On the 4th of May 2020, the European Data Protection Board (EDPB) issued fresh guidelines on ‘consent’ titled Guidelines 05/2020 on consent under Regulation 2016/679 (Guidelines). These new Guidelines have replaced the original guidelines which were previously adopted by what was formerly known as the Article 29 Working Party and which were last revised on the 10th of April 2018.
Under the General Data Protection Regulation 2016/679 (GDPR) there are 6 legal bases for processing personal data, these being: consent, contract, legal obligation, vital interests of the data subject or of another natural person, public interest and legitimate interest.
Consent, which according to Article 4(11) of the GDPR must be freely given, specific, informed and unambiguous for it to be legally valid, has been at the forefront of several controversies. The Guidelines address two issues relating to consent; firstly, the EDPB goes on to clarify the concept of ‘freely given consent’ by assessing the notion of conditionality in relation to third parties and in relation to the validity of consent provided by the data subject when interacting with so-called ’cookie walls’.
Secondly, the EDPB goes on to clarify the issue of ‘unambiguous consent’, as provided for in recital 32 of the GDPR, especially when it comes to ‘scrolling and swiping’.
Freely Given Consent
- In relation to Third Parties
These Guidelines expand on the notion of ‘conditionality’, which is one feature that may affect the validity of a data subject’s consent from being freely granted. The GDPR states that “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”.
Therefore, as a basic rule, a data subject should not be placed in a situation whereby the rendering of a contract or service is made conditional to the ’consent’ of that data subject. In this regard, the EDPB goes on to clarify that ‘consent’ cannot be considered as freely given if a service provider ties the rendering of a service on the condition that the data subject consents to the processing of their personal data, one might say by force. In such an instance the judgment of the data subject is conditioned and therefore there does not exist the so called ‘freedom of choice’ and independence that is required by the spirit of the GDPR.
- Cookie Walls
Another interesting clarification made by the EDPB was in relation to what is referred to as a ‘cookie walls’. By virtue of these newly revised Guidelines, the EDPB confirmed that the use of cookie walls is unlawful in terms of the GDPR and is therefore strictly prohibited.
What are cookies?
A cookie is a text file that is automatically stored in someone’s device and may or may not be deleted upon the closure of a session. A cookie can have different purposes, for instance, a cookie may be necessary to run a website, or it can be necessary to identify what a user is doing. Cookies are also used for instance to remember your password. Cookies may either be first party cookies of third-party cookies, the former are stored on one’s device directly by the website you are visiting while the latter are stored by a third party like an advertiser or an analytic system.
What is a cookie wall?
A cookie wall is a way for service providers (whatever their nature of business) to deny users access to their websites if they don’t consent to cookies present on that same service provider’s website being used. Therefore, a cookie wall usually works as a self-made border against users who do not consent to cookies, barring them from the service.
Is it legal? If not, why so?
The status of legality of cookie walls was never certain, however the Guidelines have clarified that cookie walls are in no way or form permissible since they do not afford the data subject the ability to make a free and independent choice when giving consent for the processing of their own personal data.
What is a good alternative to a cookie wall?
Technically speaking there is no good alternative to a cookie wall because as effectively the data subject’s consent is being conditioned. However, a suitable alternative would be for a service provider to:
- still set up a cookie banner or request without prohibiting access to the main content of the website and
- provide information in relation to which cookies are being recorded and for what purpose the data will be processed. This is in fact a legal requirement whenever cookies involving personal data are involved.
The second issue that the Guidelines sought to clarify was in relation to the importance of clarity when giving consent for the processing of personal data, more specifically in relation to the act of ‘scrolling’ and ‘swiping’ as a means of valid consent. Under the GDPR, Recital 32 sets out that consent must be a ‘clear affirmative act’ which ensures an unambiguous, clear and affirmative indication of the data subject’s agreement to the processing of personal data.
The new revised Guidelines have clarified that the specific actions of ‘scrolling’ or ‘swiping’ through a webpage or any similar activity for that matter, will not under any circumstance satisfy the requirement of a clear and affirmative action as depicted under the GDPR.
The EDPB went on to also reaffirm its position that the withdrawal of one’s consent shall be as easy as to give consent.
News item written by Senior Associate Dr. Terence Cassar and Associates Dr. Bernice Saliba and Dr. Sean Xerri de Caro.