South Africa: Unpacking consent under the GDPR and POPIA
Personal data is one of the most sought-after commodities of the 21st century1, and as a result, consent has, in recent years, become increasingly prevalent as a codified legal mechanism intended to enable the informational self-determination2 of data subjects. Whilst consent is only one of various lawful bases upon which controllers3 can process personal data4, consent notices have become ubiquitous. The efficacy of consent as a privacy-preserving mechanism, however, is not so straightforward, as the manner in which it is defined, interpreted, and applied can have a significant impact upon numerous rights that data subjects are afforded under current data protection laws. Alon Lev Alkalay, assisted by Mahir Ahmed and Mudda Sulaiman, from Lighthouse Law, compare and analyse how consent is defined under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')5 and South Africa's Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'), as well as what constitutes valid, binding consent.
Defining 'consent'
Defining consent, in the normal sense of the word
In its ordinary dictionary sense, 'consent' means 'to give assent or approval' and/or 'to be in concord in opinion or sentiment' with someone. Applying that definition, if consent is given when X grants Y permission to do Z, then X must, at the very minimum, understand 'what' Y will do, namely Z.
Defining consent under the GDPR and POPIA
Through a legal lens, however, the definition and application of consent becomes far more complex. There are both commonalities and nuances in the way the GDPR and POPIA define consent. Article 4(11) of the GDPR defines 'consent' as 'any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her'. Meanwhile, Section 1 of POPIA defines 'consent' as 'any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information'.
Under both the GDPR and POPIA, the controller bears the burden of proving that consent was obtained, and a data subject may withdraw consent at any time. Importantly, the age at which a child can independently give valid consent differs between South Africa (18 years of age, POPIA treating any natural person under 18 as a child), the EU (16 years of age6, in the context of information society services offered directly to a child), and the UK (13 years of age). A further difference is that POPIA's definition of 'person' includes a juristic person, so a company can itself be a data subject and give consent in South Africa, whereas the GDPR protects natural persons only.
Unpacking the elements of consent
Under both the GDPR and POPIA, there are various elements of consent that must objectively be met in order for consent to be deemed valid. Each of these elements is unpacked and analysed below, leveraging existing authority on the subject matter (largely stemming from the EU and the UK7).
Freely given (voluntary)
A key requirement for consent to be valid is that it must have been given freely (and not conditionally). According to the European Data Protection Board ('EDPB'), 'if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid'8. In its guidance on freely given consent, the EDPB states that in order for consent to be freely given, there should not be an imbalance of power between a controller and a data subject (for example, in an employer-employee relationship)9, consent should not be conditional, consent should be granular, and a data subject should not suffer detriment if they wish to withdraw consent for one or more processing purposes.
Article 7(4) of the GDPR also sets out a basic test for determining whether consent has been freely (voluntarily) given in the context of the performance of a contract or the provision of a service. It requires that 'utmost account' be taken of whether the performance of a contract, including the provision of a service, is made conditional on consent to processing that is not necessary for that performance; where it is, Recital 43 presumes that the consent was not freely given. The prejudice to the data subject in such cases is that withdrawing consent that has been bundled with the contract means '[running] the risk to be denied services they have requested'10.
Specific and informed
Specificity is integral to consent as '[k]nowledge of the content of proposed processing is of paramount importance in exercising a considered, measured or informed opinion, decision or expression of will'11 and is closely linked to granularity (forming part of 'freely given' consent discussed above). Ensuring the specificity of consent is also a necessary step in avoiding 'function creep' — described by the EDPB as the 'unanticipated use of personal data by the controller or by third parties and in loss of data subject control over [their] personal data'12.
As a general principle, where consent for specific processing purposes is 'bundled' with consent to the general terms and conditions for a contract or service, it is likely that such consent will not be specific and informed and, in turn, will be invalid. It is on this basis that Recital 32 of the GDPR provides that '[c]onsent should cover all processing activities carried out for the same purpose or purposes [and that when] the processing has multiple purposes, consent should be given for all of them'. Similarly, Recital 43 of the GDPR provides that '[c]onsent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case…'.
To facilitate consent being specific and informed, the GDPR (Recital 58, given effect by Articles 7(2) and 12(1)) requires that consent notices and privacy policies be 'concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used.' Importantly, POPIA contains no similar (explicit) requirement. South African academics have, however, rightly pointed out that South Africa's Consumer Protection Act, 2008 ('CPA') requires that the producer of a notice, document, or visual representation that is required in terms of any law (which would include POPIA) must provide it in plain language13.
Unambiguous indication of wishes (expression of will)
It is generally accepted that under both the GDPR and POPIA, an indication of one's wishes, or an expression of one's will, means that 'neither silence nor inactivity can constitute valid consent'14 (a position echoed in Recital 32 of the GDPR, which adds pre-ticked boxes to that list). To quote the Norwegian data protection authority ('Datatilsynet'), 'it must be obvious that the data subject has consented to the particular processing'15. Whilst the GDPR provides that a 'statement' or a 'clear affirmative action' can signify an indication of wishes, POPIA does not specify what actions would be required of a data subject. South African academics have, however, aligned their interpretation of 'expression of will' with that of the EDPB and reiterate that it cannot be given by silence or inactivity and that it must be distinct from other actions, such as agreeing to terms and conditions16.
