By Martha Moraa.
Introduction.
Should I ask for consent every time I process personal data? The answer is no. It is a common misconception that consent is required for all data processing activities. Organisations seem to be stuck on the applicability of consent under the Kenyan Data Protection Act and think that they need consent for all their processing activities, when in reality the processing could be based on other lawful bases, such as the performance of a contract or legitimate interests. Obtaining a person’s consent before processing their personal data is only one of the ways in which organisations can lawfully process personal data; there are other legal bases for processing personal data where consent is not required.
What is consent?
The Kenyan Data Protection Act provides for consent from a data subject as one of eight lawful bases for processing personal data. The other lawful bases are: legal obligation, the performance of a contract, vital interest, public interest, legitimate interest, the performance of any task carried out by a public authority, and the purposes of historical, statistical, journalistic, literature, art or scientific research. If your personal data processing practices do not meet one of the above lawful bases, then they are not lawful under the Data Protection Act, and you or your business will be subject to financial penalties. The Data Protection Act defines consent as any manifestation of express, unequivocal, free, specific and informed indication of the data subject’s wishes by a statement or by an explicit affirmative action, signifying agreement to the processing of personal data relating to the data subject. This can include ticking a box when visiting a website, or conduct that in context indicates the data subject’s acceptance of the proposed processing of his or her data. Silence, pre-ticked boxes, or inactivity should not, therefore, constitute consent.
Another question we can ask ourselves is: what are the consequences of not obtaining valid consent when processing personal data? In July 2020, the Italian Data Protection Authority imposed a fine of €16,729,600 on the telecoms company Wind Tre for its unlawful direct marketing activities. The enforcement action started after Italy’s regulator received complaints about Wind Tre’s marketing communications. Wind reportedly spammed Italians with ads without their consent and provided incorrect contact details, leaving consumers unable to unsubscribe. The regulator also found that Wind’s mobile apps forced users to agree to direct marketing and location tracking, and that its business partners had undertaken illegal data-collection activities. It is worth noting that Wind should have established a valid lawful basis before using people’s contact details for direct marketing purposes. This would probably have meant obtaining consumers’ consent, unless it could demonstrate that sending marketing materials was in its legitimate interests. The lesson is that, whatever the basis on which you send direct marketing, you must ensure that consumers have an easy way to unsubscribe, and you must always ensure that your company’s Privacy Policy is accurate and up to date.
The Kenya Data Protection (General) Regulations, 2021, provide that any data controller or data processor who uses the personal data of data subjects for direct marketing purposes must first seek their consent.
In yet another case revolving around consent, the Spanish DPA fined the financial services giant BBVA (Banco Bilbao Vizcaya Argentaria) €3 million for sending SMS messages without obtaining consumers’ consent. The remaining €2 million of the penalty related to BBVA’s privacy policy, which failed to properly explain how the bank collected and used its customers’ personal data. In all circumstances, you must ensure you have valid consent for sending direct marketing messages. It is therefore important to always include all the necessary information in your privacy policy and to obtain valid consent.
Obligations of Data Controllers and Data Processors.
For purposes of consent, Data Controllers and Data Processors have an obligation to ensure that:
- The data subject has real choice and control. Consent will not be considered free if the data subject is unable to refuse or withdraw his or her consent without detriment. Any element of inappropriate pressure or influence upon the data subject which prevents a data subject from exercising their free will shall render the consent invalid.
- Accurate and full information regarding the nature of the personal data to be processed, the purposes of the processing, the recipients of any possible transfers, the rights of the data subject, the consequences of not consenting to the processing in question, and any other relevant information is provided to the data subject, to enable the data subject to give informed consent.
- The data subject has taken a deliberate action to consent to the particular processing. This is the affirmative action. Consent can be collected through a written or (recorded) oral statement, including by electronic means.
- The request for consent is prominent, concise, separate from other terms and conditions, and in plain language. If the request for consent is vague or difficult to understand, then it will likely fail to meet the minimum criteria required to obtain valid consent and would, therefore, be invalid.
- There are records of consent to demonstrate when consent was obtained and what information was provided to the data subject at the time of obtaining consent.
- Their identity, and that of any third parties relying on the consent, is disclosed to the data subject.
- The consent covers all the purposes of the processing for which it is sought.
- There are granular consent options for each separate type of processing unless those activities are clearly interdependent.
- There are details of how a data subject may exercise their right to withdraw consent.
- There is an applicable lawful basis, consent included, on which they rely at the time the personal data is processed.
- If the purposes of the processing change after consent was obtained, or if an additional purpose is envisaged, new and specific consent is obtained. Should the processing activity change while a data controller or data processor is relying on consent, it will need either to obtain fresh, specific consent or to identify a new lawful basis for the new purpose.
- They do not retrospectively rely on another, more favourable lawful basis to justify the processing where there is an issue with the validity of the consent.
Use of consent in Employment.
Regulatory and enforcement action in other jurisdictions informs us that the consent of data subjects in the context of employment relations cannot be regarded as freely given, due to the clear imbalance between the parties. The Hellenic DPA issued a €150,000 fine against PWC for the wrongful use of consent as a legal basis for processing its employees’ personal data. The Greek regulator said that the company had given employees the false impression that it was processing their personal data on the legal basis of consent, when in fact it was relying on another legal basis which it had failed to notify to the employees. That lack of disclosure was a further breach of the rules on transparency, as was its inability to demonstrate compliance with the principles of lawful, fair, and transparent processing. In this case, the DPA noted that the choice of consent as the legal basis was inappropriate, as the processing of personal data was intended to carry out acts directly linked to the performance of employment contracts, compliance with a legal obligation to which the controller is subject, and the smooth and effective operation of the company as its legitimate interest.
Martha Moraa is a Data Privacy & Protection Consultant at CyberTembo Unified Security Ltd.