If you’re relying on consent, you’re doing it wrong under the GDPR

By Arnoud Engelfriet

Ever since the GDPR went into effect, companies have worked hard to achieve compliance. However, one key mistake keeps on popping up: asking consent as a legal basis for some processing of personal data. It is strange that companies would rely on this ground, because it has the strictest legal requirements and is the most difficult to work with. Yet the myth persists that you should seek consent. Please stop.


Consent is of course one of the ways to acquire a so-called ‘ground for processing’, a legal basis required by the GDPR. Without such a ground, any processing is unlawful. There are other grounds, notably the performance of an agreement and the legitimate interest, but those grounds have scary-sounding requirements like necessity or a balance of interests. Asking consent thus seems logical; you explain what you are going to do and you get a clear and voluntary “yes please”. Right?


Wrong. Consent also comes with strings attached. You need to be able to demonstrate that your intended processing is lawful and proportionate, and that you don’t overask. What’s more, getting genuinely voluntary consent is harder than it sounds. You can’t attach any strings to it, no fines, no contract termination, not even a surcharge if consent is refused.


Untangling these strings is hard to do, and many, many companies make mistakes. The simplest mistake to make is to require consent: for example, a service is refused unless the customer consents to certain actions. That is simply legally wrong. Consent must be given voluntarily, and any form of coercion – even the threat of a surcharge – is enough to make that impossible. This is why employees for example can never give consent. There is always a lingering fear that the employer would hold it against them later (“not a team player”).


However, the biggest reason why consent should not be used is simple: it can be withdrawn at any time, again without any strings attached. No fines, no contract termination, no surcharges or any other action that might cause someone to hesitate. 


Any business process that relies on consent therefore is inherently unstable: all involved persons can withdraw that consent, and after that you are stuck with no option to continue. Apart from newsletters and the like I cannot think of any process where this is desirable.


So what’s the alternative? Simple. There are five other legal grounds, of which the execution of an agreement and the legitimate interest are the most commonly used. Surprisingly often these two are available in situations where consent is asked. An all-too-common and depressing situation for example is where consent is sought to provide customer details to a payment provider. A refusal of such consent would be absurd, thus proving that consent is not the right ground. The agreement however makes payment a legal obligation, which means that the ground of execution of the agreement is the logical choice.


Similarly, a legitimate interest is often easily available. To rely on this ground, a three-step analysis must be made. First, the actual interest must be nailed down. The GDPR mentions a few: security analysis; fraud prevention; usage by computer emergency and incident response teams; and even direct marketing. Second, the interest must be weighed against a privacy or similar interest of the persons involved. And third, privacy-protecting measures must be taken to balance out the weights. 


For example, if a company wants to monitor its internal network, its interest is network security. The privacy interest is to have private communications and not being followed or monitored at all times. The balancing measure then is to only have communications read by people if automated monitoring identifies the contents as risky, and then only by authorized personnel bound to secrecy. Or maybe the monitoring is only done at the level of metadata, with examination of contents occurring only in specific instances where a human supervisor has decided a particular sender or recipient has raised suspicions.


Whatever the reasoning, at no point is the consent of the employees necessary. Which is fortunate enough, as getting that consent voluntarily would have been impossible – and of course, any employee could with­draw it at any time without being subjected to any penalty (such as not being able to use the network). 


So please, if you’re considering getting people’s consent to process their personal data, assume that you’re on the wrong track and consider the other legal grounds instead. You will make your life a lot easier.


About the author

Arnoud Engelfriet, M.Sc, LL.M. is a Dutch IT lawyer and privacy specialist. He is one of the partners at LegalICT.com legal services and among others the author of the Dutch ‘Handboek AVG: Artikels­gewijs commentaar’.