Ken Regum

On Consent and Privacy

Data subject’s consent is defined as ‘any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information’.

Take note of the three conditions for valid consent:

a) Freely given

b) Specific

c) Informed

‘Freely given’ consent means that the data subject must have a genuine choice and must be able to refuse or withdraw consent. Remember that it is not consent if the data subject cannot withdraw it, although a withdrawal does not make any processing carried out prior to such withdrawal illegal.

If there is a clear imbalance between the controller and the data subject (e.g., employer-employee relationship, public authority-subject relationship), consent may not be considered as freely given.

‘Specific’ consent means that it was given specifically for the particular processing operation in question. Where the processing activity changes, there may be a requirement to seek new consents from all the affected individuals, since the previously given consent does not cover the new processing.

Consent must be ‘informed’ such that a data subject is given all the necessary details of the processing activity in a language and form they can understand so that they can comprehend how the processing will affect them.

As an example, simply placing an ‘Accept’ button on an online form for a data subject to acknowledge their acceptance may not amount to consent under data protection law, unless the controller can prove that the data subject had a reasonable opportunity to be informed of the significance of this consent.

To be ‘unambiguous’, the data subject’s statement or clear affirmative act must leave no doubt as to their intention to give consent. If there is uncertainty regarding whether consent has been given, the circumstances are construed against the controller.

A pre-ticked, opt-out box on an online form is not consent.

Consent must be demonstrable. Although consent may be made verbally, the fact must be recorded by the data controller.

Consent must be time-bound in relation to the declared, specified and legitimate purpose. Consent cannot be perpetual.


#law #privacy