Why “consent” is at the heart of the processing of personal data | The new times

From a data protection perspective, the term “consent” has been defined as “any free, precise and informed indication of his will by which the data subject gives his consent for personal data concerning him to be processed”.

This definition is found in the European Data Protection Directive, which later replaced the General Data Protection Regulation.

Beyond the technical definition, consent, in real life, gives quite a strong impression, that consent to the processing of personal data is a solid and well-oiled machine, which works almost flawlessly and offers the data subject the ability to manage their privacy effectively.

Consent is a means of expressing an individual’s opinion whether and under what conditions the other party may process the personal data of the data subject. According to Daniel J. Solove, consent is an implicit legal tool to serve and achieve what is described as “privacy self-management”.

In fact, the importance of consent can be seen from a common everyday experience, when everyone is subject to consent several times a week. Common tasks such as registering for online services, approving cookies, e-commerce and many more can serve as an example. Consent, of course, is a fact of life.

From a legal point of view, the consent of a data subject before the processing of personal data is a fundamental criterion of data protection and privacy. For many, whether regulators or data controllers or processors, consent is the most important principle in data privacy.

The processing of personal data is generally prohibited, unless this is expressly permitted by law or the data subject has consented to the processing. While being one of the best-known legal bases for the processing of personal data, consent is one of the six fundamental principles governing the processing of personal data set out in Article 13 of the African Union Convention on cybersecurity and personal data protection.

For the processing to be lawful under the previous AU Convention, it is imperative to identify a lawful basis for doing so. Article 13 of the AU Convention sets out “the principle of consent and the lawfulness of the processing of personal data”. The provision states that the processing of personal data should be considered legitimate if the data subjects have given their consent.

Just to emphasize, consent turns out to be the most important, if not the only, legal basis for the lawful processing of personal data. Data subjects must be clearly informed of their rights to withdraw their consent and be able to do so easily if they so wish.

Consent is an unambiguous indication of the will of a data subject which means an agreement on his part to the processing of personal data concerning him, this consent must be given in a clearly defined manner which are the elements of the definition of consent .

In addition, consent management essentially covers the consent lifecycle from start to finish: from data collection and the possibility for data subjects to change or withdraw their consent to the deletion of personal data each time. that the purpose and duration of the data to which the data subject has consented have ended.

Drawing on both the spirit of the AU Convention and the GDPR, the right to consent embodies these essential elements, namely that consent must be given freely; the consent must be specific, by purpose; consent must be informed; the consent must be an unambiguous indication; consent must be given by a declaration or by an overt act; consent should be distinguished from other matters; and a request for consent must be written in plain language that is intelligible and easily accessible.

Whatever the weight of the principle of consent [in processing of personal data], the AU Convention provides grounds for waiver of consent. First of all, it is lawful to process personal data in the context of compliance with a legal obligation to which the data controller is subject. Second, it is lawful to process personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or a third party to whom the data is disclosed. . Third, it is lawful to process personal data for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract. Fourth, it is lawful to process personal data to protect vital interests or fundamental rights and freedoms of the data subject.

In general, consent must be freely given, specific, informed and unambiguous. To obtain free consent, it must be given on a voluntary basis. The free element implies a real choice on the part of the person concerned. Any element of inappropriate pressure or influence that could affect the outcome of this choice renders the consent invalid. In doing so, the legal text takes into account a certain imbalance between the controller and the data subject.

Despite many data subjects’ lack of knowledge – that consent is a legal tool to protect the privacy of their data – there is light at the end of the tunnel as there are various regional and international instruments as well as national privacy laws. data that expressly mentions consent to the processing of personal data.

Notwithstanding other legal bases for the processing of personal data, the consent of the data subject remains an unquestionably important right.

The author is an expert in data protection and privacy.

Comments are closed.