On December 16, 2022, Katia Bouslimani successfully defended her PhD Thesis entitled “Consent in the General Data Protection Regulation (GDPR)” in front of a Jury composed of Professors Brunessen Bertrand, Gloria González Fuster, Celia Zolynski, Peter Swire and Jean-Michel Bruguière and the supervisors of the PhD Thesis Karine Bannelier and Theodore Christakis.
The purpose of this thesis is to evaluate whether the GDPR provides data subjects with enough decisional power to ensure that their consent is real and meaningful. Katia Bouslimani argues that, despite the efforts of the European legislator, there are gaps in the GDPR that prevent data subjects from asserting the “self-determination” power that the GDPR aspires to give them through the mechanism of consent.
The first part of the thesis focuses on whether the GDPR ensures that data subjects are afforded the opportunity to give “informed and free” consent.
As regards informed consent, the European legislator has made a substantial contribution to enabling data subjects to be better informed before making a decision. However, the author regrets the missed opportunity to create legislative incentives to encourage more inclusive transparency practices, such as taking into account people with disabilities. She also notes that there is no consensus in case law about the nature of the information that must be provided to obtain informed consent. On the one hand, some decisions are based on the presence of a corpus of information that is considered necessary to obtain informed consent. On the other, some authorities have adopted a more casuistic method, based on the understanding of the data subject on a case-by-case basis.
The thesis argues that the GDPR has contributed to a strengthening of “free” consent due to the “explicit and unambiguous” consent requirement, the right to withdraw consent, and the prohibition of unlimited data retention periods. However, some contexts lack legal certainty for data controllers. For instance, it has not always been clear whether the consequences of refusing to give consent can be qualified as “prejudicial” or not. Similarly, a data controller may struggle to decide whether or not consent is necessary in the context of employment, as the notion of “manifest imbalance” is not precisely defined.
The second part of the thesis focuses on the extent to which consent is limited in the GDPR and identifies situations where consent requires additional safeguards or where consent is not applicable.
In this respect, the study first explains that certain situations are too complex to allow data subjects to make free and informed decisions. This is the case with overseas data transfers from the European Union under Chapter V of the GDPR. This is also the case with data processing that involves automated decision-making. In particular, the collective and societal risks created by the generalisation of artificial intelligence are difficult for data subjects to understand.
Furthermore, the thesis focuses on the difficult conciliation between consent and the other legal bases provided for in the GDPR. Consent is not the most beneficial choice from an economic point of view, since the simple withdrawal of consent can result in a drop in revenue for the data controller. However, since the controller chooses the legal basis for processing personal data, there is a practical tension between the GDPR’s legal bases of consent, contract and legitimate interest. While such a tension can be resolved by CJEU case law, it is unfortunate that the legislator has not clarified the regime that applies to behavioural advertising, this issue being the most critical one. This ambiguity led to a recent dispute between the Irish Data Protection Authorities and other European supervisory authorities over whether META’s targeted advertising is based on the performance of the contract or requires consent (the decision was published a few weeks after the defense of the thesis).
Finally, the study shows that the GDPR is not sufficient on its own to empower data subjects in the digital environment. Since the GDPR only focuses on the relationship between the data subject and the data controller in the context of a specific data processing scenario/operation, it fails to take into account that the data subject is asked for their consent by numerous data controllers. Therefore, the counterproductive “side effect” of requests for consent is not tackled by the GDPR. These difficulties include issues such as hyper-solicitation of the data subject, the difficulty of dealing with dark patterns and consent fatigue. The legal economic environment adds to these difficulties, as this environment creates a power asymmetry between the data subject and the data controller that hinders the ability of the former to exercise free and informed consent.
The thesis concludes with the observation that while the GDPR creates interesting opportunities regarding the adequacy of consent in relation to the will of the data subject, some issues still need to be addressed to achieve this objective. First, lawmakers should clarify certain unresolved questions concerning consent, in particular questions regarding targeted advertising. Second, consent in relation to the processing of personal data should be included in a more global reflection that considers the collective challenges attached to personal data protection.
We will provide information here about the publication of the thesis.