of geolocation applications according to the former Article 29 Working Party-[5]:

An application that wants to use geolocation data clearly informs the user about the purposes for which it wants to use the data, and asks for unambiguous consent for each of the possibly different purposes. The user actively chooses the level of granularity of geolocation (for example, on country level, city level, zip code level or as accurately as possible). Once the location service is activated, an icon is permanently visible on every screen that location services are ‘ON’. Users can continuously withdraw their consent, without having to exit the application. Users are also able to easily and permanently delete any location data stored on the device.”

Checklist: consent

☐ The controllers are able to demonstrate that, after balancing the circumstances of the processing, they have concluded that consent is the most appropriate legal basis for processing.

☐ The controllers request the consent of the data subjects in a free, specific, informed and unequivocal manner, according to article 7 GDPR.

☐ The controllers have informed the data subjects about their right to withdraw consent at any time.

☐ Broad consent used for processing of special categories of data is compatible with national regulations.

☐ Where broad consent is used, the controller is particularly aware that the data subjects are given the opportunity to withdraw their consent and to choose whether or not to participate in certain research and parts of it.

☐ Controllers have a direct relationship with the subject who provides the data.

☐ The power imbalance between controllers and data subjects does not impede free consent. This is particularly important in certain contexts such as the labor framework.

☐ The controllers ask people to actively opt in.

☐ The controllers do not use pre-ticked boxes or any other type of default consent.

☐ The controllers use clear, plain language that is easy to understand.

☐ The controllers specify why they want the data,what they are going to do with it and for how long data will be processed.

☐ The controllers give separate distinct (‘granular’) options to consent separately to different purposes and types of processing.

☐ The controllers link which pieces of data of categories thereof will be processed for each purpose.

☐ The controllers have informed the data subjects about their right to withdraw consent at any time and how to do so.

☐ The controllers ensure that individuals can refuse to consent without detriment to their access to the service.

☐ The controllers avoid making consent a precondition of a service.

 

 

References

1https://data.consilium.europa.eu/doc/document/ST-6087-2021-INIT/en/pdf

2Article 29 Working Party (2011) Opinion 13/2011 on Geolocation services on smart mobile devices Adopted on 16 May 2011. 881/11/EN WP 185, P. 13, at: https://www.apda.ad/sites/default/files/2018-10/wp185_en.pdf

3Article 29 Working Party (2011) Opinion 13/2011 on Geolocation services on smart mobile devices Adopted on 16 May 2011. 881/11/EN WP 185, P. 13, at: https://www.apda.ad/sites/default/files/2018-10/wp185_en.pdf

4DSK, Beschluss der 97. Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder zu Auslegung des Begriffs „bestimmte Bereiche wissenschaftlicher Forschung“ im Erwägungsgrund 33 der DS-GVO 3. April 2019, at: www.datenschutzkonferenz-online.de/media/dskb/20190405_auslegung_bestimmte_bereiche_wiss_forschung.pdf (accessed 20 May 2020). The English translation comes from a nice summary of the measures that can be consulted here: www.technologylawdispatch.com/2019/04/privacy-data-protection/german-dpas-publish-resolution-on-concept-of-broad-consent-and-the-interpretation-of-certain-areas-of-scientific-research/

5Article 29 Working Party (2011) Opinion 13/2011 on Geolocation services on smart mobile devices Adopted on 16 May 2011. 881/11/EN WP 185, P. 15, at: https://www.apda.ad/sites/default/files/2018-10/wp185_en.pdf

 

Skip to content