Clicking the “consent” buttons may have become a usual day-to-day online activity for us. However, the controllers may need a good amount of knowledge, effort and ingenuity to ensure that all the requirements imposed by data protection rules are met so that the consent is validly obtained. Amongst such requirements, the one on freely given consent seems to pose the most difficulties.
According to GDPR and the EDPB consent-related guidelines 5/2020 (EDPB Consent Guidelines), a freely given consent must observe certain rules on balance of power, conditionality, granularity and detriment. The consent is not freely given, and therefore not valid if any of such rules are not met.
As regards the detriment-related rules, things may seem simple at the first glance. But the more we try to get in-depth, the more difficult it becomes.
The rules on detriment
Let’s start with GDPR. The recital 42 sets forth the following: “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”
The EDPB Consent Guidelines develop this rule stating (at paragraphs 46 and 47) that “the controller needs to prove that withdrawing consent does not lead to any costs for the data subject and thus no clear disadvantage for those withdrawing consent. Other examples of detriment are deception, intimidation, coercion or significant negative consequences if a data subject does not consent.”
Two ideas may be derived from the aforesaid EDPB wording. The first one is that the detriment may even be psychological, a matter of feelings and perceptions, a state of mind (e.g., “intimidation”).
With regard to the psychological nature of detriment, EDPB goes on in saying that it may even take the form of fear (paragraph 21):
“Given the dependency that results from the employer/employee relationship, it is unlikely that the data subject is able to deny his/her employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal.”
So there is no need to necessarily have a real risk of detriment. Just a fear of detriment is sufficient.
The threshold of stress
The second idea drawn from the aforementioned excerpt from paragraphs 46 and 47 of EDPB Consent Guidelines is that the negative consequences must be significant. In other words, the existence of certain minor negative consequences would not necessarily mean that the consent is not freely given. Not every psychological discomfort would lead to the invalidation of consent.
The fact that the negative consequences must be significant is also expressed by the Austrian data protection authority (DSB) in a case analyzed by me earlier this year here.
In that case, the publisher offered users the option to benefit from full access to website content in exchange of their consent to certain cookies and online tracking. Otherwise, the users had to pay 6 EUR per month, as of the second month. The DSB held that there is a freely given consent here, stating with regard to the requirement of the absence of negative consequences that an alternative payment of EUR 6 per month starting from the second month of subscription is not disproportionately expensive. Thus, there is a certain negative consequence (in this case, a financial one), but it was not deemed sufficiently significant.
Moreover, take one of the examples offered by the same EDPB Consent Guidelines (at paragraph 23):
“A film crew is going to be filming in a certain part of an office. The employer asks all the employees who sit in that area for their consent to be filmed, as they may appear in the background of the video. Those who do not want to be filmed are not penalized in any way but instead are given equivalent desks elsewhere in the building for the duration of the filming.”
What does it mean “equivalent desks”? Probably, if the employees had offices with windows, they have to be offered, for the duration of the shooting, other offices with natural light. If they worked in closed offices, they must not be placed in open space areas. If they worked indoors, they must not be sent to work outdoors for the period of the filming, especially if outside is bad weather.
But no matter how hard the employer will try, it will not be able to avoid a certain irritation which may arise for the employees who need to leave, even if temporarily, their desks. Maybe they will miss the offices they spent the time to design in a friendly manner, bringing some flowers or paintings from home. Or maybe it is the stress of learning to use the printing machine connected to the new desk. Or maybe it is just the discomfort related to moving to another desk. There will be a certain psychological negative consequence.
So the EDPB tells us that the psychological negative consequence must be significant, but how much is “significant”? And, all the more, in relation to whom it must be significant? To the specific employee X who is detached to another desk for the duration of the shooting? Or is it in relation to a generic data subject (i.e., employees as data subjects), taking in consideration typical reactions that such a generic person may experience in that situation?
The question is not without relevance. Taking the example from above, even if normally a desk with windows would matter for an average employee, the specific employee X may not be so much interested in natural light, but in other logistical traits of the new office (for example, the distance to the coffee machine).
From my perspective, if moving of a single employee is at stake, his/her particular priorities are to be taken into consideration. But the bigger the number of such data subjects, the more difficult it will be for the controller to consider the preferences of each of them. Therefore, in the latter case, the controller may refer to the standard of an average data subject. This is particularly relevant in the case of service providers who deal with a large number of customers and the forms provided to such customers are standardized.
The recent CJEU decision in the Orange Romania case, ruled by the court on 11 November 2020, seems to go further beyond what EDPB has contemplated.
In this case, the controller required from the clients who did not want to consent to copying and storing their ID cards to state it in a handwritten form. In case when the clients consented, no such handwritten statement was required.
In March 2020, Advocate General Szpunar has taken the view in his opinion on this case, that requiring clients to give handwritten statements in case of refusal to consent is not in line with the condition that the consent must be freely given (paragraph 60):
“Obliging a customer to state in handwritten form that he or she does not consent to the copying and storing of his or her ID card does not permit freely given consent in the sense that the customer is put into a situation in which he or she perceptibly deviates from a regular procedure which leads to the conclusion of a contract. Customers must not in this connection feel that their refusal to consent to the copying and storing of their identity documents is not in line with regular procedures.”
To put it otherwise, the customer may feel a discomfort that the service provider representative will need to undergo an extra step, deviating from the normal procedure, and this would attain the significant negative consequences threshold stated above, leading to the invalidation of the consent.
The CJEU has reiterated in its decision of November 2020 the position of Advocate General Szpunar, by also making reference to aforesaid paragraph 60 from the Szpunar’s opinion:
“Furthermore, as the Advocate General observed in point 60 of his Opinion, the free nature of that consent appears to be called into question by the fact that, if that consent is refused, Orange România, departing from the normal procedure for concluding the contract, required the customer concerned to declare in writing that he or she did not consent to a copy of his or her identity document being collected or stored. As the Commission observed at the hearing, such an additional requirement is liable to affect unduly the freedom to choose to object to that collection and storage, which it is also for the referring court to determine.” (paragraph 50 of the CJUE decision)
Going back to the change of desks example from the EDPB Consent Guidelines, it is interesting that the detachment to another equivalent office, with all the inherent inconveniences, was not considered to affect the psychological well-being of the data subject as much as the requirement to state in handwritten form that he/she does not want to consent.
It is to be seen how the controllers would adjust their assessment of “significant negative consequences” following the CJUE ruling and how they will deal with the necessity to offer adequate mental comfort to data subjects with regard to lack of detriment in case of refusal to consent.
In the meanwhile, together with aligning the procedural steps in the sense required by CJUE, it is recommendable that the consent forms provided to data subjects are completed with specific wordings which would reflect the lack of detriment rule in case of consent refusal/withdrawal. It may indicate, for example, that no significant negative consequence will occur in case the consent is not given or is withdrawn and that such refusal/withdrawal is circumscribed to a normal procedure implemented by the controller.