Trust and Internet Identity Meeting Europe
11-14 Feb 2019: Workshops and Unconference

GDPR kills consent

(Peter Clijsters)

Synopsis: There are many regulations regarding consent, which means getting the consent itself is very difficult.

Participants: Mikkel Hald, Peter Molhair, Mehran , Peter S., Mads, Peter Winkler, Raoul, Katarina, Radovan, Peter Pichler, Ralf …

Peter C (peter.clijsters@surfnet.nl) from SURFnet presents what consent needs elements of valid consent:

  • freely given,
  • specific,
  • informed and
  • unambiguous indication of the data subject’s wishes

by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

He wonders how to interpret what ‘freely given’ means. From the WP29 “Guidelines on Consent under Regulation 2016/679” at https://iapp.org/resources/article/wp29-guidelines-on-consent/ :

“The element “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. 12 If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given. Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment.1”

Quote from the example from the WP29 doc:

“A mobile app for photo editing asks its users to have their GPS localisation activated for the use of its services. The app also tells its users it will use the collected data for behavioural advertising purposes. Neither geolocalisation nor online behavioural advertising are necessary for the provision of the photo editing service and go beyond the delivery of the core service provided. Since users cannot use the app without consenting to these purposes, the consent cannot be considered as being freely given”

A question is: what if a researcher or student can’t access a publisher’s database (Elsevier for example) without consenting to processing of their personal data? Does the student/researcher have any choice? Can they go elsewhere to access the information?

You might want to check for other basis for processing of data before using consent. All possible basis for processing data can be found at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ .

Another question: do you need 2 moments of consent: from the IdP before releasing your attributes and then at the SP before processing? So you know you have to ask every SP to forget you, stop processing etc.

Peter C: We just had the 10 year anniversary of being part of the federation process at the university. We always used consent as a mean for researchers or students to access their institution or proxy to complete their work. The end user is shown what attributes they have already in the system and which need to be filled out. Now the GDPR is there as a new approach. The GDPR’s legal basis requires that in order to process personal and private data, consent is needed (among others: private data, the controller and processor). This has been documented and advised in an article of the board.

As stated in this article, consent should be

Freely given – consent is not valid if it is impacted by outsiders in any way

Patrick C: Web shops are a good example: consent is already given, there is no need for written consent because you wouldn’t go into the shop in the first place to buy. Why is it when I go into a store they ask for data specifically but when you do a query in a website you already are asked for data to enter? Should there be a sign on the door that states exactly what personal data is needed and why?

Peter S.: There are many ways to access some kind of product or information so there is always another choice.

Peter C: Think of a photo manipulation site. Actually using it is strongly related to consent. Whenever there is an imbalance of power there is always a problem in giving access to data. Specific data at the moment of processing should be carefully examined. Here we go into our second attribute for consent:

Specific – data should be given for a specific purpose. Purpose specification is a safe guard for information. Informed – providing information before asking for consent in order for the user to make informed decisions and be able to withdraw consent

And finally there is a third attribute relevant to the consent topic:

Unambiguous indication of the subject’s wishes – active declaration of these wishes

Peter C: The usability of consent will be greatly reduced by GDPR. People should be able to use the service even without giving full consent.

Mads: You couldn’t use the service if the service doesn’t have your data. That is the problem.

Peter S.: Reality is totally different in fact from published documentation. You always need to give a certain amount of data. Giving user information is not the same as giving them ability to consent.

Peter C: What is then called personal information in its core? Always when logging in there is an information exchange between the service provider and the user – in the federation case at least.

Peter S.: It is nowadays called personal info in any case, not only when you can track back the user legally or otherwise.

Peter C: Even a dynamic IP address is now personal information

Patrick Curry: The problem gets worse when you introduce LISP and it’s quite possible to jump through the hierarchy and access multiple instances of IP addresses.

Mads: There is IDP approval from every institution and it makes consent not necessary. It is mostly about policy. IDP takes care of the approval process but for example there are products that are only used from 2 users and no explicit consent is needed in that case. Also if you withdraw your consent you are not really withdrawing it from where it actually matters – the service. Consent is not really consent.

Peter C: We offer three kinds of services: 1. Necessary services for work (no consent asked), 2. Grey area, 3. Service that has nothing to do with the work/ study process and in that case consent can be asked from the end user related to what will be provided

Peter S.: We have now narrowed down why consent is hard to take legally: There is a huge gap between (1) Institutionally approved contracts and (2) there are so many SPs and not each one of them is considered into the consent taking / giving process. Consent is contextual and it is not yet in machine available formats.

Mads: If your institution provided you with consent and you want to visit a certain product, you don’t really need to give consent.

Hald: Example for grey areas?

Peter C: That type of service is an intermediary case when there is no explicit approval from the institution but the work is also at some extent necessary for the user. We are not the service provider though so we just provide that information then. To the next instance.

Ralf: We agree that the form should come from the SP? The user would then agree with the SP directly. They would also be liable at the end.

Peter C: Who is the controller and who is the processor is another important question.

Peter S.: Contracts / legal obligations —- safe guards / research/ scholarships ——- it always gets further away from fully legal and fully compliant services so consent there is a grey area

Peter C: We will not call it consent anymore. It will be called information of some kind.

** Please Note ** KantaraInitiative.org has formed a new Work Group “Consent Management Solutions” that will be developing a Best Current Practices document for Management of Consent to process personal data. Participation in this WG is no-fee, but you must sign the Group Participation Agreement for the intellectual rights agreement. Of course, becoming a fee-paying member of Kantara is always encouraged. The first WG meeting is February 21, 2018 at 10:00am Eastern time / 15:00 GMT.