Consent, the Big Word in Privacy Compliance
Johan Eloff – 15 May 2017
The word “consent” might creep into the everyday vocabulary of households and businesses in the next few months. Becoming compliant with South Africa’s Privacy Act (POPI Act in short) gives effect to the constitutional right to privacy. We will hear concerns and questions such as “did you give consent”, “what did the consent require”, “can they do this without my consent”, “can I cancel my consent” and “can I refuse to sign a consent form”.
This short article can certainly not do justice to the rich and elaborate content published in the European Union on the application of consent as a privacy condition (in the EU the term principles is used). However, a few notes for consideration might assist businesses to avoid an unbalanced, primarily consent-driven privacy compliance implementation.
As a first note, one should always consider consent as one of the grounds for lawful processing of personal data. When reading the POPI Act with the purpose of preparing adherence to the Act, it is noticeable that consent does not appear as a self-defined heading in the eight Conditions. Along with Lawful Processing, Minimality and Collection, Consent forms part of the broader and detailed principles of Condition 2 dealing with Processing Limitation.
International literature from the strong privacy countries in the EU concurs that consent does give grounds for lawful processing, but they also point out that consent is not the only or always the most appropriate reason for establishing grounds for lawful processing. In the South African Act one finds a number of other grounds for lawful processing whether consent is given or not.
Furthermore, obtaining consent does not relieve the processor of its other obligations under privacy law, especially the requirements for Further Processing, Minimality and Purpose. On the contrary, one should also point out that consent can legitimise processing activities which would otherwise be prohibited, as in the case of processing some sensitive data. Sections 27(1)(a) and 35(1)(a) of the POPI Act define these requirements.
The next note for consideration refers to the content of consent. The POPI Act defines Consent as: “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.”
To be voluntary, one would expect that consent can only be valid when individuals can exercise a choice free of deception, interference, intimidation, coercion or any significant consequences. To exercise a valid choice, the attributes of the required consent should be specific and unambiguous. In other words, a blanket consent without specifying the exact, specific and explicitly defined purpose of the processing would be problematic. One can therefore say that consent must be intelligible.
Another note for consideration is the circumstances where the consent given cannot be seen as voluntary. An example would be where consent was sought and given but later withdrawn (a right of the data subject) but processing continues on lawful grounds for processing based on other conditions or exemptions such as the enforcement of other law. In retrospect one might then question whether the original consent can be interpreted as misleading or unfair practice.
As a last note, organisations are advised to be cognisant of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). By this regulation the European Parliament and Council as well as the European Commission intend to strengthen and unify data protection for all data subjects within the EU. This regulation applies from 21 May 2018. There will definitely be South African businesses that will be affected by the adjustments and amendments to Directive 95/46/EC. Equally important is the fact that in the past most countries based the establishment of their Privacy legislation on the principles of the OECD as well as Directive 95/46/EC. In Africa alone 53 countries have agreed to follow this road, including South Africa. This leads to the strong possibility that over time the principle of “follow the lead” will again apply in these countries and they will adapt their existing legislation in accordance with the GDPR. It will therefore be in the interest of organisations in South Africa to consider the GDPR during their POPI Compliance implementations. Regarding the topic of Consent, changes to Directive 95/46/EC can be classified under the following themes:
- Enhanced requirements for obtaining the data subject’s consent
- Affirmative consent for data processing
- Explicit consent required for special categories of data
- Parental consent required for processing children’s personal data
In conclusion: Although the correct practice will be to obtain consent for the purpose of processing personal data, one should keep in mind that there are other conditions in the Act that can also be used as grounds for lawful processing. Businesses should guard against creating the perception that the required consent is an attempt to exempt them from complying fully with other conditions in the Act.
This article was written by Mr Johan Eloff, the Privacy Practice Lead at Magna Group. Johan is a subject matter expert in governance, risk and compliance in Information Management with a strong emphasis on Privacy legislation including the POPI Act of South Africa. He certified as a Certified Information Privacy Professional (CIPP/IT) at the International Association for Privacy Professionals (IAPP) in 2011. He has many years of experience in serving and chairing multiple management committees, task teams and governance bodies on compliance, risk management and audit.