The enigma of consent
The surest and easiest way to process personal data in a lawful manner is to obtain first the consent of the person whose information you are about to process. We’ve all heard this statement many times, even from some so-called privacy experts. Unfortunately, less than half of it is true.
Securing genuine consent is more complicated than it seems. And even after a successful collection, the ensuing data processing activity may still get nullified for being inconsistent with fundamental data protection principles.
In other words, it’s not easy. And it doesn’t offer absolute protection from a charge of unauthorized data processing.
Here’s why.
The consent given by a data subject (i.e., the individual whose personal data is about to be processed) is regarded as one of the lawful grounds an entity can rely on when processing personal data. It doesn’t matter if mere personal information is involved, or if it concerns the special categories of sensitive personal information (SPI) and privileged information.
Under our Data Privacy Act of 2012 (DPA), consent is defined as any freely given, specific, and informed indication of will, whereby data subjects agree to the collection and processing of their personal data. Proof of consent may be by written, electronic, or recorded means. This definition closely resembles that given by the European Union’s General Data Protection Regulation (GDPR), except that the latter further emphasizes the need for the unambiguous expression of will, manifested through a statement or a “clear affirmative action”.
From this prescribed meaning, we can derive the four key elements that make up a valid consent. It needs to be: (a) freely given; (b) specific; (c) informed; and (d) explicit or unambiguous. Only upon close inspection of all four does one get to appreciate how challenging getting consent actually is.
• Freely Given – This means data subjects must have a real choice. They cannot be compelled to agree, whether it be through deception, intimidation, coercion, pressure, or undue influence. If there is an imbalance of power between the entity asking for consent and the person being asked to provide it, the consent given will likely be considered invalid. This is why, in the EU, government agencies and employers are advised to look at the other lawful grounds first when trying to justify their data collection. They’re fully aware that if your government or your boss asks you to do something, more often than not, you are going to relent. The power dynamic inevitably creates pressure that is brought to bear on citizens and employees alike. Similarly, consent will also be invalid if a person will experience negative consequences if he or she refuses to give it, or will not be allowed to withdraw the same at a later time.
• Specific – This means consent must refer to a particular purpose. To bundle multiple purposes together and ask for consent only once will result in an invalid consent. The requirement is meant to protect against those situations wherein data subjects agree to data processing for a particular purpose, but in doing so, end up being forced to agree to other unrelated purposes, too. Here, it is important to distinguish purpose from a data processing operation. It’s possible for there to be multiple data processing operations that have one common purpose, in which case, consent only needs to be collected once.
• Informed – To put it simply, data subjects should know exactly what they are agreeing to. EU data subjects, as a minimum, need to be informed of the following: (a) identity of the data controller/s; (b) purpose of the data processing; (c) type of data to be processed; and (d) the existence of the right to withdraw consent. If applicable, information about automated decision-making processes, data transfers, and safeguards for such transfers should also be relayed. Our own DPA does not specify the kinds of information data subjects are entitled to when their consent is about to be collected. A safe bet, though, would be the list of information featured under the right (of data subjects) to be informed.
• Unambiguous – It should be clear that data subjects have really given their consent. Hence, the requirement for a “clear affirmative action” on their end. This is also why the DPA says consent may be evidenced via “written, recorded, or electronic means”. This condition exposes some common practices as clearly falling short of the definition of a valid consent: (a) pre-ticked opt-in boxes; (b) silence or inactivity of data subjects; and (c) continued use of a product or service by data subjects.
When the National Privacy Commission was formed in 2016 and came up with the implementing rules for the DPA, many companies and government agencies rushed to draft their consent forms and immediately asked data subjects they frequently did business with to sign those forms. Most seemed to have forgotten that there are other easier and more appropriate legal bases to choose from. There were some who, having misunderstood the concept completely, sent out letters notifying data subjects that by continuing to be customers or clients, they were, in effect, giving their consent to the processing of their personal data.
But the fault does not rest solely on the shoulders of local data controllers. Our lawmakers share part of the blame, too. When they crafted the DPA, they defined the term “sensitive personal information” using an odd selection of information that makes it impossible for data controllers to avail of other legal bases for their data processing operations. They have no choice but to resort to consent, even if it will likely fail to meet all the mandatory elements.
Consider this: age, marital status, and information about education are all considered SPI by the DPA. All three—especially age—are among the most collected types of personal data. Accordingly, every time an entity tries to collect them, it will have to rely on the grounds prescribed by the DPA. Looking at that list, obtaining consent is usually the only available choice.
The problem is that in many situations, the refusal by a data subject to give consent leaves the data controller no choice except to cancel the transaction. So, the latter will have to insist on securing consent, even if fully aware that it will probably be a compromised one. On the part of the data subject, if he or she needs the product or services of the data controller badly enough, then he or she ends up giving consent. The outcome? Each party is compelled to do something even if it knows it will yield an invalid result.
Fortunately, there might be some relief waiting in the not-so-distant future. A bill currently pending before the House of Representatives is seeking to amend the DPA. Among the improvements it hopes to introduce is the removal of the three data points identified earlier from the definition of SPI, and the addition of the performance of a contract to the lawful grounds for processing SPI. Together, these two amendments will pave the way for a sounder approach to obtaining consent as a prelude to lawful data processing.
Jamael Jacob (@jamjacob) is a lawyer specializing in the field of law, ICT, and human rights. He works for the University Data Protection Office of the Ateneo de Manila University, the Foundation for Media Alternatives, and the LIGHTS Institute. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.