This article is written by Shrikar Ventrapragada pursuing a Diploma in Cyber Law, Fintech Regulations, and Technology Contracts from Lawsikho.com.
A few definitions of the terms which are frequently used in this article-
- Data-subject- The party whose personal data is being talked about.
- Processing- The process of interfering with one’s personal data by a third party.
- Controller- The network provider/ the person who will get access to our data.
The General Data Protection Regulation (GDPR) is a “regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).” The regulation also governs and addresses the transfer of personal data outside the territory of EU and EEA areas.
The primary aim of GDPR is to ensure that individuals have the authority of their personal data in their own hands and simplify the regulatory environment for international businesses. This law is also a unified law within the EU. This regulation provides us with the necessary requirements and provisions required in order to get access to the data of the individual, located in the EEA. This regulation is applicable to any individual/company regardless of their position and the data subjects’ place of residence.
Processing personal data is prohibited by the law of the EU, until and unless it is for a certain purpose and there needs to be an expressed permission from the court of law, or unless the permission of the person whose data is in context has consented first. Firstly, let us start by defining consent, consent can be defined as giving permission for something to happen, in this case, it is the permission for usage/ sharing of the personal data. Consent can also be given in the form of an agreement to do something. For an individual to be in charge of his data, there is a requirement of genuine consent, which builds the trust between the network provider and the data subject. One must have a valid lawful reason which makes it necessary to process an individual’s personal data. There are six bases mentioned in Article 6(1) of the GDPR which are: agreement of law, legal obligation, vital interests of the data subject, public interests, legitimate interest, and Consent.
Elements of consent
- Freely given- the person should not have been pressured into giving consent, neither should there be any consequences if they refuse to give the consent.
- Specific- the person must be asked about each kind of data processing
- Informed- the consent so given by the person must be clearly mentioned as to what they are consenting for.
- Unambiguous- consent must be clear and in simple language.
- Clear affirmative action- the consent should be confirming the actions.
The lawfulness of processing data
Article 6 of the GDPR defines the lawfulness of processing data. The processing of one’s personal data shall be considered lawful only if at least one of the following applies:
- The data subject has provided consent to process his/her personal data for maybe one or many specific reasons
- In order to fulfill an agreement, it is at times necessary to get access to an individual’s personal data.
- Processing is necessary due to a legal obligation that has to be done by the controller only.
- Processing is mandatory in order to protect the interests of the data subject.
- Processing is mandatory for the performance of a task that is carried out in the public interest or an order given by statutory authority which the controller had to mandate.
- Processing is necessary wherein the purpose of the controller is legitimate and can be explained when questioned, but such a purpose cannot be overridden by the Basic rights or freedom of the Data Subject, which require protection of the personal data, especially in a case where the data subject is a child. This condition shall not be applicable in case the processing is being carried out by a public authority.
Basic requirements for legal consent
The basic essentials which establish legally valid consent are defined in Article 7 and are further elaborated in Recital 32 of the GDPR. Article 7 of the GDPR lists down the certain given conditions for consent:
- The controller (service provider) should be able to show that the data subject (customer) has provided his/her consent for processing his or her personal data.
- When the consent is given in the form of a written statement which constitutes other matters, such as the request for consent shall be given in a manner which is clearly differentiable from other matters, which is in an easily accessible form, using specific and simple language. Any part of such a statement that consists of an infringement of this regulation shall not be binding on the data subject.
- The data subject should be able to withdraw his/ her consent at any given point in time. Once consent has been withdrawn it should have any implications on the lawful processing. Before giving the consent, the data subject shall be informed immediately. Withdrawal of consent should be as effortless as it was to give consent.
- In order to check whether consent has been freely given or not, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of the service, is conditional on consent to the processing of personal data that is not necessary for the performance of the contract.
Further, Recital 32 of the GDPR also provides for the conditions for consent, it states that ‘the consent should be given by a clear affirmative act establishing a freely given, specific and informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him/ her’, which can also be in the form of a written statement, which also comprises electronic means or also an oral statement.
When visiting an internet provider, they usually provide us with an application which includes various points and checkboxes, consent can also be provided by ticking such boxes, or choosing the type of technical settings we require or by any conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his/her personal data. Silence by the data subject or pre-ticked boxes cannot constitute consent. Consent should include all the activities carried out for the same purpose. In case, there happen to be multiple purposes, in such cases, consent needs to be provided for each and every purpose. If the data subjects’ consent is to be provided through electronic means, then such consent should be clear and concise and specifically in relation to the processing.
Conditions applicable to a child’s consent
Article 8 of the GDPR provides for the ‘Conditions applicable to child’s consent in relation to information society services.’ Moreover, Recital 38 provides for the special protection of children’s personal data. In places where the information services are directly provided to a child, such processing of the personal data of a child shall only be lawful where the child is at least of the age 16 years old. In case the age of the minor is not more than the age of 16 years, such processing shall only be lawful if that consent is given or regulated by the parent/ guardian/or any person who has the responsibility of the child.
Every regulation has an exception to it, even this has, the exception is that the member states may state by law that such age may be lowered to not less than 13 years of age, that too only in certain exceptional cases. It is the liability of the controller to verify that the consent is given or authorised by the parent/guardian/or any person who has the responsibility of the child, considering the current availability of technology.
Whom would the burden of proof be on?
When processing is based on consent, it is the burden on the controller to prove that the data subject (client) has consented to the processing of his/her data. The controller must be able to show that the party had clearly stated their consent to them and the controller should be able to prove that all the conditions of the consent had been fulfilled.
Throwing light upon an essential case law
In the case of “Orange Romania Vs. Autoritatea Nationala de supraveghere a prelucrarii datelor cu caracter personal”, the plaintiff, a mobile telecommunication service provider, had come into contracts for providing services with its customers in its office, copies of the customers’ IDs were attached with the contract, which summed up that the customers had been already informed and they provided with their consent to the collection and storage of these copies. The check-box relating to the consent had been ticked by Orange Romania before the contract was signed. Orange Romania failed to prove that the customers ever informed beforehand regarding their consent to collecting and storing their IDs and were hence fined. The plaintiff challenged the fine.
The Court of Justice of the European Union held that ‘it was legitimate for a company to ask customers to provide some personal data and to prove their identity for the purpose of concluding a contract. However, requiring customers to consent to their IDs being copied and stored appeared to be unnecessary for the performance of the contract.’
Personal data is a very important and delicate area, which should only be looked into with one’s permission and consent. Interfering and having a look at a person’s/ company’s personal data is equal to trespassing into a property that is not owned by you. It can be said that personal information is a person’s private property, just that it doesn’t have a real appearance, unlike a tangible asset. But it happens to have the same value as a property owned by a person. Usage of a person’s personal data should only be done if they have consented to it.
Now, does it restrict businesses to stop providing such delicate services? No, it shouldn’t. Businesses should be as transparent as possible when it comes to the processing of a data subject’s personal data. They should ensure that consent so given, is a clear affirmative action where the actions of the data subject’s wishes clearly show active rather than passive behaviour. Businesses should make sure that their contractual terms should not be misleading as to ending the contract even if the party refuses to provide consent for the processing of their data. In fact, the party should be made to understand the consequences if they refuse to consent, they should be told about advantages and perks they would be missing out on if the consent is not obtained.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: