Definitions

Consent

GDPR's Provisions on Consent

1. Article 4(11) of GDPR defines "consent" as a voluntary, specific, informed, and explicit expression of will by which the data subject agrees through a statement or a clear affirmative action to the processing of personal data relating to him or her.

2. Article 6(1)(a) establishes that the data subject's consent is one of the legal bases for processing personal data.

3. Article 5 outlines data protection principles (lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality), and Article 25(2) on design and default data protection principles, which dictate that only personal data necessary for specific purposes should be processed and inaccessible to others.

4. Articles 7 and the recitals (32, 42, 43) detail the main factors for how controllers should adhere to consent requirements: controllers must be able to demonstrate that the data subject has consented to the processing of their personal data, connected to the accountability principle under Article 5(2) of GDPR. If consent is given in a written declaration that involves other matters, it must be presented in a manner that is distinct from those other matters, easy to understand, and in clear and plain language, and any part of such a declaration that constitutes a breach of the GDPR is not binding. Additionally, data subjects must be informed before giving consent that they have the right to withdraw consent at any time, and such withdrawal should not affect the lawfulness of processing based on consent before its withdrawal. The simplicity of giving and withdrawing consent must be equivalent. Lastly, consent must be given voluntarily; where there is a clear imbalance between the data subject and the controller, consent should not be regarded as freely given.

Other Legal Considerations

Federal Cartel Court Decision Summary

1. The legal question presented was whether the consent obtained from online social network users, given the dominant market position of the network operator, satisfies the effectiveness conditions stipulated in Article 4(11) of the GDPR, particularly the requirement that consent must be freely given.

2. The court observed that a dominant position held by online social network providers does not inherently obstruct users from granting valid consent under the GDPR for the processing of their personal data. Nevertheless, a critical element in affirming the validity of such consent is the operator's obligation to demonstrate that the consent was voluntarily given. This aspect is vital as it influences the user's autonomy in decision-making; the inability of users to refuse or withdraw consent without adverse consequences could create a substantial imbalance between the controller and the data subject.

3. Considerations such as the extent of data processing, its profound effects on users, and the users' reasonable expectations are pivotal factors in evaluating the case.

Guidelines Go Through

Principles and General Provisions

1. Consent from data subjects does not justify collecting personal data beyond what is necessary for specified purposes or in a manner that is unfair.

2. Data processing must adhere to the principles of necessity and proportionality, ensuring compliance with purpose limitation and data minimization principles. The proportionality principle questions the necessity of processing personal data and assesses whether the intended purpose could be fulfilled through less invasive methods or by processing less personal data, whether less detailed or aggregated.

3. Reconciling excessive tracking with the data minimization principle poses greater challenges compared to personalized advertising systems that enable users to determine their preferences autonomously.

4. Data processing activities must uphold the principle of fairness, aligning with the reasonable expectations of data subjects, avoiding discrimination, not exploiting vulnerabilities, preventing imbalances of rights, and refraining from using deceptive or manipulative tactics. When processing activities are particularly intrusive, they should be scrutinized for their impact on the rights and dignity of the subjects, ensuring subjects are provided with the highest level of autonomy. Fairness should guide the controller's decisions, especially when options available to data subjects are limited or potentially manipulated.

5. Principle of transparency.

6. Controllers are expected to observe the data protection principles and uphold the standards set by default data protection guidelines.

7. Special protection for children: Children must be shielded from behavioral advertising influences, exempting them from having to make a "consent or pay" decision.

8. Special emphasis should be placed on GDPR Article 5(2) concerning accountability. Controllers are required to demonstrate that consent obtained from data subjects was given voluntarily and fulfills other criteria necessary for its validity.

Effectiveness of Consent

A. Voluntary Consent

1. Defining Consent: Consent is a definitive indication of the data subject's intent, where voluntariness is essential to the legality of the data processing activities.

2. Ensuring Freedom of Choice: Controllers are required to ensure that data subjects have genuine autonomy in making consent decisions. This includes avoiding the imposition of barriers that could restrict the ability to refuse consent, in line with GDPR provisions on data subjects' control rights over their data. Furthermore, data subjects should not be subjected to misleading designs and must be fully informed about their data processing rights.

