An examination of the criteria for valid consent under the GDPR in the light of the rationale and technological neutrality

Sammanfattning: As a means to safeguard the fundamental right to data protection in light of the rapid advancement of use of technology and to address the fragmented implementation of data protection, the GDPR was introduced. For processing of personal data to be lawful under the GDPR, processing must have a legal basis, such as consent. The ePrivacy Directive establishes that consent is the only valid legal basis for certain processing purposes within the electronic communications sector, thus making the lawfulness of many processing activities dependent on consent. As consent is considered as the cornerstone of data protection, it is vital that the notion of valid consent is consistent with GDPR’s dual rationale; the rationale encompasses the protection of fundamental rights, where data protection is central but not absolute, and the protection of the free movement of data within the European Union. Additionally, technological neutrality is a prerequisite for achieving modern legislation that can meet current needs. Without understanding the criteria for valid consent, compliance is challenging. By researching the requirements for valid consent as defined by the GDPR as well as how the criteria have been interpreted by both the CJEU and at national level, this thesis provides a teleological examination of the criteria in the light of the rationale and technological neutrality. The GDPR establishes four cumulative criteria for valid consent: ‘freely given’, ‘specific’, ‘informed’ and ‘unambiguous’. Freely given consent aims at rejecting consent that has been given under coercive circumstances that do not represent the data subject’s own free will. Specific consent entails that consent has been given to a well-defined and granular purpose. The data subject must be provided with information that enables them to make an informed decision. Finally, there must not be any doubt as to whether the data subject intended to consent or not, thus requiring unambiguity in respect to the data subjects’ intentions. The CJEU has provided some guidance on the criteria, especially on what is required for the criteria to be met when requesting consent using cookie banners. However, there is ambiguity in relation to the distinction of, and attribution to, the criteria. As the criteria leave room for interpretation, there is a level of discrepancy in interpretation and enforcement amongst Member States that gives rise to fragmentation, thus contravening harmonisation and free flow of data within the Union. As shown by several DPA decisions, notably the decision against IAB Europe’s Transparency & Consent Framework in the European AdTech industry, entire technological solutions have been declared as unlawful; the ability to obtain consent has been virtually precluded despite consent being required as a legal basis. Such interpretation is thus not technologically neutral. As the provisions are not practically possible to comply with, the legislation essentially fails with protecting the right to data protection. While further research is needed in order to assess the consequences on specific fundamental rights and freedoms, it can be noted that the current consent criteria might be problematic in relation to the various interests under the rationale. While beyond the scope of the paper, it is suggested that the issues attributed to the interpretation of the criteria, in regard to the rationale, might be an issue of when consent is required rather than the essence of consent. Perhaps, in the light of the rationale and technological neutrality, the criteria for valid consent under the GDPR are neither good or bad, but rather dependant on the context and whether the limits of consent as the appropriate legal basis have been adequately considered.