To be valid, the consent of the data subjects must meet four cumulative criteria: it must be freely given, specific, informed and unambiguous. The controller must be able to demonstrate the validity of the use of this legal basis by ensuring that each of these conditions, specifically defined by the GDPR, is met.
Example: an organisation wishes to film or photograph volunteers to create a dataset of images to train a system to detect certain specific gestures. It may base the processing on their consent.
When creating a dataset for, an organisation must ensure the validity of the consent collected.
Beyond the obligations of transparency, a certain amount of information must be provided to the data subjects before they consent, in order to enable them to make informed decisions and to allow them to withdraw their consent.
Consent must relate to a specific purpose (see how-to sheet 2 on the definition of the purpose).
The freedom of consent implies, in principle, the possibility for data subjects to give their consent in a granular way, where there are different purposes.
Example: the consent of individuals to the use of their image, collected at a company event for communication purposes, does not mean that they consent to a re-use of the data for building a training dataset or improving an AI system. In this case, two separate consents must be collected (e.g. via two check boxes).
The freedom of consent may also be impacted in the case of an imbalance of power in the relationship between the data subject and the controller, especially if the controller is a public authority or an employer.
Example: a company wants to use the data of its employees to develop an AI system. Their consent can only be validly collected in exceptional situations, where they are able to refuse to give their consent without fearing or incurring negative consequences. As controller, the company must ensure, in any event, that the communications intended to present the device to employees are neither incentivising nor binding. It must inform the volunteers of the possibility of no longer participating in the collection of their data at any time, without any consequence.
It does not seem possible to obtain valid consent in some cases. This is often the case when the controller collects data accessible online or reuses a dataset available online, especially given the lack of contact with the data subjects and the difficulty in identifying them. In these cases, the controller must rely on a more appropriate legal basis.
There may also be difficulties related to the right to withdraw consent, for example due to technical obstacles to the identification of data subjects. If it is not possible for the controller to guarantee the possibility of exercising this right, it is recommended to rely on another legal basis.