3. Conditions Undermining Voluntary Consent: Consent is deemed involuntary if influenced by deception, intimidation, coercion, or any other circumstances that impede the free will of the data subjects. Additionally, if data subjects are reluctant to accept the adverse effects associated with data processing, such consent is considered invalid.

4. Criteria for Valid Consent: Key considerations for assessing the validity of consent include potential harm to the data subject from refusing or withdrawing consent, the presence of any imbalance of rights between the data subject and the controller, the necessity of consent as a condition for obtaining services or goods, and the ability of the data subject to give consent to various processing activities.

5. Individual Assessment of Consent Validity: The evaluation of consent validity must be conducted on a case-by-case basis, considering the specific circumstances and contexts involved.

• Provision of a Non-Behavioral Advertising Alternative

1. The default provision of only a paid service is not acceptable; controllers must offer a free equivalent alternative that does not involve behavioral advertising. This approach prevents users from being forced into a binary decision between consenting to behavioral advertising and paying to opt out, thereby ensuring that consent remains voluntary.

2. The free alternative should not entail processing personal data for behavioral advertising. Instead, it could involve less invasive forms of advertising, such as contextual or general advertising, with controllers ensuring that only the necessary personal data for such advertising is processed.

3. An essential factor in assessing both the data subject's autonomy in choice and the effectiveness of their consent is whether the controller offers a free alternative devoid of behavioral advertising. This strategy can significantly diminish, or altogether prevent, the adverse effects faced by users who choose not to consent.

4. In scenarios where there is a power imbalance, providing a free alternative is a crucial method for controllers to demonstrate that non-consent does not lead to negative repercussions for the data subject.

5. Controllers must enable data subjects to clearly understand the potential adverse outcomes of each option, ensuring that choices are presented without deceptive designs.

6. Consideration should also be given to specific requirements under the DMA or DSA "gatekeeper" regulations.

• Damage

1. Users who have historically accessed services without fees or consent to behavioral advertising may face financial hardships or lose access to the service if a free alternative is not provided. This impact is particularly pronounced for long-standing users on large online platforms where lock-in or network effects are significant. The introduction of a "consent or pay" model partway through their use can cause substantial harm.

2. On platforms that rely heavily on user-generated content or user interactions, such as video sharing platforms or social networks, network effects can complicate users' decisions to discontinue service use without facing adverse consequences. Often, users prefer to be tracked to maintain online interactions with friends or preferred networks. For users entrenched in the platform's environment, discontinuing use can lead to significant losses, including the loss of communication links, images, videos, and personalized data. The duration of use intensifies the impact of these lock-in effects.

3. Inability to use services integral to daily life or those that play a significant role in society can cause considerable detriment. Services such as social platforms or key forums in economic and political arenas profoundly influence users' social lives and their inability to access these can be damaging.

4. Being unable to access professional or employment-related platforms can harm users by stripping them of equal opportunities for employment and the ability to stay informed about critical developments in their respective fields.

5. Even if users no longer have the right to access certain services, controllers must ensure that they inform users of their GDPR rights, including the rights to access and port their personal data. This ensures that despite the cessation of service use, users' statutory rights are upheld and communicated clearly.

• Power Imbalance

1. GDPR Recital (43) emphasizes that for consent to be deemed voluntarily given, it must be free from any significant power imbalance between the data subject and the controller. This is particularly pertinent when the controller operates within the public sector or as a government entity. In situations where a clear power disparity exists, the data subject might feel coerced, leading to decisions made under duress.

2. Consent under conditions of power imbalance is only applicable in special circumstances. Adhering to the accountability principle, controllers are required to demonstrate that data subjects will not suffer adverse consequences for withholding consent, particularly when a viable alternative to the traditional consent or pay model is offered. Under these conditions, consent may be regarded as valid.

3. Controllers must evaluate the presence of power imbalances using several indicators:
• Market Position: The dominance of a controller, particularly if it is a governmental entity or a major employer, can exacerbate power imbalances. However, a dominant market position alone does not automatically invalidate consent.
• Lack of Alternatives: The absence of realistic alternative services for data subjects can contribute to a power imbalance.
• Link between Imbalance and Harm: The relationship between power imbalances and potential harm should be closely analyzed, including factors like network effects and lock-in phenomena.
• Service Dependency: The extent to which data subjects depend on the services for essential aspects of life, such as employment, public discourse, or daily routines, limits their freedom to choose.
• Vulnerable Target Audiences: Platforms that primarily target vulnerable groups, such as children, are more likely to exhibit power imbalances.

