After a year, the General Data Protection Regulation (AVG) and (online) data protection have become ubiquitous on the Internet. Last May, one company after another hit you over the head with a consent email: if you wanted to give your consent to the processing of personal data, including information about the changed privacy policy. And whether you wanted to continue receiving the newsletter. This request for permission and the obligation to be transparent would put consumers back in control of the use of their personal data. But is this true? Or is consent fatique lurking?
The AVG contains six grounds for processing personal data. These grounds are not new; they were already in the Personal Data Protection Act (Wbp). Consent is listed as the first ground, but is this most preferable in practice? The Autoriteit Persoonsgegevens does seem to be pushing for this. Indeed, if you add up all the times when you have to give consent, you would think that consent is the holy grail for processing personal data. However, this is not necessarily the case, as we will see later.
In the debates and drafts of the regulation, consent is often seen as the main criterion for legitimate processing. However, the final version of the regulation treats consent as one of many alternatives for legitimate processing.1
Consent must be given through a clearly active act, showing that the consent is freely, specifically, informed and unambiguous. The data subject must be able to refuse consent and easily withdraw it. The requirement that consent be specific and informed prevents purposes from being hidden or omitted. Asking for consent thus requires clear disclosure and proper accounting. As the responsible party, you must be able to demonstrate who has given permission, when and to which consent request. Technically, consent requires a good set-up of systems.
In practice, we notice that the prevailing policy among data controllers seems to be: we ask the data subject for consent, then we are always right. But is consent always necessary? What if you didn't actually need consent, for example because there is the execution of an agreement, and someone withdraws their consent? Is the agreement then dissolved? Can you then still refuse consent? It puts the data controller in a difficult position, and the data subject may feel wrong-footed when his withdrawal is suddenly no longer honored. The UK regulator Information Commissioner's Office (ICO) even calls asking for consent when another processing ground is present "misleading and inherently unfair. In addition to providing a false choice, it would only give the individual "the illusion of control. The regulator therefore indicates that consent is certainly not always the most appropriate ground for data processing.2
Consent must be specific and transparent. An organization must ensure that the data subject can make an informed decision about the use of its data. This should prevent consumers from being overloaded with too much information when they visit a Web site, browse the Internet, download an application or purchase goods or services. However, the many consent questions can also result in a degree of consent fatique: consent fatigue.3
This article can also be found in the AVG file
