‘CONSENT’ UNDER THE EU AND NIGERIA DATA PROTECTION REGIME

Introduction

Consent is a very common term. From the traditional contract standpoint, consent is “consensus ad idem” – ‘meeting of the minds’, or “to agree”. This consent can be expressed in several ways: expressly, impliedly, by conduct or by implication. However, consent under the EU and Nigeria data protection regime is slightly different.

Before we discuss the concept of consent, we’ll give a little background. Many countries have adopted general data protection laws that apply to every sector that processes personal data. These laws have principles that specifically guide how personal data must be processed. 

There are six principles. The first principle is that “processing must be lawful, transparent and fair”. In order for processing to be lawful, there are six conditions according to the GDPR (and five according to the NDPR), the first being ‘consent’. In subsequent posts, we shall discuss other processing principles and conditions for lawful processing.

Definition

Consent is defined under Article 4(11) of the General Data Protection Regulation (GDPR) and Article 1.3(iii) of the Nigeria Data Protection Regulation (NDPR) as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by which he/she through a statement or clear affirmative action, signifies agreement to the processing of personal data relating to him/her.” Within this definition are several keywords/key terms: “freely given”, “specific”, “informed”, “unambiguous” and “clear affirmative action”. These terms are conditions which must be present for consent to be valid, and we shall be explaining them.

Conditions for a Valid Consent 

Consent must be freely given. The consent must be freely given by the data subject, and he must be able to withdraw the consent freely as well. There must also be no adverse effect for not granting consent or seeking to withdraw it. For instance, where an employer requires the personal information of employees for the purpose of giving clients more information about its company through its website, employees granting ‘consent’ for their personal data to be uploaded on the company’s website may not be seen as giving valid consent if the employees consented in order to keep their jobs.

Consent must be specific. For consent to be valid, it must be specifically given in furtherance of a particular purpose. For instance, if a business obtains consent to process its customers’ personal information for the purpose of publishing their review of its products on its website or socials, it cannot process that information for another purpose, e.g. marketing. This is because consent is specific to the purpose for which it has been requested.

Consent must be informed. The data subject must be appropriately informed about the scope of the consent he seeks to give and the mode of withdrawal. This information can be given by way of a Privacy Notice. 

Consent must be unambiguous. Consent must be clear, and the intention to give consent must be clearly understood.

Consent must be expressed by clear affirmative action. While consent in relation to traditional contract agreements may consider implied consent as valid, under the data protection framework, consent must be given expressly by affirmative/positive action. For instance, where consent is required to process people’s personal information for marketing, a consent e-form which is already ticked but requires individuals to untick if they do not desire to consent is invalid consent. This was the position of the Court in the ‘Planet49’ case, where the organisation sought to use consent obtained from issuing pre-ticked checkboxes to its users.

How To Ensure a Valid Consent

Considering the conditions a valid consent must possess, the ICO issued certain guidance on consent with the following points to note:

  • Have a clear, concise and conspicuous privacy notice.
  • Explicit consent requires a very clear and specific statement of consent.
  • Keep your consent requests separate from other terms and conditions.
  • Be specific so that you get separate consent for separate things. Vague or blanket consent is not enough.
  • Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
  • Make it easy for people to withdraw consent and tell them how.
  • Keep evidence of consent – who, when, how, and what you told people.
  • Keep consent under review, and refresh it if anything changes.
  • Avoid making consent to processing a precondition of a service.
  • Public authorities and employers will need to take extra care to show that consent is freely given, and should avoid over-reliance on consent.

Conclusion

It is clear that the conditions for a valid consent are quite stringent. It is important to understand that if you find it difficult to meet these conditions, you should look for another basis. Remember, we mentioned that consent is just one out of 6 lawful bases. You may not need consent if you can comfortably process personal data under any other basis.

Based on this post, as a data subject, if you feel an organisation is/has been processing your personal data unlawfully, kindly reach out to us on complaint@pdpainitiative.com for assistance.
