If you think about how many websites you visit every day, chances are pretty good that you will run into a cookie wall (literally and figuratively). To be clear: with a cookie wall I mean a full-screen display that blocks access to the website and in which you are kindly - but urgently - requested to accept all cookies, including tracking cookies, before you can visit the website. There is much debate about the permissibility of these cookie walls. The Personal Data Authority (AP) recently published a document stating that these types of cookie walls are not permitted.1 The reason is that consent is not given "freely. Many companies, as well as lawyers and legal experts, disagree. Many websites, they say, depend on ad revenue. They believe they should be able to decide for themselves whether to allow someone on their Web site or not. Who is right?
To answer this question, I go back to the heart of the discussion: when is consent 'free'? And especially: when is consent no longer 'free'? Here I will give some more real-life examples.
What do we really mean by 'free consent'? The General Data Protection Regulation (GDPR) contains a comprehensive definition of "consent.
"Any freely given, specific, informed and unambiguous expression of will by which the data subject signifies, by means of a statement or an unambiguous active act, his or her consent to the processing of personal data relating to him or her."
Free consent (free expression of will) is only one of the conditions for valid consent under the AVG. In other words, if you have not given voluntary consent, it is not valid under the AVG.
The AVG contains more rules for a visitor's consent that apply side by side. For example, you must:
be able to document that consent was given;
present the request for consent in an understandable, easily accessible form and in clear and simple language;
make a clear distinction between the request for consent and other matters (such as general terms and conditions);
can have the consent given withdrawn at any time;
Make withdrawing consent as easy as giving it; and
review whether the consent is freely given and really needed.
While all the conditions for "consent" are worth discussing, I will only discuss the condition of "freedom" further here.
To speak of "free" consent, you must ask yourself the following five questions:
Do I really need permission?
Does the individual have the choice to refuse consent?
Does the data subject have control over the consent (e.g., to withdraw it)?
Does the person not feel coerced in any way?
Are there no adverse consequences to the data subject if consent is not given?
If you can answer "yes" to all of the above questions, then there is "true" free consent. In all other cases, the consent is probably not entirely voluntary and therefore not valid. The concept of free consent seems so simple at first glance. In practice, however, it turns out to be not so easy to comply with it, due to all kinds of commercial interests (advertising revenue).
In practice, I find that many organizations tend to be too quick to choose "consent" as the basis for a data processing operation. Then they go wrong by somehow enforcing this consent. If this is the case, then there is simply no valid consent and they are acting in violation of the AVG.
The following are some practical examples where consent cannot be given "freely" in any case:
It is often difficult for government agencies to obtain free consent from citizens because of the unequal balance of power. It teeters on the very question of whether the citizen really has the choice to refuse consent, if it would make the citizen ineligible for benefits or permits, for example. If the answer to this is "no," there is no valid consent.
Public authorities are explicitly mentioned in recital 43 of the AVG as an example where it is unlikely that consent can be freely given by a data subject. Public authorities will therefore usually have to choose a different basis, for example the implementation of a law, or the performance of a public task.
The relationship between an employer and employee or job applicant is also seen as an unequal relationship. As a result, it is often problematic for employers to base the processing of personal data in employment relationships on consent. This is because it is not very plausible that employees are completely free to give their consent because of the employee's dependent position. If you ask consent from an employee or job applicant, they usually do not dare to refuse consent, for fear that there may be negative consequences, such as being fired or missing out on a job or promotion. A worse reputation (being known as a killjoy or whiner) can also be a negative consequence.
Therefore, an employee's consent can rarely be truly voluntary. This is only different if, for example, it involves an individual fitness program in which employees can voluntarily participate.
In the employment context, other appropriate bases for processing personal data often already exist so that consent is not necessary (and appropriate) at all. For example, it is necessary to process the employee's BSN in order to comply with social security laws and tax laws. Another example is the need to process the employee's bank account number, in order to pay wages and execute the employment contract. And for camera security in the company building, the employer often has a legitimate interest (security of company property). In these situations, it would be very inconvenient to base data processing on consent. Not only because it is very impractical (imagine having to ask everyone who walks into your business premises if you can film them), but also because "no" is not an option in these situations.
This article can also be found in the files AVG and e-Privacy
