Data consents: lets get granular

T201802 Sugar adhis blogger has previously discussed some of the difficulties in relying on consent as a justification for lawful processing under GDPR, but these difficulties bear closer examination.  First, the basics.  Then some thoughts on the use of consent in the research world and whether it is always needed.

The basics

Consent is one of the six lawful bases that justify the processing of personal data.  To be adequate, consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes by a statement or clear affirmative action – granular is the word the regulators use.  It is not silence or a pre-ticked opt-in box.  It is not a blanket acceptance of a set of terms and conditions that include privacy provisions.  It can be ‘by electronic means’ – it could be a motion such as a swipe across a screen.  But, where special category data (sensitive data such as health data) are processed and explicit consent is needed, this will be by way of a written statement.

The data controller must be able to demonstrate consent.   This goes to accountability – the controller is responsible for demonstrating compliance across the piece although GDPR does not mandate any particular method.

Consent must be requested in an intelligible and easily accessible form and must be clearly distinguishable from other matters.  The request cannot be bundled up and appear simply as one part of a wider set of terms.  When the processing has multiple purposes, consent should be given for each of them – granularity again.  Conflated purposes remove freedom of choice.

Consent must be freely given.  It must be a real choice.  Employers will always find it hard to show that their employees have consented freely, for example.  The choice needs to be informed.  Without information, any choice is illusory (the transparency principle).  As a minimum, the informed individual would need to know: the controller’s identity; the purpose of the processing; the data to be collected and used; and, that consent can be withdrawn.

It must be as easy to withdraw consent as it was to give it.  This doesn’t necessarily mean that withdrawal must be by the same action (swipe to consent and withdraw) but rather that withdrawal must be by the same interface (consent via the website, withdraw via the website).  After all, switching to another interface would involve ‘undue effort’ for the individual.  If consent is withdrawn, the individual must not suffer any detriment.

With pleasing circularity, demonstrating that withdrawal carries no cost and no detriment (meaning no significant negative consequences) helps to demonstrate that the consent itself has been freely given.

Consent in research world

Getting granular consent (meaning consent specific to a given purpose) can be repetitive.  Bundling up different consents in one is not allowed so multiple purposes make for long lists of consents and the risk of consenting fatigue.  Other lawful bases may be more convenient and consent should not be the default or unthinking route for controllers.  Aside from the high threshold for adequate consent, the GDPR’s transparency agenda means that there is a strong argument that if consent is given as the lawful basis at the outset there can be no substitution of a different legal basis if consent is withdrawn.

Getting granular consent can be difficult.  GDPR recognises that it may not be possible to fully identify the purpose of scientific research processing at the point of data collection and acknowledges that individuals could consent only to certain areas of research.  GDPR’s principles are relaxed for the benefit of scientific research but they continue to apply.  The purpose of the processing must still be described but it is enough for the research purpose to be ‘well described’ rather than specific.  Transparency is a safeguard where specific consent is not possible.  Research plans should be available.  Consent should be refreshed as the research progresses.

Consent must be freely given.  Does a research participant have a free choice?  Probably yes, if the intended processing is not arbitrary or unusual and if the information provided is adequate and accurate.  An informed refusal to join a clinical trial will not lead to standard treatment being withdrawn so there is no detriment.  But what if the standard treatment is not working?  If the individual has to consent to arbitrary processing of their personal data in order to take what may be their only remaining hope then it is difficult to see that as a free choice.

Consent can be withdrawn.  Researchers have some comfort in that processing that has already been carried out remains legitimate after consent is withdrawn.  But further processing must stop which threatens the ongoing research project, unless the data can be disentangled.  To make matters worse (for the researcher), if there is no other legal basis for holding the data then it may be necessary to delete it – more difficult disentangling, especially if the individual forces deletion through their right to be forgotten.

What can the worried researcher do about the risk of withdrawal?  Anonymise the data and carry on is always a good answer.  Rely on a different legal basis in the first place (and carry on) is another good answer.

