Interestingly, consent is straight off stressed to be only as good as the other grounds, and often perhaps not the most appropriate option (e.g., with a view to the data subjects’ rights). And consent cannot be used to ask for personal information that is not strictly necessary for the purpose at hand. Today’s ‘crisis of consent’ impacts both data subjects (fatigue, overload) and controllers/processors (difficult to be compliant, e.g. big data).

The session concluded by discussing three tensions, including some apparent contradictions between GDPR and other directives. The first relates to the demand for unnecessary personal info, between the GDPR (interdiction) and the 2019/770 directive on Digital Content/service. The second puts consent validity in the GDPR versus cookies ‘easy’ consent in e-Privacy. At this point, GDPR stands as the reference law, though more clarification (e.g., by DPA’s) is required. The third ‘tension’ involves consent versus ‘legitimate interest’ in sensitive areas as marketing and research, as well as when vulnerable data subjects are involved.

This is a session that will amply reward an attentive replay, with plenty of food for study.