“Explicit consent” under the new Data Protection Regulation

The new EU Data Protection Regulation redefines consent of individuals. No longer will it be sufficient for consents to be “freely given, specific and informed”. The new rules will also require consent to be “explicit” and evidenced by “a statement or by a clear affirmative action”. The evidential point simply reflects current regulatory guidance. We know, after all, that “silence is not consent”. However, the inclusion of the word “explicit” has much greater ramifications.

“Explicit” in the data protection world generally means “specific”. In other words, the consent must specify the particular types of data, the specific purposes for which they may be used and/or the countries to which they may be disclosed.

So, if it’s going to be harder to rely on consent, what about the alternative avenues enabling companies to avoid having to collect consent? Here’s the rub: the alternative avenues are being narrowed or closed off under the new Regulation. For example, companies can currently avoid collecting consent where processing is necessary for their (or the relevant recipients’) “legitimate interests”. Under the Regulation, however, the “legitimate interests” avenue is being substantially narrowed. Firstly, you will only be able to rely on this in connection with your own “legitimate interests” (not those of third parties). Secondly, the new transparency rules will require you to notify individuals of any legitimate interests on which you are relying. So presumably these need to be set out in the relevant privacy policy or other customer-facing documents.

All very prescriptive. Companies will be between “a rock and a hard place” in deciding whether to rely on “legitimate interests” (which will have to be specified) or consent (which will have to be specific). Remember the phrase “all roads lead to Rome”?

Bear in mind also that the new definition of “consent” will have to interoperate with the e-Privacy rules under Directive 2002/58/EC. These rules include requirements for prior consent for e-marketing and (as we all know) consent for cookies. So, suddenly those marketing and cookie consents must also be explicit in order to be valid. Just as we thought we were moving away from consent as a sensible basis for legitimising the processing of data, we seem to be moving closer to it.

Nick Graham

About Nick Graham

Nick Graham is the Global Co-Chair of Dentons' Privacy and Cybersecurity Group. He specialises in data privacy, cybersecurity and information governance. Nick advises across all sectors including retail, telecoms, energy, manufacturing, banking, insurance, transport, technology and digital media.
