From a data protection perspective, the term ‘consent’ has been defined as ‘any freely given specific and informed indication of his/her wishes by which the data subject signifies his/her agreement for personal data relating to him being processed’.
This definition is found in the EU Data Protection Directive which was subsequently superseded the General Data Protection Regulation.
Aside from technical definition, consent, in real life, provides quite a strong impression, that consent to personal data processing is a solid, well-oiled machine, which works almost without any flaws and provides a data subject with a possibility to effectively manage his privacy.
Consent is a way of expressing an individual’s opinion whether and under what conditions the other party can process the data subject’s personal data. According to Daniel J. Solove, consent is an implied legal tool to serve and achieve what is described as a ‘privacy self-management’.
In fact, the importance of the consent can be seen from a common daily experience, when everyone is a subject of consenting many times a week. Common tasks like registration to online services, approving of cookies, online commerce and many others might serve as an example. Consent, needless to say, is a fact of life.
From a legal perspective, consent of a data subject prior to processing of personal data is a fundamental criterion in data protection and privacy. For many, both legislator and data controllers or processors, consent is the most important principle in data privacy.
Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing. While being one of the more well-known legal bases for processing personal data, consent is one of the six basic principles governing the processing of personal data set out in Article 13 of the African Union Convention on Cybersecurity and Personal Data Protection.
For processing to be lawful under the preceding AU Convention, it is imperative to identify a lawful basis to do so. Article 13 of the AU Convention articulates ‘principle of consent and legitimacy of personal data processing’. The provision expresses that the processing of personal data must be considered legitimate if the data subjects have given their consent.
Just to underline, consent turns out to be the most important, if not the only, legal basis for the lawful processing of personal data. Data subjects need to be unequivocally informed about their rights to withdraw consent and to be able to do so easily if desired.
Consent is an unambiguous indication of a data subject’s wishes that signifies an agreement by him/her to the processing of personal data relating to him or her whereby that consent needs to be given in clearly defined ways which are those elements of the definition of consent.
Furthermore, consent management essentially covers the consent lifecycle from start to finish: from data collection and enabling data subjects to change or withdraw consent to deleting personal data whenever the purpose and duration of the data to which the data subject consented are finished.
Drawing from the spirit of both the AU Convention and the GDPR, the right to consent embodies these essential elements, namely consent shall be freely given; consent shall be specific, per purpose; consent shall be informed; consent shall be an unambiguous indication; consent must be given by a statement or by a clear act; consent shall be distinguishable from other matters; and a request for consent needs to be in clear and plain language, intelligible and easily accessible.
However much the consent principle weighs [in processing of personal data], the AU Convention provides grounds for waiver of consent. First, it is lawful to process personal data when complying with a legal obligation to which the controller is subject. Second, it is lawful to process personal data for performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed. Third, it is lawful to process personal data for performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Fourth, it is lawful to process personal data to protect the vital interests or fundamental rights and freedoms of the data subject.
Broadly, consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis. The element free implies a real choice by the data subject. Any element of inappropriate pressure or influence which could affect the outcome of that choice renders the consent invalid. In doing so, the legal text takes a certain imbalance between the controller and the data subject into consideration.
Despite lack of knowledge by many data subjects—that consent is a legal tool to protect their data privacy—there is a light at the end of the tunnel as there’re various regional and international instruments as well as national data protection laws which expressly mention consent in respect of personal data processing.
Notwithstanding other lawful bases for personal data processing, the data subject’s consent remains unquestionably important right.
The writer is a data protection and privacy expert.