Sidestepping the issue by making the consent irrevocable is not a good answer: it would breach the requirement that consent can be withdrawn at any time.

A sneaky lawyer’s answer may be to embrace the requirement that consent must be as easy to withdraw as to give.  If changing formats involves ‘undue effort’ then avoid electronic means and require consent to be in writing.  This answer is not guaranteed by any stretch of the imagination: the data controller is essentially betting that few will bother to put pen to paper to withdraw.

Clearly GDPR consent is a troublesome beastie but there is one strong point in its favour.  Using consent as the legal basis for processing promotes trust.  Repeatedly refreshing that consent as the research progresses reinforces trust.  Trust makes the engagement stronger.  Perhaps the prize of a stronger and more committed and engaged research cohort based on consent is worth it?

Leave a comment

Filed under Databases

Ancient treasure from IP Draughts

IP Draughts has just stumbled across some ancient treasure – articles and an interview transcript – from the around the time he started his firm in 1994. The most interesting, in his view, is an interview that he conducted with Lord Cockfield.

Arthur Cockfield, who died in 2007, was a British politician, who became Secretary of State for Trade in 1982. From 1984 to 1988 he was a European Commissioner, and he was a major driving force behind the creation of the Single European Market in 1992. Shortly before his interview with IP Draughts, he had published a book about the single market.

IP Draughts found Lord Cockfield a difficult person to interview. First, there was huge secrecy about the location of the interview, which turned out to be his London flat. Lord Cockfield insisted on having a list of questions in advance. When IP Draughts turned up for the interview, Lord Cockfield left him in no doubt as to who was going to control the interview. Some of it he insisted would be off the record (those bits are not in the transcript; they weren’t particularly interesting!) From memory, the interview wasn’t published.

Despite these shortcomings, the interview has some historical interest, particularly at a time when it appears that the UK is likely to leave the single market on Brexit. Lord Cockfield discusses the single market, divisions in the Conservative Party, how the European Commission goes about its business, and the UK’s relationship with the EU. IP Draughts kept trying to bring the conversation back to IP issues, but it is clear looking back that Lord Cockfield wasn’t interested in the subject and diverted to other examples to illustrate his themes. The unedited interview can be found here: interview with Lord Cockfield in about 1995.

Also uploaded here for their historical interest to IP Draughts, if no-one else, are:

Happy reading!

 

Leave a comment

Filed under &Law Updates

Another outing for this review of MSCD

via Improve your contract drafting. Step 1: read MSCD, 3rd edn

Ken Adams recently published the 4th edition of his great work, Manual of Style of Contract Drafting. It seems timely to repost IP Draughts’ review of the 3rd edition, from 5 years ago. IP Draughts views on the 4th edition are largely the same as for the 3rd, except that the new edition reflects another few years of thought on the part of the author, and expansion and refinement of the text.

Leave a comment

Filed under Uncategorized

Courses for people

After some recent overseas trips (to rural Ireland, a small town near Barcelona, and central Geneva), IP Draughts is looking forward to a period of relative stability. One of his major tasks in the next few weeks is to organise this year’s outing of the UCL IP Transactions course, which runs from 16-20 April. There are still places on the course, so please do book if it is of interest, and encourage your colleagues to do so! The application form is in the brochure, which can be found here.

You or your colleagues may also be interested in the one-day courses that IP Draughts is running at UCL in the coming weeks and months. Next week it is Advanced IP Licensing, the following week IP Terms in Research Contracts, and we also have a session on Legal Terms in Commercial Contracts booked. Details of these and other courses can be found on the UCL Laws website here. Alternatively, we can run these and other courses for you in-house for a fixed fee – please contact courses@andlaw.eu for further information.

While on the subject, you may be interested in a conference that IP Draughts is helping the American Bar Association to organise, in Copenhagen in June, on the subject of life sciences. Conference brochure here.

 

 

Leave a comment

Filed under courses and training