There is a high bar for using consent as a lawful basis for your data processing activities.
Consent must be informed and specific, which means the individual must be made aware of the identity of the data controller* and the controller’s purpose(s) for the intended data processing. If there are multiple purposes for which the controller is relying on consent as the lawful basis, the individual must be informed regarding each purpose, and must consent to each purpose.
*Recap: The data controller determines how and why data is processed.
Consent must be freely given, which means the individual must actually have a choice that will not yield a detrimental outcome if they do not consent. Consent is not freely given if the individual will be denied the use of a product or service unless they consent. The "take it or leave it" approach that is used by many (if not most) online services in the U.S. is not going to fly under the GDPR.
Consent must be an unambiguous and affirmative action, which means you must be able to demonstrate that the individual actually did something to express his or her agreement to the contemplated processing.
There are stricter consent requirements for processing activities involving children or special categories of personal data. We’ll cover those later.
You can rely on a contract as the lawful basis for certain data processing activities, such as delivering purchased goods or services. The key here is that the processing must be necessary to perform contractual obligations, or to take steps necessary to enter into a contract with the individual.
For example, you can process an individual’s email address in order to send a shipping confirmation for goods they purchased from your website. You cannot rely on contract as a lawful basis for activities outside the scope of the contract, like direct marketing. In other words, contract is not an appropriate lawful basis to justify automatically adding an individual to your email newsletter when they purchase goods through your website. There are also stricter requirements for processing activities involving a minor, who may not be legally competent to enter into a contract.
(3) Legitimate Interests
Legitimate interest is the most flexible lawful basis. It can be used for processing activities that are necessary for purposes related to legitimate interests of the data controller, subject to certain limitations. It is generally appropriate for processing activities that the individual would reasonably expect and which have a minimal privacy impact.
First, determine the legitimate interests for all of your processing activities. Legitimate interests can be related to your business operations, but they must be related to one or more specific purpose(s). Examples of legitimate interests include detecting fraud, conducting sales, and ensuring network functionality and security. Direct marketing may constitute a legitimate interest, but data subjects have the right to object to direct marketing. We’ll discuss obligations related to the rights of data subjects in a later post.
The contemplated processing must be necessary to achieve the purpose(s) related to your legitimate interest(s), and it must be proportionate to that purpose. If you can achieve the intended result in a less intrusive way, you can’t rely on legitimate interest as your lawful basis.
If the data subject would not reasonably expect the processing activity, or if it might cause unjustified harm, the individual’s interest will override your legitimate interest. When determining whether to use legitimate interest as your lawful basis, consider what the data subject would reasonably expect given the context and timing of collection, and the circumstances under which you now consider the processing necessary to serve a legitimate interest.
The remaining conditions that constitute a lawful basis are worth mentioning, but are less likely to be relevant to most U.S. companies.
(4) Legal Obligation: You can process personal data as required in connection with a legal obligation arising under EU law. For example, if you have employees in the EU, you can process their personal data in order to satisfy any payroll or other tax reporting obligations in that EU country.
(5) Vital Interest: You can process personal data to save the data subject’s life, or to save someone else’s life. This may apply if your company processes personal health data of individuals in the EU, and medical providers need to access that data in order to respond to a medical emergency involving a particular individual.
(6) Public Task: Mostly relevant to public authorities, this allows for processing activities related to public functions or which are carried out in the public interest by a controller with appropriate official authority.
Changing Your Lawful Basis
You have to disclose your lawful basis and intended purposes for processing at the time you collect data (we’ll cover this in more detail in a future post), so it’s important to determine the appropriate lawful basis for your processing activities up front. You may not make it to first if you decide to bunt too late.
You don’t need a new lawful basis for a slightly different or new purpose as long as that new purpose is compatible with the original lawful basis and the original lawful basis was not consent.
Compatibility depends on the context, the reasonable expectations of the data subject, the type of personal data involved, and the security safeguards in place. Certain processing activities for archiving in the public interest, scientific research, or statistical purposes are presumptively compatible lawful processing operations.
You should always identify and document a new lawful basis to process data for a new purpose that is significantly different from your original purpose, or which would be unexpected or have an unjustified impact on the data subject.
If you relied on consent as your original lawful basis, you must either get specific consent to process personal data for a new purpose, or document a different applicable lawful basis for the new purpose.
If you get specific consent from a data subject to process their data for a new purpose, you don’t have to show that your new purpose is compatible with your original purpose.
If you read our first post, you might remember that you are not only responsible for complying with the GDPR, but you must also be able to demonstrate compliance. That means documenting everything. Before you can identify and document the lawful basis for your activities, you should map out how you collect and process personal data, and the purpose of each of your processing activities. Keep a record of the lawful basis you are relying on for each processing purpose, including an appropriate justification for why it applies. You also need to keep sufficient records to demonstrate that you obtained consent, where applicable. If you change the purpose, inform the data subject and be sure to document everything related to the changed or new purpose.
We’ll cover documentation requirements in more detail in a later post. In the meantime, feel free to reach out if you have questions about the lawful basis analysis, or need help mapping out your data processing activities.
UPDATE: The Information Commissioner's Office (ICO) has an interactive guidance tool to help you assess the lawful bases of your data processing activities.
*This blog provides general information for educational purposes only. It is not intended to constitute specific legal advice and does not create an attorney-client relationship.*