• Conditionality
1. Under GDPR Article 7(4), the assessment of voluntary consent must critically examine whether data subjects are compelled to consent to processing activities that are objectively unnecessary for accessing services. Services conditioned on such consent are not deemed to be offered on a conditional basis.
2. The Federal Cartel Court has ruled that when data processing operations are not essential for contract fulfillment, controllers are obligated to provide a viable alternative that does not require such data processing. If necessary, this may involve a fee, thereby ensuring compliance with the conditionality requirement and preventing invalid consent.
• Provision of an Equivalent Alternative
1. Definition: An equivalent alternative is a service offered by the same controller that does not necessitate consent for processing personal data for behavioral advertising.
2. Degree of Difference: The alternative should be deemed equivalent if differences from the original are limited to the absence of data processing for behavioral advertising.
3. Function and Quality: Equivalence pertains to the functional and qualitative aspects of the service. The alternative version should provide the same features and functions as the original, although it need not be identical. Additionally, the quality of the alternative service should not be degraded.
4. Data Processing Requirements: The equivalent alternative should not involve initial tracking of data users or the provision of personalized advertising recommendations, unless tracking is performed for purposes other than behavioral advertising.
• Appropriate Fee Considerations Base on Necessity
1. Personal data must not be commodified. The necessity and appropriateness of any fees must be aligned with the principles set out in the Charter and GDPR.
2. Controllers are required to determine the appropriateness of fees on a case-by-case basis, taking into account the specifics of each situation and GDPR guidelines concerning valid consent.
3. It is crucial that fee imposition does not obstruct the data subjects' ability to refuse consent nor coerce them into consenting. Fee strategies should uphold data subjects' autonomy.
4. Attention must be focused on adhering to GDPR Article 5's principles of fairness and accountability.
5. While controllers have the autonomy to set fees, regulatory bodies retain the authority to intervene if fees undermine voluntary consent or contravene accountability norms. The enforcement and interpretation of GDPR compliance rest with regulatory authorities, though cooperation with other agencies may be sought.

• Granularity In the "consent or pay" framework, it is imperative that the different processing purposes are distinctly separated, allowing data subjects the liberty to select each purpose independently. The granularity of consent, particularly in the context of behavioral advertising on large online platforms, is intricate and requires nuanced attention to ensure clarity and compliance.

B. Informed Consent

• Content of Consent: Based on the accountability principle, controllers are required to provide a transparent simulation and record of the information processing activities, ensuring that data subjects have a clear understanding of the implications, scope, and potential outcomes of their decisions. While GDPR recital (42) mandates only the disclosure of the controller’s identity and the purposes of processing, it does not necessitate a detailed description. However, when employing the "consent or pay" model, large online platforms must ensure that users are fully informed about the processing activities, their changes, and impacts. This includes providing detailed information enabling data subjects to comprehend fully the services to which they are consenting and maintaining the option to object to other services. The purposes of processing must be clearly defined, avoiding vagueness, and should elucidate both the benefits and potential adverse effects to the data subjects. The information should align with the provided choices and explain the technologies used in processing personal data, maintaining adherence to principles of fairness and transparency. Controllers are also advised to update data subjects about any new versions or changes in the processing activities and disclose the legal basis for processing personal data. Specific attention should be given to the disclosure of recipients of personal data, the transfer of data to third countries, the retention period, the ongoing collection and processing of data regardless of consent, the rights of data subjects to withdraw consent, and the implications of such withdrawal, as well as the potential combination or cross-use of data.

• Methods of Providing Information:
1. Timing: Information must be provided thoroughly before the initiation of data processing for behavioral advertising purposes, ensuring that data subjects have sufficient time to digest and understand the information.
2. Methodology: The use of deceptive design methods is strictly prohibited.
3. Transparency: Adherence to GDPR’s transparency guidelines is crucial. The information should be presented in a language that is clear, comprehensible, and concise, explicitly stating the consequences of the data subject’s choices regarding personal data processing.

C. Specific Consent

D. Explicit Expression of Will

Additional Factors

A. Withdrawal of Consent

B. Re-obtaining Consent

Compliance Recommendations