In support of Legitimate Interests | Fieldfisher

In support of Legitimate Interests

01/08/2011
Plato may have made the assumption that silence means consent but the Article 29 Working Party have made it clear that they do not. In their Opinion on consent (WP 187), the Working Party state that consent based on an individual’s inaction or silence would not normally constitute valid consent for the purposes of EU data protection rules. Additionally, the Working Party set out that consent must be given before any data processing starts, must be unambiguous and, moreover, blanket consent without specifying and separating out each processing purpose is not valid. In effect, the Working Party sets a very high standard for any controller who wishes to legitimise data processing by relying on the consent of the individual.

But is the position of the Working Party in WP 187 surprising? Perhaps not when one considers the remarks that have been made over the years in other Working Party publications. Something of this caution around consent was conveyed back in 2005 when the Working Party published their working document on a common interpretation of Article 26 (1) of the Directive (WP 114). In this instance, the Working Party examined the grounds (which include consent) under which international data transfers can be lawfully made. As well as warning employers not to rely solely on employees’ consent when transferring data (a concern echoed in other Working Party papers concerned with data processing in the context of employment relationships), the paper states that ‘relying on consent may therefore prove to be a “false good solution”, simple at first but in reality complex and cumbersome’.

Additionally, in 2009 the Working Party published their response (in collaboration with the Working Party on Police and Justice) to the European Commission’s consultation on the future of privacy (WP 168). In commenting on consent, the Working Party stated that ‘the requirement that consent has to be informed starts from the assumption that it needs to be fully understandable to the data subject what will happen if he decides to consent to the processing of his data’. In reality, it can be very difficult to prove incontrovertibly that an individual fully understands what will happen to his personal data, a fact that the Working Party admitted in their next remark, which states that ‘the complexity of data collection practices, business models, vendor relationships and technological applications in many cases outstrips the individual’s ability or willingness to make decisions to control the use and sharing of information through active choice’. So how can a controller ever be fully confident that an individual is properly informed in order to be able to effectively consent?

These previous remarks indicate that the Working Party’s recent narrow interpretation of what constitutes valid consent under EU data protection rules is fairly consistent with their past pronouncements. But what should controllers make of this? If meeting the consent requirements under the Directive is now effectively a ‘gold standard’ then, from a practical perspective, controllers could understandably only rely on consent when either the law explicitly requires consent or where no other lawful ground is available. In other words, a controller could take the view that it should rely on consent only in exceptional circumstances and rely on other grounds in all other cases. Grounds such as the legitimate interest ground.

Other grounds under Article 7 of the Directive are relatively specific whereas the concept of legitimate interest recognises that data processing frequently involves a balance between the lawful activities of an organisation and the impact of data processing on an individual’s privacy. In a sense, the legitimate interest ground captures something of the day-to-day business reality that many organisations face when they have to weigh up certain risks. A project involving processing personal data may not fall readily into one of the other Article 7 grounds. An approach which requires a controller to assess the impact of the proposed processing on the fundamental rights and freedoms of the individuals with regard to privacy brings into play the need to assess the situation on its specific merits. A mere tick-box approach (which obtaining an individual’s consent can encourage) is unlikely to bring this degree of sensitivity to compliance issues. Privacy Impact Assessments of course are the tool that helps to model this approach. Likewise, accountability and the need for organisations to be able to demonstrate that they have thought about privacy risks and have procedures in place to deal with such risks also complement an approach which is sensitive to the specific processing situation.

Therefore, since consent has been in effect written off as a false good solution, controllers are by default being encouraged to rely on the legitimate interest ground in general data processing circumstances. Any amendments to the current data protection regime should equip controllers to carry out assessments so that they can test whether their processing is necessary for their legitimate interests and consequently put in place necessary protections to ensure that the privacy rights of individuals are not overridden. Regulators should embrace and promote the legitimate interest ground as a means of instilling good data protection compliance practices in controllers.

 
