The European Data Protection Board (EDPB) has published updated guidance regarding consent for the purposes of the EU General Data Protection Regulation (GDPR). The updated guidelines should be of particular note for any businesses in New Zealand that are subject to the GDPR (our previous commentary on the GDPR's extra-territorial reach is available here).
For agencies in New Zealand more generally, while there may be a number of differences between the GDPR and the New Zealand Privacy Act (as we've summarised previously here), the guidance sets out best practice regarding what will constitute valid consent. Higher standards for authorisation are also consistent with the Privacy Commissioner's commentary regarding agencies in New Zealand needing to raise their game in relation to transparency more generally. Over time, this type of overseas guidance, and the market practices that emerge as a result, may well influence what valid "authorisation" looks like for the purposes of the New Zealand Privacy Act.
What does the updated guidance say?
As with the previous version, the guidance sets out the basis on which valid consent can be obtained for the purposes of the GDPR. In summary, the guidance establishes that consent can only be an appropriate lawful basis for processing personal data if the relevant individual is offered control and a genuine choice with regard to accepting or declining the relevant terms without detriment. The guidance has, however, been updated to clarify two issues:
1. Cookie walls: The guidance emphasises that consent must be freely given and clarifies that, in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of that user. This effectively means that if a user is required to accept or consent to cookies to access content on, for example, a website, then that consent is not valid as the user does not have a genuine choice (even if the user could choose to access the content from a third party website or app instead).
2. Scrolling and consent: The guidance continues to emphasise that consent cannot be ambiguous. In particular, the guidance states that the continued use of a website, or swiping or scrolling through a webpage, is not valid consent. However, the guidance clarifies that consent could be given by, for example, indicating acceptance by swiping a bar on a screen, waving in front of a smart camera, or turning a smartphone around clockwise or in a figure eight motion. Of course, the relevant agency would need to be able to demonstrate that consent is given in this way and the user must be able to withdraw consent in a similarly easy way.
In our view, the updated commentary is timely. We increasingly rely on services that are provided digitally via apps and websites, which often require some form of consent or authorisation. Issues regarding the validity of such consent and authorisation will be particularly relevant in the context of the development and roll-out of COVID-19 contact tracing apps.