The GDPR defines consent as a freely given, specific, informed and unambiguous indication of a person's wishes.

Therefore, if consent is bundled up into other non-negotiable contract terms and conditions, it is presumed not to have been freely given.

Consent and contract should not be merged into each other, WP29 declares.

Granularity

WP29 also signals the importance of 'granularity' or the level of detail in datasets.

Consent is presumed not to be freely given if the process doesn't give data subjects separate assents for separate processing activities.

Specific consent can only be given when data subjects are specifically informed about the intended purposes of data use.

WP29 points out that the GDPR introduces a high standard for informational clarity and accessibility. A data controller should, therefore, weigh up what information to provide, and how to provide it.

WP29 is clear that the data subject must deliberately consent to the particular processing of their data to comply with the requirement for 'unambiguous' consent.

A blanket acceptance of terms and conditions is not a clear consent.

Pre-ticked boxes which then must be unticked to prevent agreement will not be allowed under the GDPR.

The WP29 weighs up the issue of the imbalance of power between the controller and the data subject.

It points out that public authorities are unlikely to rely on consent for processing, since the data subject will, in general, have no realistic alternative except to comply with public authority.

WP29 says that there are other lawful bases, such as compliance with legal obligation, which are more appropriate for public authorities.

The same imbalance of power exists in the context of employees, whose data is unlikely to be deemed as freely given, according to WP29.