General (informed) versus explicit consent
It is important to address that whilst POPIA refers to only one form of consent, the text of the GDPR differentiates between consent and 'explicit consent'. In particular, the GDPR requires explicit consent when processing special categories of personal data (Article 9(2)(a)), when transferring personal data to third countries in the absence of an adequacy decision or appropriate safeguards (Article 49(1)(a)), and when conducting solely automated decision-making, including profiling, that produces legal or similarly significant effects (Article 22(2)(c)).
Under the GDPR, both general consent and explicit consent stem from the definition of consent in Article 4(11) and therefore, contain the same requisite elements (consent must be freely given, specific, informed, and unambiguous). However, according to the EDPB, unlike general consent, explicit consent refers to the way in which consent is expressed and should be constituted by an explicit statement (electronic, physical, or oral) from a data subject, consenting to the processing of their personal data for one or more specific purposes — for example, by ticking a box, filling out a form, submitting an electronic signature, signing a physical document, or using one's biometric data to authenticate a transaction. Conversely, general 'unambiguous' consent may be met by a 'clear affirmative action' or a 'statement or conduct which clearly indicates in [the relevant context] the data subject's acceptance of the proposed processing of his or her personal data' — for example, where a data subject provides a controller with an email address or other personal information in order to be kept up to date with news and offers, without ever ticking a consent box or filling out a digital form.
Whether or not POPIA requires explicit consent is uncertain for the following reasons: (i) it does not differentiate between different forms of consent in its text; (ii) the phrase 'expression of will' is wide enough to include both implied (general) and explicit forms of consent (or as provided for in the GDPR, both a 'clear affirmative action' and a 'statement'); (iii) scholarly literature has been silent on the matter; and (iv) to date, the South African Information Regulator17 and South Africa's courts have yet to issue any guidance on what they deem to be an 'expression of will' and whether the form of consent, as defined in the POPIA, requires the same standard as the GDPR's explicit consent.
Final thoughts
As it stands, interpreting consent under POPIA is limited by a lack of guidance and jurisprudence in South Africa on the subject matter, and attempts to compare approaches to consent under the GDPR and POPIA are correspondingly constrained. It is encouraging that the Information Regulator has acknowledged18 that the misinterpretation of legislation is a risk and has undertaken to address it through the issuance of guidance notes. In the interim, the private sector and academia are likely to continue monitoring the growing jurisprudence of the courts and regulators of the EU and the UK, which, in the authors' opinion, will likely end up influencing future interpretations of consent in South Africa.
Alon Lev Alkalay Associate
[email protected]
Mahir Ahmed Candidate Attorney
[email protected]
Mudda Sulaiman Academy Student
[email protected]
Lighthouse Law, Cape Town
1. See: Swales L The Protection of Personal Information Act 4 of 2013 in the Context of Health Research: Enabler of Privacy Rights or Roadblock (2022) 25 Potchefstroom Electronic Law Journal 2.
2. Informational self-determination can be understood as the 'capacity of the individual to determine the disclosure and the use of his/her personal data'. See: https://www.igi-global.com/dictionary/informational-self-determination/46032
3. For the purposes of this Insight, the authors have chosen to refer to the concept of 'Controller' under the GDPR, however, reference to 'Controller' is intended to include 'Responsible Party' under POPIA.
4. See Article 6(1)(a)-(f) of the GDPR and Section 11(1)(a)-(f) of POPIA.
5. The EU GDPR and the UK GDPR adopt the same definition of consent. For the purposes of this Insight, reference to the 'GDPR' is intended to refer to both the EU and UK GDPR. Reference to 'EU GDPR' and 'UK GDPR' is used when there is a need to differentiate between the two.
6. See Article 8(1) of the GDPR and note that EU Member States are permitted to provide for a lower age for consent, which may not be lower than 13 years of age.
7. Unlike the EU and the UK, South Africa has only recently introduced comprehensive protection of 'personal data' under data protection law, in the form of POPIA. As a result, the authors note that, as of writing, there is limited judicial interpretation, scholarly literature, and regulatory guidance on the definitional elements of consent under POPIA.
8. See: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf
9. See: https://edpb.europa.eu/news/national-news/2019/company-fined-150000-euros-infringements-gdpr_en.
10. See: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf
11. Y Burns & A Burger-Smidt A Commentary on the Protection of Personal Information Act (2018) 52.
12. See: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf
13. De Stadler, E, et al, 'Over-Thinking The Protection of Personal Information Act' (2021) 68.
14. Ira S Rubinstein, 'Big Data: The End of Privacy or a New Beginning?' (2013) 3 International Data Privacy Law 79.
15. See: https://www.datatilsynet.no/contentassets/da7652d0c072493c84a4c7af506cf293/advance-notification-of-an-administrative-fine.pdf
16. De Stadler, E, et al, 'Over-Thinking The Protection of Personal Information Act' (2021) 69.
17. It must be noted that the South African Information Regulator has not cited the drafting or publishing of guidance on consent as an actionable step in its previous Strategic Plans and Annual Performance Plans.
18. See: https://inforegulator.org.za/wp-content/uploads/2020/07/Strategic-Plan-2022_23-2026-27.pdf