The GDPR quite meaningfully changes the rules and conditions around consent as a legal basis for processing personal data. This blog post addresses one particular rule, about which there is a great deal of uncertainty due to misleading statements made by individuals and organizations whose representation of the law is rooted not in law but in ideology. Specifically, they claim that under the GDPR it is illegal to make access conditional on consent to data processing; in other words, that a data subject must be able to refuse consent while still having access to the service.
The rule in question is GDPR Article 7(4):
“When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
This rule stipulates, in essence, that one needs to consider whether access to a service that the data subject seeks is conditional on the data subject consenting to data processing. A careful reading of this provision reveals that the words “prohibition” or “prohibited” do not form part of the rule.
This is no coincidence. This language has been carefully drafted with the specific intent of not establishing a general prohibition of such take-it-or-leave-it choices. Indeed, the European Parliament’s legislative resolution of 12 March 2014 read:
“[…] The execution of a contract or the provision of a service shall not be made conditional on the consent to the processing of personal data that is not necessary for the execution of the contract or the provision of the service […]”
As those familiar with the legislative process in the European Union know, the European Parliament is but a co-legislator: the Council of the EU also has to agree to a legislative text for it to be adopted as law. The Council did not agree to establishing a prohibition of take-it-or-leave-it consents, and so a compromise was reached that fell short of a prohibition of the practice while creating the possibility for the practice to be unlawful in certain circumstances – “utmost account shall be taken of whether” consent to processing of personal data is a condition for provision of a service, as opposed to “provision of a service shall not be made conditional on the consent to the processing of personal data […].”
The question thus is: when is it appropriate to make provision of a service conditional on consent, and when is it not?
In IAB Europe’s view, it is perfectly reasonable for a publisher to refuse access to its content to users who do not agree to the publisher processing data to display data-driven advertising to monetize the content, just as any other private provider of commercial goods and services can refuse access to its offering unless terms, conditions, and payment are accepted by the consumer. Obviously, it must always be the consumer’s free choice to enter into the commercial agreement or not. It is the very essence of the free market and respect for private property.
In other circumstances, like the supply of insurance or public goods where the citizen is without a choice (e.g. healthcare, schools, driver’s licenses, etc.), it is reasonable that these services must be provided even if the citizen does not want to consent to processing of the personal data for commercial purposes.
Luckily, for the moment the ePrivacy Directive, which complements and particularizes the general rules of the GDPR, states that “[a]ccess to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose,” such as advertising.