Global menu

Our global pages


The GDPR and Consent

  • Ireland
  • General


The Article 29 Data Protection Working Party (“WP29”) has provided some much-needed road signs on the journey towards the GDPR with the publication of its draft guidelines on consent. The draft guidelines have been issued for consultation and the WP29  have invited comments to be submitted by 23 January 2018.

Regulation 2016/679, the General Data Protection Regulation (the “GDPR”), is set to bring sweeping changes to data protection law in Ireland and at the heart of many of the discussions around the GDPR is the issue of consent.

Consent is the first of the six lawful bases for processing data listed in Article 6 of the GDPR and has undoubtedly been the most highly scrutinised of the six grounds. 

EU Member States have taken a variety of different approaches when it comes to interpreting consent, and the Article 29 Data Protection Working Party (“WP29”) has already weighed in on the matter, issuing an Opinion on consent in 2011. 

The stance taken in the GDPR is broadly in line with current practice, but the WP29 draft guidelines on consent published on 12 December 2017 (the “Guidelines”) provide useful clarification and detail on the requirements to obtain and demonstrate valid consent. Consent is strongly linked with transparency, one of the GDPR’s fundamental principles. Given that consent is typically requested for actions that are in principle unlawful without it, it is vital that data controllers ensure that the consent they obtain is valid. 

Key Consent Considerations

The Guidelines discuss the various elements of consent and provide valuable guidance and examples on what exactly constitutes valid consent under the GDPR. The full text of the Guidance can be read by clicking on the following link but the key consent considerations detailed in the Guidance provide that consent must be:

(i) Freely given

In order for consent to be freely given, there must be a genuine element of choice and control. If a data subject feels compelled to consent, will endure negative consequences if they do not consent or if consent is bundled into non-negotiable terms and conditions then consent is not valid. The idea of imbalance in the context of certain relationships between data controllers and data subjects is discussed in the Guidelines, with WP29 specifically highlighting that consent within the employment relationship or consent given to a public authority is highly problematic. Similarly, consent that is given “bundled” with acceptance of terms and conditions will generally not be considered to be freely given, particularly where the processing goes beyond what is necessary for the provision of the service in question.

(ii) Specific

The GDPR does not make any changes to the law in this area; consent must be given in relation to one or more specific purposes in order to be valid. The Guidance warns against “function creep”, which is where a purpose is gradually widened or blurred after consent is obtained.

(iii) Informed

As mentioned above, transparency is one of the basic tenets of data protection law. Consent is not possible without clear, accessible, easily understandable information. This information cannot be hidden in general terms and conditions and should be tailored for the audience at whom it is aimed.

(iv) Unambiguous

There cannot be any ambiguity over whether or not the data subject has consented to the processing of their data. The GDPR requires either a statement from the data subject or a clear affirmative action; silence, inactivity or pre-ticked boxes do not constitute valid consent. The guidance provides some helpful examples of actions that are in compliance with the GDPR, particularly in the digital context. These include actively ticking a consent box, swiping on a screen, waving in front of a camera and drawing a shape with a smartphone. The Guidance also recognises the particular challenges of obtaining consent by electronic means and sets out that internet browser settings can be a source of consent, which prevents “click fatigue” in situations where consent may be required multiple times per day.

Other Considerations

The Guidance discusses a number of additional areas in relation to consent. 

WP29 gives some guidance as to the form that “explicit” consent can take in situations where there is a serious data protection risk. These situations include processing of special categories of data, data transfers to third countries and automated individual decision-making. In these cases, the higher threshold can be met by the data subject filling in an online form, sending an email or using an electronic signature. Two-step verification is also an option here.

One of the key changes introduced by the GDPR is the burden placed on the data controller to demonstrate all aspects of compliance, including the data subject’s consent. This requires that a record of consent must be kept, which raises some interesting questions about additional processing that may be required to comply with this requirement.

WP29 highlighted the “prominent place” given to the withdrawal of consent in the GDPR.  Data subjects should be able to withdraw their consent at any time and as easily as that consent was provided.  For example, consent provided by a tick-box should not require a telephone call during business hours to be withdrawn.

Invalid Consent

The GDPR clearly implies that consent should be given before processing begins, and similarly the basis for processing cannot be changed during that processing. This means that if consent is withdrawn or found to be invalid, the data controller cannot then decide to rely on another of the six grounds for processing. This makes it even more important to ensure that consent is freely given, specific, informed and unambiguous.

For more information contact:

Marie McGinley
Partner, Head of IP, Technology and DP
+353 1 6441 457

Ciara Geraghty
+353 1 6644 336

This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.

< Go back