"This article was first published in Privacy and Data Protection Journal in September 2011."
Eduardo Ustaran, Partner, and Victoria Hordern, Senior Associate, at Fieldfisher, analyse the impact of the Article 29 Working Party Opinion on the definition of consent in the Data Protection Directive (95/46/EC)
The role of consent in data protection law has troubled policy makers since the early drafts of the Data Protection Directive (95/46/EC). The successive changes around the definition of consent that appeared in those drafts show the struggle to define a concept which has had a central role in the legal framework. As the Data Protection Directive undergoes a wholesale process of reform, the European Commission is still looking for the correct way to define consent so as to give people control over the use of their data, whilst maintaining a workable regime that does not upset the growth of the information society.
The European data protection authorities, through the Article 29 Working Party, have been active contributors to this process and in July 2011, adopted a formal Opinion (WP187) on the definition of consent (‘the Opinion’). The Opinion evidenc- es a very detailed assessment of the legislative history and role of consent in data protection legislation,as well as the different elements and requirements for consent to be valid. Irrespective of whether one agrees or disagrees with the views expressed within the Opinion, it is at least commendable that the Working Party has taken such a clear cut line on this issue. If there was ever any doubt as to where the regulators stood in terms of the conditions for obtaining individuals’ consent, that is no longer the case.
This article examines the key arguments made by the Working Party and assesses whether there is any room for pragmatism in interpreting them. Finally, we measure the impact of the Opinion on the decision making process of data controllers seeking to legitimise their personal data processing.
From a conceptual and practical perspective, the Opinion rests on the following premises:
Consent has to be given before the processing starts — Though the Data Protection Directive does not explicitly state when (i.e. at what point) consent should be sought, according to the Working Party it is clearly implied from the language of the various provisions that, as a general rule, consent has to be given before the processing starts.
Consent differs from the right to object — Under Article 14 of the Data Protection Directive, individuals have the right to object to the processing of their personal data under certain circumstances. This right applies even where the processing has been legitimised on the basis of a different ground from consent.
Consent based on an individual’s inaction or silence does not normally constitute valid consent, especially in an online context — The requirement in the Data Protection Directive that the data subject must 'signify' his or her consent seems to indicate that simple inaction is insufficient some sort of positive action is required for consent to be validly obtained. The Opinion states that it is possible for there to be different kinds of ‘action’, and that these should be assessed in context.
A situation of subordination often prevents consent from being seen as freely given — For example, where consent is required from a worker and there is a real or potential relevant prejudice that arises from not consenting, the consent is not freely given and therefore not valid.
Blanket consent without specifying and separating each purpose of the processing is not acceptable — For the Working Party, there is a require- ment of granularity of the consent with regard to the different elements that constitute the data processing. In other words, a generic consent cannot be held to cover all legitimate purposes followed by a data controller. Consent must be given in relation to the different aspects of the processing.
The mere availability of information is not sufficient for consent to be deemed Informed — Information should be provided directly to individuals. Furthermore,the information must be clearly visible (in terms of type and size of fonts), prominent and comprehensive.
Consent must always be unambiguous — For consent to be unambiguous, the procedure to seek and to give consent must leave no doubt as to the data subject’s intention to deliver consent. In other words, the indication by which the data subject signifies his or her agreement must leave no room for ambiguity regarding his or her intent. If there is a reasonable doubt about the individual’s intention, there is ambiguity and that does not constitute valid consent.
Evidence of consent should be created and retained, so that consent is verifiable — Data controllers relying on consent as a justifying ground for data processing may need to demonstrate that consent has been obtained, for example in the context of a dispute with a data subject. As a consequence, and as a matter of good practice, data controllers should create and retain evidence showing that the consent was indeed given. In addition, the measures used to ensure that consent is verifiable should be made available to the relevant data protection authority upon request.
Room for pragmatism?
The Opinion can be summarised as representing the gold standard for consent there is no middle ground, no wavering for the sake of pragmatism. To put it bluntly, as far as the EU data protection authorities are concerned, consent essentially means prior opt-in,and anything less will not qualify as valid consent. There is one problem with this stance: data protection is not mathematics. Data protection compliance always involves a balance of interests, and this balancing exercise does not come across in the Opinion. The Working Party’s approach is very dogmatic and wherever there is room for legal interpretation, the Opinion invariably chooses the most conservative approach.
