How has the European Data Protection Supervisor (EDPS) advised on consent vs legal basis for EES processing in 2023-2025?
Executive summary
Between 2023 and 2025 the EDPS consistently stressed that processing by EU institutions must rest on a clear GDPR legal basis and that consent has limits — it can be appropriate in some cases (e.g., short retention periods or specific research/testing contexts) but is not a universal substitute for other bases such as performance of a task in the public interest; the EDPS found unlawful processing where no valid legal basis was shown (reprimand to Commission, targeted ads) [1] [2]. The EDPS also urged that “permissions” or product‑level authorisations (e.g., in financial proposals) should not be conflated with GDPR consent [3].
1. EDPS message in plain terms: legal basis first, consent is conditional
From the EDPS’s public work in 2023–2025 the central message is that EU institutions must identify an appropriate legal basis under the GDPR — consent is only one option and frequently not the right one for institutional processing; where the EDPS could not identify any valid legal basis it found infringements (EDPS decision reprimanding the Commission for targeted advertising in 2023) [2]. The Annual Report 2024 also records that, in specific operational contexts, the EDPS recommended using consent as the “most appropriate legal ground” for limited retention/processing periods, implying a situational approach rather than blanket reliance on consent [1].
2. Case signals: when EDPS will reject consent or other claimed bases
The EDPS’s handling of the European Commission’s targeted advertising campaign in September 2023 shows the practical consequences: the EDPS concluded the Commission did not demonstrate a legal basis for processing sensitive data and could not rely on public‑task arguments; it also noted that consent claims were not applicable or not relied upon, resulting in a finding of unlawful processing [2]. That case shows the EDPS will scrutinise public‑interest justifications closely and will not accept vague references to Treaty articles as a substitute for a clear GDPR legal basis [2].
3. Guidance and thematic advice — generative AI, research, retention
The EDPS issued thematic guidance where it flagged the need for a clear legal basis and careful use of consent: its June 2024 preliminary guidelines on generative AI told EU institutions to ensure processing is transparent and predictable and to “carefully evaluate the use of consent,” treating consent as voluntary and informed when invoked [4]. On research/retention matters the Annual Report 2024 notes recommendations including that, for certain limited retention periods or specific processing, the EDPS considered consent the most appropriate ground — again framed as context‑dependent rather than universal [1].
4. Policy positions on regulatory proposals — don’t equate permissions with consent
When consulted on legislative or sectoral proposals, the EDPS repeatedly warned that user “permissions” in a product or sectoral framework should not be treated as GDPR consent. For financial/data‑sharing frameworks the EDPS explicitly asked that “permissions” not be equated with consent under the GDPR and urged clearer limits on what data types and purposes are allowed [3]. This highlights an EDPS agenda to preserve the legal meaning of consent against pressures from product design or sectoral law.
5. Coordination with EDPB and supervisory activity across large‑scale IT systems
The EDPS works jointly with the EDPB on consistency and cross‑border matters: joint opinions and coordinated supervision (e.g., on large‑scale IT systems and procedural rules) mean the EDPS’s positions on legal bases and consent are often developed in conversation with the EDPB and national authorities, suggesting harmonised but sometimes evolving interpretations across 2023–2025 [5] [6]. The work programme and coordinated supervision committee references show the EDPS’s role in supervising systems such as EES/ETIAS as they become operational and in guiding legal‑basis questions in those contexts [7].
6. What the current reporting does not say or leaves open
Available sources do not mention a single, consolidated EDPS “consent vs legal basis” policy document covering 2023–2025 (none was found in current reporting); rather, the EDPS’s approach must be read across reprimands, thematic guidelines (AI), annual reporting and sectoral consultation responses. The sources do not set out exhaustive tests or a checklist that the EDPS applies in every case; instead they show case‑by‑case reasoning and repeated cautions about conflating product permissions with GDPR consent [2] [4] [3].
7. Bottom line for institutions and observers
For EU institutions and stakeholders the takeaway is clear: identify and document a specific GDPR legal basis for each processing activity; use consent only where it fits the GDPR’s requirements and where the EDPS has signalled it is appropriate (e.g., limited retention or certain research/testing contexts), and avoid treating operational “permissions” as GDPR consent [1] [3] [4]. The EDPS enforces these principles — lack of a valid legal basis has already led to formal findings of unlawful processing [2].