This article was first published in the LexisNexis Privacy Law Bulletin 2019. Vol 17 No 7.
The issue of consent to data collection and use is gaining increasing traction in the modern era. When consent is gathered by a click of a button, are you really aware of how your personal information is being used? Have you even read terms and conditions before agreeing?
In a society where only 6% of people read Privacy policies or Terms & Conditions for all product or services they consent to,1 how do data controllers and processors ensure that an individual has given free and informed consent to the collection, use and disclosure of data?
Consent under the APP
Consent (express and implied) is an exception to general prohibitions against personal information being used in a particular way (Australian Privacy Principle (APP) 3.3(a) and 6.1(a), Office of the Australian Information Commissioner (OAIC) Guideline B.35).2
The four key elements of consent are:
- the individual is adequately informed before giving consent
- the individual gives consent voluntarily
- the consent is current and specific, and
- the individual has the capacity to understand and communicate their consent3
An APP entity should seek consent from an individual for collection and proposed use/disclosure of personal information at the time the information is collected.4 Even then, consent at a particular time in particular circumstances cannot be assumed to endure indefinitely.5
Implied consent is consent that may be reasonably inferred by way of conduct of the individual.7
An APP entity cannot assume:8
- an individual has given consent
- an individual would consent if the individual knew about the benefits of collection, use or disclosure of personal information
- an individual has given consent on the basis alone that they did not object to a proposal to have their information handled in a particular way
- consent simply because it provided an individual with a notice of a proposed collection
- that silence can be taken as consent
- that consent is implied if an individual’s intent is ambiguous or there is reasonable doubt about the individual’s intention
An APP entity may assume an individual’s consent where the following facts, where relevant, are met:
- an opt out option is clearly and prominently presented
- it is likely that the individual received and read the information about the proposed collection, use or disclosure, and the option to opt out
- the individual was given information on the implications of not opting out the opt out option was freely available and not bundled with other purposes
- it was easy for the individual to exercise the option to opt out, for example, there was little or no financial cost or effort required by the individual
- the consequences of failing to opt out are not serious
- an individual who opts out at a later time will, as far as practicable, be placed in the position as if they had opted out earlier9
An APP entity should implement procedures and system to obtain and record consent.10 The APP entity must also ensure that the individual has the option to withdraw their consent at any time.11
An APP entity should always seek express consentfrom an individual before handling the individual’s sensitive information given the greater privacy impact attached to it.12
Voluntary consent is classified as consent if an individual has a genuine opportunity to provide or withhold consent.13 This does not apply where there is duress, coercion or pressure that could overpower the
Under OAIC Guideline B.44, factors relevant to deciding whether consent is voluntary include:
- the alternatives open to the individual, if they choose not to consent
- the seriousness of any consequences if an individual refuses to consent
- any adverse consequences for family members or associates of the individual if the individual refuses to consent
An individual must be aware of the implications of providing or withholding consent. An APP entity should ensure that an individual is properly and clearly informed about how their personal information will be handled, so they can decide whether to give consent. The information should be written in plain English, without legal or industry jargon.
The GDPR14 contains similar provisions in relation to an individual’s consent of personal information being collected, used or disclosed.
Article 6 states that processing shall be lawful only if and to the extent that the data subject has given consent to the processing of their personal data for one or more specific purposes.15
Article 7 contains the conditions for consent:
the controller must be able to demonstrate consent was given
consent must be unbundled and intelligible
consent can be withdrawn at any time
consent must be “freely given”16
Peculiarly to the GDPR, Art 8 sets out the conditions applicable to child’s consent in relation to information society services: the processing of the personal data of a child shall be lawful where the child is at least 16 years old.17 A lower age may be provided by member states provided such lower age is not below 13 years.
Article 49 provides a derogation for specific situation in which provides a legal basis for the transfer of personal data to a third overseas organisation.18 One of the derogations is the case where the data subject has explicitly consented to the proposed transfer and the data subject has been informed as to the possible risks of the transfer.
Italian regulator fines Facebook for misleading users consent19
Last year Facebook was fined £10m by Italian authorities for misleading users in the sign-up process about the extent to which the data they provided would be used for commercial purposes.
Facebook had emphasised the free nature of the service without informing users of the potential profitable ends to which that data might be put, where, had users been aware of the breadth of their consent, it is unlikely that users would have consented. The Italian regulator criticised Facebook for the
default setting of the Facebook Platform services in which transfers user data to websites and other applications without express consent.
Swedish school fined for consent not being freely given20
A municipality in the north of Sweden has recently been fined over its use of facial recognition technology to monitor student attendance. The issue in this case was not that the school was collecting biometric information - a category of sensitive personal information - but rather the GDPR rules requiring valid consent.
The basis of the claim brought by the watchdog was that the school board could not use a student’s consent to collect biometric information due to the imbalance of power between the student and the school board.
The GDPR aims to ensure consent is freely given. Consent does not provide a valid legal ground for the processing of personal data under circumstances where there is a clear imbalance between the data subject and the controller.
“Choice” - real or constrained
It is obvious, and the Swedish example illustrates this, that some choices in an information age society may not in fact be true choices.