There are three aspects of the Opinion where this approach is particularly extreme. The first is that, whilst the Working Party briefly concedes that consent can be reasonably concluded from behaviour, its position is that only some kind of positive action will qualify as proper consent. However, this ignores the fact that, in practice, ascertaining consent is a matter of assessing the level of certainty arising from an individual’s behaviour. The onus of this should of course be on the data controller, but there will be situations where it may be perfectly reasonable to accept someone’s passive behaviour as consent particularly when the use of that person’s information is within their expectations and ultimate control.
The second extreme position adopted by the Working Party is in respect of the requirement for all consent to be unambiguous, and for that unambiguity to be based on express or unmistakable actions. Because the standard sought by the Working Party is so high, there is no room for consent to be implied at least not in an online environment.
This leads to the third extreme position, which relates to assessment of the requirement for consent for the use of internet cookies under the e-Privacy Directive (2009/136). In this respect, the Working Party demands both prior and express consent, irrespective of the uses made of those cookies. The outcome is somewhat disproportionate. The e-Privacy Directive itself distinguishes between different purposes for which third parties may wish to store, or gain access to, information stored in the terminal equipment of an internet user. These purposes will range from the legitimate in particular, cookies to those involving an unwarranted privacy intrusion, such as spyware or viruses. A balanced and realistic assessment of the requirement for consent should take those differences into account and aim for a more pragmatic and reasonable standard.
Impact on the grounds for processing
If meeting the consent requirement under the Data Protection Directive is now effectively governed by the ‘gold standard’ set out in the Opinion, data controllers could take the view to only rely on consent to justify processing when either the law explicitly requires it or where no other lawful ground is available. Therefore, data controllers may understandably look to the other grounds for legitimising data processing. However, some of the other grounds given in Article 7 may not look too inviting. This is because they can be quite specific.
For instance, one ground is only really relevant in a contractual scenario. Another ground relates to the processing of data to protect vital interests (which are generally understood to mean emergency, life-or-death situations). While the data controller might at this stage be tearing its hair out in frustration, there is a further ground the ‘legitimate interest’ ground that offers something of a solution.
At the heart of the concept of legitimate interests is the idea of a balance that the controller has to carry out. The controller has to be able to argue that the processing of data is necessary for the purposes of his, or a third party’s, legitimate interests and that these interests are not overridden by the privacy interests of the relevant individuals. So a controller is actually required to consider the impact of the proposed processing on the individual’s privacy interests. This can be done through a Privacy Impact Assessment or similar exercise which requires the controller to justify why the proposed processing is necessary and to what extent it will intrude into the privacy of individuals.
Therefore, the legitimate interest approach could actually encourage controllers to become more engaged with weighing up the privacy risks to the individuals concerned. A mere ‘tick-box’ approach (which obtaining an individual’s consent can encourage) is unlikely to bring this degree of sensitivity to compliance issues.
Legitimate interests and legislative reform
In its contribution to the 2009 consultation on the reform of the Data Protection Directive, the Working Party stated that consent is often claimed as an applicable ground for processing when it is not appropriate to rely on consent. Therefore, as part of the ongoing debate on the amendment to the Directive, legislators and regulators may do well to consider the scope for identifying more prominently the appropriate grounds available to controllers to process personal data.
Controllers seeking to rely on the legitimate interest ground when processing personal data across the EU may become slightly frustrated to find that, in certain jurisdictions, the ground has not been properly imple- mented. In one such Member State, Spain, the matter has been referred for consideration to the European Court of Justice and has not, at the time of writing, been decided. Likewise, in Hungary, the legitimate interest condition has not been implemented forcing controllers in Hungary to rely on consent with all the attendant prob- lems this involves.
A revised data protection regime that harmonised the scope for reliance on legitimate interest, and encouraged controllers to engage in Privacy Impact Assessments, would improve data protection compliance and ensure the privacy of individuals is properly factored in to decisions about data processing.
The Working Party has spoken on consent. However, this does not necessarily represent the final say on the subject. Many aspects of the Working Party’s interpretation of consent in the Opinion lack pragmatism. In particular, the Opinion fails to recognise that certain types of processing are not significantly intrusive and that there should be more scope for a balance of interests in data protection compliance.
On the plus side, to the extent that consent has now become a gold standard, the law should recognise and promote the alternative ground of legitimate interests. Greater reliance on this ground should encourage responsible data controllers to consider the actual need for any given processing operation and assess the risk to privacy involved.
It is hoped that the new data protection framework, shortly to be announced by the European Commission, will adapt itself in a way that delivers effective and pragmatic data protection compliance.