One of the great innovations brought about by the new Data Protection Law is the establishment of new legal bases, leaving behind the consent-law binomial. Even so, the new law recognizes the extreme relevance of the data subject’s consent and regulates in depth the requirements for a “valid consent”. This will be one of the most challenging points in the implementation of the new Personal Data Protection Law, so it is worth anticipating certain discussions that will take place around this legal basis.
Consent as a legal basis
Consent is the general rule of data processing, a situation that is expressly recognized by the legislator. The legislator requires certain special considerations so that the data subject’s consent is not compromised and does not lend itself to situations of asymmetry.
Specifically, consent must meet certain requirements, without which it is not considered valid under the new law. Consent must be: (i) expressed prior to processing, (ii) express, (iii) specific in terms of its purposes, (iv) informed, (v) unequivocal and, above all, (vi) free.
Considering these requirements, certain issues come to light that are worth keeping in mind once the new law enters into force, since they will most likely be discussed in the future. Indeed, these challenges have already been discussed in jurisdictions with more developed data protection traditions than Chile, so it is necessary to analyze how they have been addressed.
Presumption of lack of freedom
The law presumes that consent to process data has not been freely granted when the controller collects it in the context of the performance of a contract or the provision of a service for which such collection is not necessary, except in cases where consent is the only consideration required from the data subject by the service provider.
Bulk consent
Data controllers should avoid presenting their privacy and data processing policies in bulk, with a single checkbox that authorizes all processing. To ensure freedom of consent, it is recommended to incorporate separate acceptances associated with specific purposes, allowing the data subject to choose to accept all, some or none. This is known as granular consent, and while it presents challenges such as managing the choices each data subject has consented to, it is one of the systems that ensures that the data subject has freely consented to the processing.
Pay or Consent
Another situation that may pose a challenge in the future under the law’s new consent requirements is the Pay or Consent model. This model offers the user two options: (i) use a service free of charge and consent to the processing of their data, for example, for behavioral advertising; or (ii) pay a fee for the ad-free service. The European Data Protection Board considers that data controllers should offer more alternatives to ensure freedom of consent, including alternatives that do not involve the payment of a fee and that allow a form of advertising with the processing of less or no personal data. In this way, misleading consents are avoided, users are prevented from being forced to accept the processing and digital equity is promoted.
Thus, the new Data Protection Law redefines the way the consent of the data subject is obtained. It is essential to avoid any practice that could compromise the data subject’s freedom when granting consent. This ensures more robust and respectful data protection for the data subject.