Consent can be conceived as a spectrum:
Obligatory Constrained Real
The first type of choice is best described in the context of schools. If a school conditions enrolment on recording the pupils’ photograph (and hence their sex, possibly, and their ethnic origin, both sensitive categories), and the child is obliged by law to attend school, can choice truly be said to be freely given? In such a case it is hard to say consent was true, because the pupils and their parents had no choice but to give consent. This reflects the issue of the Swedish school in which true consent could not be truly given due to the imbalance of power between the pupils and the school (which had the law requiring school attendance behind it). Utilities may be a good example of constrained consent. If there is competition between utilities providers, and one conditions supply on consent to data collection and the other does not, then the consumer has a choice (all other things being equal).
Similarly, if the user must hand over data to pay online, but can go into the Central Business District of a major city to pay in cash, there is formal choice. But it is constrained by convenience and potentially other externalities. The third type involves (certainly at a formal level and substantively probably too) real choice - real in the sense that a user gives consent because they want to.
When a user gives consent to Facebook to collect personal information this consent is not truly obligatory and rather it is a choice made in order for an individual to be a participant in modern society. Of course, if a provider requires a Facebook plug in/log in for use of its own services, that may be a different calculus.22 It is suggested that privacy arguments in the third (real choice) category will revolve around what was consented to (and the adequacy of warnings and expla- nations) rather than whether there was in fact real choice.
The practice of bundled consent by APP entities poses a significant problem in the context of real and free consent. Bundled consent occurs when anAPP entity “bundles” together multiple request for an individual’s consent for a range of various collection, uses and disclosure pur-
poses of their personal information.23 The inherent problem with such a practice is that the individual may be unaware as to the wide range of purposes they have given their consent on. Furthermore, the individual is given no choice to choose which collections, uses and disclosures they agree to and which they do not.
Bundling carries risk and should be discouraged. It is suggested that bundling will lead to disputes with the regulator as to the nature of the consent that was actually given.
Data minimisation principle - the new developing norm
With the introduction of the GDPR came the introduction of the data minimisation principle. Article 5 states that personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘dataminimisation’)”.24
There is no APP equivalent to the data minimisation principle, however, the new Consumer Data Right (CDR) enforces the data minimisation principle in which all data holders must comply with.
Under the CDR, the accredited person:
- must not collect more data than is reasonably needed in order to provide the requested goods or services, and
- may use the collected data only as consented to by the consumer, and only as reasonably needed in order to provide the requested goods or services
Given the introduction of the CDR, it is likely that that the data minimisation principle will becomes a new norm and that the OAIC will likely test consent under the APP against the data minimisation principle to ensure APP entities minimise the collection of personal information to what is strictly necessary.
In conclusion, we consider that it is no longer sufficient for APP entities to seek to rely on APP 2 as a matter of click wrapped freedom of contract consent.
give consent to a minimum necessary collection use or disclosure of personal information, for example the school identification process, or the monopoly utility supplier
give consent to a medium collection and use or disclosure of personal information - where a user understands that they may have limited functionality on using the relevant service
give wide consent, where the user obtains the full range of services available, much as happens now, provided there is a proper explanation of what that entails (eg Facebook)
Finally, an emerging idea turns that on its head. Despite some arguments to the contrary, it is not entirely clear that many users care about their privacy, and enjoy the benefits that widespread use of their data allows (eg cookies linking google searches to advertising and personalisation of search results).
Those who care about privacy could be allowed the option of pricing it, by obtaining full service from a digital entity, in return for a small monthly payment to prevent that user’s data from being used in any other way other than to enhance the user’s experience on the subject application. This is in essence a Spotify model, where a full ad free service can be obtained for a small monthly amount. The latter solution is one that may be worth exploring in certain data rich contexts.
1. Consumer Policy research Centre, P Nguyen and L Solomon,
Consumer data and the digital economy (13 may 2018) p 30 available at https://cprc.org.au/wp-content/uploads/Full_Data_Report_A4_FIN.pdf.
2. Office of the Australian Information Commissioner, Australian
Privacy Principles Guidelines (July 2019) B.35.
3. Above, at B.35.
4. Above n 2, at B.48.
5. Above n 2, at B.49.
6. Above n 2, at B.36.
7. Above n 2, at B.37.
8. Above n 2, at B.38–B.39.
9. Above n 2, at B.40.
10. Above n 2, at B.42.
11. Above n 2, at B.51.
12. Above n 2, at B.41.
13. Above n 2, at B.43.
14. Regulation (EU) 2016/679 of the European Parliament and of
the Council of 27 April 2016  OJ L 119/1.
15. Above, art 6.
16. Above n 14, art 7.
17. Above n 14, art 8.
18. Above n 14, art 49
19. A Hern “Italian regulator fines Facebook £8.9m for misleading
users” The Guardian 8 December 2018 available online at
20. L Tung “Swedish school fined over ‘roll call’ facial recogni-
tion, but consent was the cause” CSO Online 2 September 2019
available online at www.cso.com.au/article/665899/swedish-
21. Above n 1, at 30.
22. Fashion Id GmbH & Co. KG v Verbraucherzentrale NRW eV
(Court of Justice of the European Union, C-40/17, 29 July 2019).
23. Above n 2, at B.45.
24. Above n 14, art 5.
This is commentary published by Colin Biggers & Paisley for general information purposes only. This should not be relied on as specific advice. You should seek your own legal and other advice for any question, or for any specific situation or proposal, before making any final decision. The content also is subject to change. A person listed may not be admitted as a lawyer in all States and Territories. © Colin Biggers & Paisley, Australia 2019.